Discovered: CosmicEnergy, malware to cause Kremlin-style power outages - Simo Baha

Discovered: CosmicEnergy, malware to cause Kremlin-style power outages

An anonymous reader cites an Ars Technica report: Researchers have discovered malware designed to disrupt power transmission that could be used by the Russian government in training exercises to stage, or practice responding to, cyberattacks on power grids. Known as CosmicEnergy, the malware has capabilities comparable to those found in the malware known as Industroyer and Industroyer2, which researchers have widely attributed to Sandworm, the name of one of the Kremlin’s most skilled and relentless hacking groups.

Researchers at Mandiant, the security company that discovered CosmicEnergy, wrote: “COSMICENERGY is the latest example of specialized OT malware capable of causing cyber-physical effects that are rarely detected or disclosed. What makes COSMICENERGY unique is that, based on our analysis, a contractor may have developed it as a red team tool for power outage simulation exercises organized by the Russian cyber security firm Rostelecom-Solar. INDUSTROYER and INDUSTROYER.V2 were both malware variants previously deployed to affect power transmission and distribution via IEC-104. Given that threat actors use red team tools and public exploit frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a real threat to affected power grid assets. Owners of OT assets using IEC-104-compliant devices should take measures to prevent the potential deployment of COSMICENERGY in the field.”

At this point the link is indirect, resting mostly on a comment found in the code that suggests it works with software for Kremlin-sponsored training exercises. Consistent with the theory that CosmicEnergy is meant for so-called red team exercises that mimic hostile hackers, the malware lacks the ability to infiltrate a network and obtain the environmental information needed to launch an attack. The malware includes hard-coded data object addresses of the kind typically associated with power line switches or circuit breakers, but these mappings would have to be tailored for a specific target because they vary from manufacturer to manufacturer. “Therefore, the specific actions intended by the actor are unclear without additional knowledge of the target assets,” Mandiant researchers wrote.
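Because the malware's effect comes down to IEC-104 control commands aimed at specific information object addresses (IOAs), one practical defensive check for an OT network is to parse the IEC 60870-5-104 traffic reaching each outstation and alert on any control command that comes from a host other than the approved control station, or that targets an IOA missing from the engineering map for that device. The script below is an added illustration written for this article; it is not Mandiant's code and not CosmicEnergy itself. The frame layout (start byte 0x68, length byte, four control-field bytes, then the ASDU with type ID, VSQ, cause of transmission, common address and 3-byte IOAs) follows the public IEC 60870-5-104 standard, while the IP addresses, allowlists and sample frames are constructed for the demo.

```python
"""Flag IEC 60870-5-104 control commands from unapproved sources or to unknown IOAs.

Added example for the CosmicEnergy article; not Mandiant's or the malware's code.
Frame parsing follows the IEC 60870-5-104 APCI/ASDU layout; hosts, allowlists and
sample frames below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

START_BYTE = 0x68
COT_ACTIVATION = 6  # the cause of transmission a legitimate command request carries

# ASDU type identifications that carry process control commands (IEC 60870-5-101/104)
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cause: int
    common_addr: int
    ioa: int
    element: int  # first byte of the first information element (SCO/DCO for commands)


def parse_apdu(raw: bytes) -> Optional[Asdu]:
    """Return the ASDU of an I-format APDU, or None for S/U frames and malformed data."""
    if len(raw) < 6 or raw[0] != START_BYTE or raw[1] != len(raw) - 2:
        return None
    ctrl = raw[2:6]
    if ctrl[0] & 0x01:  # S-format (..01) and U-format (..11) frames carry no ASDU
        return None
    asdu = raw[6:]
    if len(asdu) < 10:  # 6-byte ASDU header + 3-byte IOA + at least one element byte
        return None
    return Asdu(
        type_id=asdu[0],
        num_objects=asdu[1] & 0x7F,            # VSQ: low 7 bits = number of objects
        cause=asdu[2] & 0x3F,                  # COT: low 6 bits; asdu[3] is originator
        common_addr=int.from_bytes(asdu[4:6], "little"),
        ioa=int.from_bytes(asdu[6:9], "little"),
        element=asdu[9],
    )


def detect_unexpected_controls(
    records: Iterable[Tuple[str, str, bytes]],
    allowed_sources: Set[str],
    known_ioas: Dict[str, Set[int]],
) -> List[dict]:
    """records: (src_ip, dst_ip, payload). Returns one alert per suspicious command."""
    alerts = []
    for src, dst, payload in records:
        asdu = parse_apdu(payload)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue  # monitoring data, link-layer frames, junk: not a control action
        reasons = []
        if src not in allowed_sources:
            reasons.append("source is not an approved control station")
        if asdu.ioa not in known_ioas.get(dst, set()):
            reasons.append("IOA is not in the engineering map for this outstation")
        if asdu.cause != COT_ACTIVATION:
            reasons.append(f"unexpected cause of transmission {asdu.cause}")
        if reasons:
            alerts.append({
                "src": src, "dst": dst, "type": CONTROL_TYPES[asdu.type_id],
                "ioa": asdu.ioa,
                # S/E bit (bit 7) of the command qualifier: 1 = select, 0 = execute
                "phase": "select" if asdu.element & 0x80 else "execute",
                "reasons": reasons,
            })
    return alerts


# Constructed demo environment: one HMI, one RTU, one unknown host.
HMI, RTU, ROGUE = "10.0.1.10", "10.0.2.20", "10.0.9.99"
ALLOWED_SOURCES = {HMI}
KNOWN_IOAS = {RTU: {1, 2}}  # IOAs the engineering map documents for this RTU

SAMPLE_TRAFFIC = [
    # HMI -> RTU: single command, select ON, IOA 1, COT activation: expected traffic
    (HMI, RTU, bytes.fromhex("680e000000002d010600010001000081")),
    # RTU -> HMI: M_SP_NA_1 single-point status, spontaneous: monitoring only
    (RTU, HMI, bytes.fromhex("680e0000000001010300010005000001")),
    # HMI -> RTU: U-format TESTFR act: link keep-alive, no ASDU
    (HMI, RTU, bytes.fromhex("680443000000")),
    # ROGUE -> RTU: double command, execute ON, IOA 0x1001: unknown host and unmapped IOA
    (ROGUE, RTU, bytes.fromhex("680e000000002e010600010001100002")),
    # HMI -> RTU: single command, execute ON, IOA 7: approved host but unmapped IOA
    (HMI, RTU, bytes.fromhex("680e000000002d010600010007000001")),
]


def run_demo() -> List[dict]:
    return detect_unexpected_controls(SAMPLE_TRAFFIC, ALLOWED_SOURCES, KNOWN_IOAS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The check deliberately ignores monitoring ASDUs and link-layer frames and only examines command types, so normal polling does not generate noise; the IOA allowlist is the part that has to come from the site's own engineering documentation, which is exactly the knowledge the article notes an attacker would also need.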
