New Russian-linked malware developed to just take down electric power networks has been discovered by Mandiant threat scientists, who have urged vitality firms to choose motion to mitigate this “immediate threat.”
The specialised operational technology (OT) malware, dubbed COSMICENERGY, has similarities to malware utilised in past assaults concentrating on electricity grids, which includes the ‘Industroyer’ incident that took down power in Kiev, Ukraine in 2016.
COSMICENERGY is designed to disrupt electric powered electricity by interacting with IEC 60870-5-104 (IEC-104) standard products, this sort of as remote terminal units. These units are normally made use of in electric transmission and distribution operations in Europe the Center East and Asia.
Equally, in the Industroyer attack in 2016, thought to have been perpetrated by Russian APT team Sandworm, the malware issued IEC-104 ON/OFF instructions to interact with RTUs, and could have manufactured use of an MSSQL server as a conduit technique to entry OT.
This enabled attackers to mail remote instructions to affect the actuation of electrical power line switches and circuit breakers, therefore creating electrical power disruption.
Mandiant reported that COSMICENERGY was uploaded to a public malware scanning utility by a submitter in Russia in December 2021. Interestingly, from its subsequent examination, the firm thinks Russian cybersecurity enterprise Rostelecom-Photo voltaic or a contractor may have originally developed the malware for training purposes – to recreate true attack eventualities towards electrical power grid assets.
Mandiant scientists mentioned it is then attainable that a threat actor, with or without authorization, reused code connected with the cyber vary to develop this malware.
This tends to make COSMICENERGY unique from earlier OT malware intended to choose down strength grids – as threat actors are leveraging knowledge from prior attacks to generate new offensive applications, therefore lowering he barrier to entry to attack OT programs.
This is specifically concerning “since we ordinarily notice these types of abilities limited to perfectly resourced or state sponsored actors.”
Thus, the researchers warned: “Given that threat actors use pink team equipment and public exploitation frameworks for targeted risk activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electrical grid belongings. OT asset owners leveraging IEC-104 compliant gadgets should really just take action to preempt likely in the wild deployment of COSMICENERGY.”
The crew famous that COSMICENERGY lacks discovery abilities, “which indicates that to successfully execute an attack the malware operator would have to have to perform some internal reconnaissance to obtain surroundings info.”
Some parts of this article are sourced from:
www.infosecurity-magazine.com