Description

Mandiant found a novel malware called 'COSMICENERGY' that is attributed to the Russian cybersecurity organization Rostelecom-Solar (formerly known as Solar Security) and is designed to disrupt industrial systems. COSMICENERGY primarily targets IEC-104-compliant remote terminal units (RTUs), which are widely used in power transmission and distribution operations throughout Asia, Europe, and the Middle East.

The malware is Python-based and uses open-source libraries to implement the OT protocol, much like other malware strains that target industrial control systems, such as IronGate, Triton, and Incontroller. COSMICENERGY is expected to gain access to the target's OT systems via a compromised MSSQL server using the Piehop disruption tool. After gaining access to the victim's network, the attackers can remotely manipulate RTUs by issuing IEC-104 'ON' or 'OFF' instructions using the Lightwork malware.

Mandiant claims COSMICENERGY was created by Rostelecom-Solar as a red teaming tool to replicate disruption operations. COSMICENERGY initially resembled the earlier Operational Technology (OT) malware Industroyer and Industroyer.V2, which were used in attacks against Ukrainian energy supplies in December 2016 and April 2022, respectively. During the research, Mandiant discovered a comment in the malware code indicating that the sample used a module associated with the 'Solar Polygon' project.
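As an added example (not Mandiant's analysis or the malware's code), the following parser decodes IEC 60870-5-104 APDUs and flags the single/double 'ON'/'OFF' commands described above when they originate from a host that is not a known SCADA master; the sample frames and the 10.0.0.x addresses are constructed for illustration.

```python
import struct
from dataclasses import dataclass

C_SC_NA_1 = 45   # single command: 1-bit ON/OFF (SCS)
C_DC_NA_1 = 46   # double command: 2-bit state (DCS 1=OFF, 2=ON)

@dataclass
class ControlCommand:
    type_id: int
    common_addr: int   # common address of ASDU (the station)
    ioa: int           # information object address (the switch/breaker point)
    state: str         # "ON", "OFF" or "INVALID"
    select: bool       # True = select, False = execute
    cot: int           # cause of transmission (6 = activation)

def parse_control_command(apdu):
    """Return the ControlCommand in an I-format APDU of type 45/46, else None."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("malformed IEC-104 APDU")
    if apdu[2] & 0x01:            # S-/U-format frames carry no ASDU
        return None
    asdu = apdu[6:]
    if len(asdu) < 10:            # 6-byte header + 3-byte IOA + 1-byte qualifier
        return None
    type_id, _vsq, cot, _orig, casdu = struct.unpack("<BBBBH", asdu[:6])
    if type_id not in (C_SC_NA_1, C_DC_NA_1):
        return None
    ioa = int.from_bytes(asdu[6:9], "little")
    qual = asdu[9]                # SCO (type 45) or DCO (type 46)
    if type_id == C_SC_NA_1:
        state = "ON" if qual & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
    return ControlCommand(type_id, casdu, ioa, state, bool(qual & 0x80), cot & 0x3F)

def flag_unexpected_commands(frames, allowed_masters):
    """Return (src, ControlCommand) for control commands not sent by a known master."""
    return [(src, cmd) for src, apdu in frames
            if (cmd := parse_control_command(apdu)) is not None
            and src not in allowed_masters]

# Constructed sample traffic with hypothetical addresses; 10.0.0.5 is the
# legitimate SCADA master, 10.0.0.99 an unexpected host.
SAMPLE_FRAMES = [
    ("10.0.0.5",  bytes.fromhex("68044300 0000")),                          # U-format TESTFR act
    ("10.0.0.20", bytes.fromhex("680e00000000 010103000100 e80300 01")),   # M_SP_NA_1 indication
    ("10.0.0.5",  bytes.fromhex("680e00000000 2d0106000100 e80300 01")),   # C_SC_NA_1 ON, IOA 1000
    ("10.0.0.99", bytes.fromhex("680e00000000 2e0106000100 d00700 81")),   # C_DC_NA_1 select OFF, IOA 2000
]
ALLOWED_MASTERS = {"10.0.0.5"}
```

Running `flag_unexpected_commands(SAMPLE_FRAMES, ALLOWED_MASTERS)` yields a single alert for the double command from 10.0.0.99; the monitoring indication and the keep-alive frame are ignored.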