Cryptic malware specifically crafted to incapacitate industrial systems.
A new strain of malware capable of infiltrating and disrupting crucial industrial systems, such as power plants, has been discovered and linked to a Russian telecom firm. The malware, named “CosmicEnergy,” was initially detected through threat hunting rather than an actual attack on critical infrastructure. This discovery raises concerns for operators of critical infrastructure, as they are increasingly targeted by both criminal and nation-backed hackers.
Researchers from Mandiant, a cybersecurity firm, suspect that the malware was developed by Rostelecom-Solar, the cybersecurity division of a major Russian telecom company. The code contains references to “Solar Polygon,” which aligns with a Russian government project for electric power disruption exercises and cybersecurity training. CosmicEnergy shares similarities with Industroyer, a previous industrial-focused malware used during the 2016 Ukrainian winter blackout.
The malware utilizes python scripts and tools like PieHop and Lightwork to control remote terminal units (RTUs) responsible for managing industrial systems. Notably, CosmicEnergy can target the widely used IEC-104 protocol, providing flexibility for potential attackers. While the origin and purpose of the malware remain unclear, the incident highlights the growing sophistication in developing purpose-built code to target critical systems.