A Russian software capable of shutting off (or on) industrial machinery, with parallels to some of the world’s most dangerous industrial malware, has been spotted publicly idling on VirusTotal (VT).
Researchers from Mandiant spotted “CosmicEnergy” recently, noting that it had been uploaded by a Russian user back in December 2021. The mystery only deepened with one particular comment in the code — evidence that the tool may have been designed for a power disruption red-team exercise hosted by the Russian cybersecurity company Rostelecom-Solar.
“We consider it … possible that a different actor — either with or without permission — reused code associated with the cyber-range to develop this malware,” the researchers speculated in a blog post on May 25.
Far from any ordinary VT sample or red-team tool, CosmicEnergy “poses a plausible threat to affected electric grid assets,” they explained, thanks to its ability to manipulate a type of industrial control device called a remote terminal unit (RTU).
An RTU is a special type of industrial controller which uses telemetry to interface between industrial machines and their control systems. Its function is relatively simple — receiving data, and passing it on for analysis — but, crucially, it’s capable of toggling automated industrial processes on and off.
In many ways, CosmicEnergy is modeled after Industroyer — the first malware designed to take down an electric grid — particularly Industroyer’s newest variant, deployed last year by the Russian advanced persistent threat (APT) Sandworm in an attack against Ukraine. The researchers also likened it to some of the other most devilish programs to ever touch industrial networks, including Irongate, Ironcontroller, and Triton/Trisis.
To Daniel Kapellmann Zafra, Mandiant analysis manager at Google Cloud, CosmicEnergy demonstrates just how approachable malware designed for kinetic damage can be. “They’ve already learned how to do it; that is what makes it very concerning,” he says.
What to Know About CosmicEnergy Malware
Using CosmicEnergy, an attacker could cause power disruption simply by sending a command to trip a power-line switch or circuit breaker. It achieves this with two components.
First, PieHop is a Python-based tool that connects an attacker-controlled MSSQL server with an RTU at a targeted industrial site.
PieHop then uses the second component, Lightwork, a C++-based tool, to take advantage of an RTU’s toggling capabilities, modifying the state of the RTU before erasing the executable from the targeted system.
The researchers did note that “the sample of PieHop we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities,” but added that “we believe these errors can be easily corrected.”
Industrial RTUs Are Insecure by Design
From the outside, one might assume that a device in control of sensitive industrial processes would be armed to the teeth with security. But that couldn’t be further from the truth.
“Most often there is no additional security at this point,” Mandiant’s Kapellmann Zafra says of the RTU, and similar controllers. “It’s a trend, that the recent types of malware families that we’ve been seeing in OT are taking advantage of protocols that are open.”
RTUs are victim to the “insecure by design” phenomenon, named and popularized more than a decade ago by the industrial security influencer Dale Peterson. The idea, in short, is that industrial machines are often designed to operate in trusted environments, without security in mind, due to age, complexity, and other factors. Often, their features — the very functions detailed in their manuals — could, in a security context, be construed as vulnerabilities.
To anyone used to IT, it will sound backward that, for example, RTUs don’t even apply basic encryption to their inbound or outbound data flows. As Kapellmann Zafra explains, “when you’re working with data from a traditional IT perspective, what you really want to make sure of is that no one can get access to the data. However, in the case of OT security, this data is supporting a process. So what you care the most about is that this piece of data fulfills its purpose, and your process continues operating how it was expected to operate.”
In other words, data security is lower on the totem pole than safety and reliability. “The priorities from an OT standpoint are different, and based on that we don’t implement security controls that might interfere with a cyber-physical process,” the researcher says.
Because there’s such an openness to these otherwise critical devices, defending against CosmicEnergy — or Industroyer or Triton, for that matter — requires consideration and proactiveness. “It’s not as simple as having all kinds of different security solutions,” Kapellmann Zafra says.
He highlights detection as the key. “Because even though we have the rules and IoCs for the malware, what we’re seeing with these types of implementations is that, oftentimes, you can’t just run a rule and expect you’re going to find it. You have to keep your eyes open for behaviors that are not expected.”