Fri | May 26, 2023 | 12:47 PM PDT

Security researchers at Mandiant have recently made a significant discovery in the realm of industrial control system (ICS) malware. Named "CosmicEnergy," this specialized operational technology (OT) malware poses a potential threat to critical infrastructure systems and electric grids.

Mandiant's findings shed light on the similarities between CosmicEnergy and previous malware used to target power grids, including the infamous Industroyer incident that caused power outages in Ukraine in 2016.

The identification of this new Russian-linked malware underscores the urgent need for energy firms to take immediate action to mitigate the potential risks it poses.

Mandiant discusses the newly discovered malware:

"COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts, which are rarely discovered or disclosed.

What makes COSMICENERGY unique is that based on our analysis, a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company.

Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104."

Researchers stumbled upon CosmicEnergy through proactive threat hunting rather than in response to a specific cyberattack on critical infrastructure.

What sets CosmicEnergy apart from previous OT malware targeting energy grids is the potential reuse of code associated with a cyber range. Mandiant suggests that a threat actor, either with or without permission, may have repurposed code from the cyber range to develop this malware.

This trend indicates a concerning shift, as threat actors leverage knowledge from past attacks to create new offensive tools, potentially lowering the barriers to entry for attacking OT systems. CosmicEnergy's functionality aligns with other malware variants that target industrial control systems, making it a plausible threat to affected electric grid assets.

No CosmicEnergy attacks have been observed in the wild. Because the malware has no discovery capabilities of its own, an attacker would first need to perform internal reconnaissance to gather the environment details (such as device addresses and protocol parameters) that the malware requires before it could be used in an attack.

Organizations involved in electricity transmission and distribution, particularly those leveraging IEC-104 compliant devices, should take immediate action to preempt potential deployment of CosmicEnergy.

Newly discovered OT malware presents an immediate threat to affected organizations for two reasons: such discoveries are rare, and the malware exploits inherent weaknesses in OT environments that are unlikely to be remedied quickly.

As threat actors continue to adapt and repurpose tools, organizations must stay vigilant, enhance their threat hunting capabilities, and deploy effective detection mechanisms. Collaboration between cybersecurity experts, government agencies, and industry stakeholders is crucial to ensure the resilience of energy grids and other critical infrastructure in the face of emerging threats like CosmicEnergy.

For more information on CosmicEnergy, read Mandiant's report, "COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises."
