Mandiant discovered a new malware family called CosmicEnergy in May. The malware is designed to attack industrial control systems (ICS) in the electric grid: it can remotely manipulate power line switches and circuit breakers, although it lacks operational capability. The malware is attributed to Russian threat actors, who would most likely use it against remote terminal units (RTUs) in Eurasia.
CosmicEnergy has two main components. LightWork implements the IEC104 communication protocol to issue ON/OFF commands to RTUs. PieHop connects to a Microsoft SQL Server to upload files and issue RTU commands. Dragos determined that the malware lacks attack capabilities and is immature compared with the ICS malware most recently used in Ukraine. Dragos noted that CosmicEnergy was seemingly developed for training scenarios, and Mandiant suggested that the Russian cybersecurity firm Rostelecom-Solar may have created it for red teaming. Advisors recommend monitoring Microsoft SQL servers closely to reduce exposure to this type of malware.
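Because LightWork's effect depends on sending IEC104 control commands, the traffic a defender wants to see is the single-command and double-command ASDUs (type identifiers 45 and 46) arriving from hosts that are not the site's legitimate SCADA masters. The following parser and detection routine is an added example written for this summary, not code from Mandiant, Dragos, or the malware itself; the frame bytes, IP addresses and allow-list of authorized masters are constructed values, and the field layout follows the IEC 60870-5-104 APCI/ASDU format.

```python
"""
Added example (not from the original article or its sources): a minimal
IEC 60870-5-104 (IEC104) parser that flags the ON/OFF control ASDUs an
intruder would need in order to operate breakers or switches through an RTU.
All frames, IPs and the authorized-master list below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Standard IEC 60870-5-101/104 type identifiers for control commands
C_SC_NA_1 = 45  # single command (ON/OFF)
C_DC_NA_1 = 46  # double command (ON/OFF with explicit invalid states)
TYPE_NAMES = {C_SC_NA_1: "C_SC_NA_1", C_DC_NA_1: "C_DC_NA_1"}
COT_ACTIVATION = 6  # cause of transmission: "activation" (an actual request)


@dataclass
class Iec104Command:
    type_id: int
    cot: int
    common_address: int
    ioa: int
    select: bool  # S/E bit: True = select, False = execute
    state: str    # "ON", "OFF" or "INVALID"


def parse_apdu(frame: bytes) -> Optional[Iec104Command]:
    """Decode one APDU; return a command if it carries type 45/46, else None."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC104 APDU (missing 0x68 start byte)")
    if frame[1] != len(frame) - 2:  # length octet covers everything after it
        raise ValueError("APDU length field does not match frame size")
    # Control field octet 1, bit 0 == 0 marks an I-format APDU (carries an ASDU);
    # S-format (0x01) and U-format (0x03 base) frames have no ASDU at all.
    if frame[2] & 0x01:
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    num_objects = asdu[1] & 0x7F          # VSQ: low 7 bits = object count
    cot = asdu[2] & 0x3F                  # COT: low 6 bits, then originator octet
    common_address = asdu[4] | (asdu[5] << 8)
    if type_id not in TYPE_NAMES:
        return None                       # monitoring-direction data, ignore
    if num_objects != 1 or len(asdu) < 10:
        raise ValueError("unexpected object layout for command ASDU")
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)  # 3-octet object address
    qualifier = asdu[9]                   # SCO or DCO octet
    select = bool(qualifier & 0x80)
    if type_id == C_SC_NA_1:
        state = "ON" if qualifier & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    return Iec104Command(type_id, cot, common_address, ioa, select, state)


def detect_unauthorized_commands(packets: Iterable[Tuple[str, bytes]],
                                 authorized_masters: Set[str]) -> List[str]:
    """Alert on activation commands from any host not on the master allow-list."""
    alerts = []
    for src_ip, frame in packets:
        cmd = parse_apdu(frame)
        if cmd is None or cmd.cot != COT_ACTIVATION:
            continue
        if src_ip not in authorized_masters:
            alerts.append(f"{src_ip} sent {TYPE_NAMES[cmd.type_id]} "
                          f"{'SELECT' if cmd.select else 'EXECUTE'} {cmd.state} "
                          f"to CA={cmd.common_address} IOA={cmd.ioa}")
    return alerts


# Constructed sample traffic: (source IP, raw APDU bytes)
SAMPLE_PACKETS = [
    # U-format STARTDT act from the legitimate master: no ASDU
    ("10.0.0.5", bytes.fromhex("68 04 07 00 00 00")),
    # Single command EXECUTE OFF, CA=1, IOA=1000, from the legitimate master
    ("10.0.0.5", bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 E8 03 00 00")),
    # Double command SELECT ON, CA=1, IOA=1000, from an unknown host
    ("192.0.2.77", bytes.fromhex("68 0E 00 00 00 00 2E 01 06 00 01 00 E8 03 00 82")),
    # Spontaneous single-point information (type 1) from an RTU: not a command
    ("10.0.0.20", bytes.fromhex("68 0E 00 00 00 00 01 01 03 00 01 00 01 00 00 01")),
]
AUTHORIZED_MASTERS = {"10.0.0.5"}  # assumed site-specific allow-list

if __name__ == "__main__":
    for line in detect_unauthorized_commands(SAMPLE_PACKETS, AUTHORIZED_MASTERS):
        print("ALERT:", line)
```

The parser deliberately ignores S- and U-format frames and monitoring-direction ASDUs so that only control traffic reaches the allow-list check; in a real deployment the allow-list would come from the substation's network inventory, and the same decoded fields can feed an IDS rule or a SIEM query alongside the Microsoft SQL Server monitoring the advisories recommend.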