Understanding COSMICENERGY, an Emerging OT Malware
When thinking of malware, we often consider the impact on the targeted organization’s data and IT systems. However, security researchers at Mandiant have identified new OT/ICS-oriented malware, COSMICENERGY, that is designed to disrupt electric power and so cause physical rather than purely informational impact. Mandiant compares its capabilities to those of Industroyer and Industroyer2, both of which were deployed to disrupt electric transmission in Ukraine. Russia has historically targeted Ukraine’s electrical grid, including with missile and drone strikes in November 2022 that left Ukrainian civilians without power, water, or heat. Those outages were caused by kinetic strikes; possession of malware that can cause power outages would allow Russia to keep targeting Ukraine’s grid without committing significant kinetic military resources.
In December 2016, the Ukrainian capital of Kiev was hit with a blackout caused by a cyberattack. The malware, Industroyer, directly interfered with the operation of industrial hardware and was developed to exploit weaknesses in ICS and the communication protocols they use. The Industroyer attack was attributed to Sandworm Team, a Russia-linked APT group known for targeting Ukraine. This blog post covers the COSMICENERGY malware and its potential impacts looking forward.
The initial access vector for COSMICENERGY is not known at the time of writing; however, there is an Even Chance that the malware is deployed following exploitation of vulnerabilities or social engineering. Mandiant notes that COSMICENERGY’s approach is reminiscent of the 2016 Industroyer incident, which is reported to have used an MSSQL server as a conduit into the OT network, allowing the threat actors to send remote commands that affected the operation of power line switches and circuit breakers. COSMICENERGY uses two components to achieve the same effect: PIEHOP and LIGHTWORK.
PIEHOP is a Python-based disruption tool that, as Mandiant writes, connects to a user-supplied remote MSSQL server to upload files and issue commands to a remote terminal unit (RTU). Unlike a programmable logic controller (PLC), which typically automates a local process, an RTU is built for remote monitoring and control over wide-area links and is commonly deployed at geographically distributed sites such as substations. This Likely makes an RTU an attractive target for remote threat actors, as a single intrusion can cause significant impact on the organization and on the citizens of the targeted geography. Russia has consistently attempted to conduct attacks that push Ukrainian citizens to lose trust in their government; an attack that leaves the citizens of Ukraine without heat and power would Likely aid that goal.
LIGHTWORK, according to Mandiant, is a C++ disruption tool that PIEHOP uses to issue IEC-104 “ON” or “OFF” commands to the RTU; PIEHOP deletes the LIGHTWORK executable immediately after the command is issued. Mandiant writes that the LIGHTWORK sample they reviewed “includes eight hardcoded IEC-104 information object addresses (IOA) which typically correlate with input or output data elements on a device […] However, IOA mappings often differ between manufacturers, devices, and even environments.” This indicates that there is an Even Chance that the threat actors built this sample for a specific victim. Because COSMICENERGY lacks discovery capabilities, a successful attack depends on prior internal reconnaissance to obtain environment details such as the MSSQL server address and credentials and the IP addresses of the target IEC-104 devices.
The origin of COSMICENERGY is not known. However, Mandiant found that a unique comment in the code matched a cyber range developed by Rostelecom-Solar, a Russian cybersecurity company that started training cybersecurity experts on “electric power disruption and emergency response exercises” in 2019. There is an Even Chance that COSMICENERGY was created to recreate real attack scenarios against grid assets for training purposes.
However, there is an Even Chance that another threat actor took the code – with or without permission – and created a new malware strain that could be used to target the ICS of other countries, including Ukraine and Western-supporting countries.
Mandiant researchers stated that the identification of COSMICENERGY highlights multiple trends in the OT threat landscape, including the abuse of insecure-by-design protocols such as IEC-104.
COSMICENERGY does not appear to be markedly different from, or more sophisticated or notable than, the earlier OT malware families Mandiant considers comparable, including IRONGATE, TRITON, and INCONTROLLER: all use third-party libraries, abuse insecure-by-design protocols, and operate in similar ways. Russia-linked threat actors have used OT malware against ICS in other countries, particularly Ukraine, since at least 2015. However, the discovery of a new variant, no matter how similar, is a significant addition to the threat landscape. Given the current Russia-Ukraine war, it is Likely that threat actors will begin targeting Ukraine and Western-supporting countries with COSMICENERGY over the next 30 days.
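What “insecure by design” means in practice for the LIGHTWORK behavior described above: IEC-104 carries no authentication, so any host that can reach TCP/2404 on an RTU can send the same ON/OFF commands, and the only practical defense is network segmentation plus monitoring of who issues control commands and to which IOAs. The following is an added example written for this post (not code from Optiv, Mandiant, or the malware itself): a passive detector that parses IEC-104 APDUs, decodes the control-direction command types, and alerts when a command comes from a host other than the SCADA master or addresses an IOA outside the site’s known mapping. The host addresses, the IOA mapping, and the sample frames are constructed for the example and are hypothetical.

```python
"""Passive detection of IEC 60870-5-104 (IEC-104) control commands.

Added example, not code from the original post or from Mandiant. Parses APDUs
(one per payload), decodes process commands in the control direction, and
alerts on commands from an unauthorised source or to an unmapped IOA.
All addresses and frames below are constructed, not captured from an incident.
"""
import struct
from dataclasses import dataclass
from typing import Optional

IEC104_PORT = 2404
START_BYTE = 0x68

# ASDU type IDs for process commands in the control direction (operator -> RTU).
CONTROL_TYPES = {
    45: "C_SC_NA_1",  # single command (e.g. breaker ON/OFF)
    46: "C_DC_NA_1",  # double command
    47: "C_RC_NA_1",  # regulating step command
    58: "C_SC_TA_1",  # single command with CP56Time2a time tag
    59: "C_DC_TA_1",  # double command with CP56Time2a time tag
}

@dataclass
class Command:
    type_id: int
    cot: int             # cause of transmission (6 = activation)
    common_addr: int     # common address of ASDU (station address)
    ioa: int             # information object address
    state: Optional[str]
    select: bool         # True = select, False = execute (S/E bit)

def parse_apdu(data: bytes) -> Optional[Command]:
    """Return a Command for an I-format APDU carrying a control ASDU, else None."""
    # APCI: start byte, length of everything after the length byte, 4 control bytes.
    if len(data) < 6 or data[0] != START_BYTE or data[1] != len(data) - 2:
        return None
    if data[2] & 0x01:           # bit 0 set => S- or U-format, carries no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 10:           # type, VSQ, COT(2), CA(2), IOA(3), qualifier
        return None
    type_id, vsq = asdu[0], asdu[1]
    if type_id not in CONTROL_TYPES or (vsq & 0x7F) != 1:
        return None              # commands carry exactly one information object
    cot = asdu[2] & 0x3F         # bit 7 = test flag, bit 6 = negative confirm
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = int.from_bytes(asdu[6:9], "little")   # IOA is 3 bytes, little-endian
    qualifier = asdu[9]
    select = bool(qualifier & 0x80)
    if type_id in (45, 58):      # SCO: bit 0 = SCS, 0 = OFF, 1 = ON
        state = "ON" if qualifier & 0x01 else "OFF"
    elif type_id in (46, 59):    # DCO: bits 0-1 = DCS, 1 = OFF, 2 = ON
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    else:                        # RCO: bits 0-1 = RCS, 1 = LOWER, 2 = HIGHER
        state = {1: "LOWER", 2: "HIGHER"}.get(qualifier & 0x03, "INVALID")
    return Command(type_id, cot, common_addr, ioa, state, select)

def detect(flows, allowed_masters, known_ioas):
    """flows: (src_ip, dst_ip, dst_port, payload) tuples. Returns a list of alerts."""
    alerts = []
    for src, dst, port, payload in flows:
        if port != IEC104_PORT:
            continue
        cmd = parse_apdu(payload)
        if cmd is None:
            continue
        desc = (f"{CONTROL_TYPES[cmd.type_id]} {'select' if cmd.select else 'execute'} "
                f"{cmd.state} IOA={cmd.ioa} CA={cmd.common_addr} {src}->{dst}")
        if src not in allowed_masters:
            alerts.append("UNAUTHORIZED_SOURCE: " + desc)
        if cmd.ioa not in known_ioas.get(dst, set()):
            alerts.append("UNKNOWN_IOA: " + desc)
    return alerts

# Constructed sample traffic: hypothetical SCADA master, RTU and rogue host.
MASTER, RTU, ROGUE = "10.10.1.5", "10.10.20.7", "10.10.50.23"
SINGLE_ON_EXECUTE = bytes.fromhex("680e000000002d010600010004010001")  # C_SC_NA_1, IOA 260, execute ON
DOUBLE_OFF_SELECT = bytes.fromhex("680e000000002e010600010005010081")  # C_DC_NA_1, IOA 261, select OFF
MONITOR_FRAME = bytes.fromhex("680e0000000001010300010004010001")      # M_SP_NA_1, not a command
TESTFR_ACT = bytes.fromhex("680443000000")                             # U-format keepalive

def run_demo():
    """Replay the constructed flows; the RTU's engineered IOA mapping contains only 260."""
    flows = [
        (MASTER, RTU, IEC104_PORT, SINGLE_ON_EXECUTE),  # legitimate master, known IOA: no alert
        (MASTER, RTU, IEC104_PORT, TESTFR_ACT),         # keepalive, ignored
        (MASTER, RTU, IEC104_PORT, MONITOR_FRAME),      # non-command ASDU, ignored
        (ROGUE, RTU, IEC104_PORT, SINGLE_ON_EXECUTE),   # same command from the wrong host
        (ROGUE, RTU, IEC104_PORT, DOUBLE_OFF_SELECT),   # wrong host and unmapped IOA
    ]
    return detect(flows, allowed_masters={MASTER}, known_ioas={RTU: {260}})

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two caveats for anyone adapting this. First, the parser assumes one APDU per payload; real TCP segments often carry several back to back, so a production version must loop over the buffer using the length byte. Second, as Mandiant’s observation about IOA mappings implies, `known_ioas` cannot be learned from the protocol; it has to be populated from the site’s own point list or engineering configuration, and an “execute” with no preceding “select” for the same IOA is a further condition worth alerting on for select-before-operate devices.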
If COSMICENERGY was developed as a red teaming tool to simulate real attack scenarios on electrical grids, then this discovery highlights the consistent use of legitimate tools by threat actors to conduct malicious attacks. Threat actors, including both APT and cybercriminal groups, are often observed using legitimate tools, including Cobalt Strike, Metasploit, and BloodHound. It is Likely that threat actors will continue to use open-source, publicly available, and legitimate tools to conduct malicious attacks over the next 12 months.
Optiv’s Global Threat Intelligence Center (gTIC) recommends the following mitigations to protect OT systems from the COSMICENERGY malware:
Read more of gTIC’s related threat intelligence in the Vertical Target Series: Energy and Utilities white paper and Russia/Ukraine Update – May 2023 blog post.