CosmicEnergy malware targets industrial systems within the region of Europe, the Middle East and Asia.
A sample of the malware tracked as CosmicEnergy was uploaded to VirusTotal in December 2021 by a submitter in Russia. CosmicEnergy speaks IEC 60870-5-104 (IEC-104), the protocol used to control remote terminal units (RTUs) in electric transmission and distribution operations across Europe, the Middle East and Asia, and uses it to issue ON/OFF commands to RTUs with the aim of disrupting electric power. It has two components: Piehop, a Python-based disruption tool that connects to an MSSQL server the attacker has already compromised inside the target’s operational technology (OT) network, and Lightwork, a C++ IEC-104 client that Piehop uploads and runs through that server to send the commands. The malware contains no intrusion, discovery or lateral-movement capability of its own; the operator must already hold access to the MSSQL server and know the RTU addresses before it can be used.
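Because the disruptive step is an IEC-104 control command arriving from a host that should never issue one (here, a database server), the most direct detection is at the protocol level. The following is an added example written for this page, not CosmicEnergy code or a vendor tool: it decodes IEC-104 APDUs, labels single/double commands as SELECT/EXECUTE and ON/OFF, and flags any control command (ATT&CK for ICS T0855) whose source is not on the allow-list of SCADA masters. The IP addresses and frames are constructed for the demonstration.

```python
"""IEC 60870-5-104 (IEC-104) APDU decoder plus a T0855 detection rule:
control commands from any host other than the authorised SCADA master.
Added example for this page; hosts and frames below are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

START = 0x68

# Control-direction ASDU type IDs (IEC 60870-5-101 7.3.2) that change
# process state; only these matter for an unauthorised-command rule.
COMMAND_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)",
    50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}

@dataclass
class Asdu:
    type_id: int
    cot: int          # cause of transmission, low 6 bits (6 = activation)
    common_addr: int  # common address of ASDU (station), 2 bytes in IEC-104
    ioa: int          # information object address, 3 bytes in IEC-104
    payload: bytes    # information element(s)

@dataclass
class Frame:
    src: str
    dst: str
    apdu: bytes

def build_i_frame(asdu: bytes, send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """APCI: start 0x68, length, 4 control octets (I-format: bit0 of octet 1 is 0)."""
    control = struct.pack("<HH", (send_seq << 1) & 0xFFFE, (recv_seq << 1) & 0xFFFE)
    return bytes([START, 4 + len(asdu)]) + control + asdu

def build_asdu(type_id: int, cot: int, ca: int, ioa: int, element: bytes) -> bytes:
    """One information object (VSQ = 1), originator address 0."""
    return struct.pack("<BBBBH", type_id, 1, cot, 0, ca) + ioa.to_bytes(3, "little") + element

def single_command(ca: int, ioa: int, on: bool, select: bool = False) -> bytes:
    """C_SC_NA_1: SCO bit0 = SCS (1 ON / 0 OFF), bit7 = S/E (1 select / 0 execute)."""
    sco = (0x80 if select else 0x00) | (0x01 if on else 0x00)
    return build_i_frame(build_asdu(45, 6, ca, ioa, bytes([sco])))

def double_command(ca: int, ioa: int, on: bool, select: bool = False) -> bytes:
    """C_DC_NA_1: DCO bits0-1 = DCS (1 OFF / 2 ON), bit7 = S/E."""
    dco = (0x80 if select else 0x00) | (0x02 if on else 0x01)
    return build_i_frame(build_asdu(46, 6, ca, ioa, bytes([dco])))

def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Return the ASDU of an I-format APDU, None for S/U-format frames (no ASDU),
    and raise ValueError on malformed input."""
    if len(data) < 6 or data[0] != START:
        raise ValueError("not an IEC-104 APDU")
    if data[1] + 2 != len(data):
        raise ValueError("APCI length field does not match frame size")
    if data[2] & 0x01:            # S-format (..01) or U-format (..11)
        return None
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU header truncated")
    type_id, _vsq, cot, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")
    return Asdu(type_id, cot & 0x3F, ca, ioa, asdu[9:])

def describe_command(a: Asdu) -> str:
    """SELECT/EXECUTE and ON/OFF for single and double commands."""
    name = COMMAND_TYPE_IDS.get(a.type_id, f"type {a.type_id}")
    if a.type_id not in (45, 46) or not a.payload:
        return name
    qual = a.payload[0]
    se = "SELECT" if qual & 0x80 else "EXECUTE"
    if a.type_id == 45:
        state = "ON" if qual & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
    return f"{name} {se} {state}"

def detect_unauthorized_commands(frames: List[Frame], authorised_masters) -> List[str]:
    """T0855 rule: a control command from a non-master host is an alert;
    malformed APDUs are reported as well."""
    alerts = []
    for f in frames:
        try:
            a = parse_apdu(f.apdu)
        except ValueError as err:
            alerts.append(f"{f.src} -> {f.dst}: malformed APDU ({err})")
            continue
        if a is None or a.type_id not in COMMAND_TYPE_IDS:
            continue          # S/U frames and monitoring-direction ASDUs
        if f.src not in authorised_masters:
            alerts.append(f"{f.src} -> {f.dst}: {describe_command(a)} CA={a.common_addr} IOA={a.ioa}")
    return alerts

# Constructed traffic: 10.0.1.5 is the SCADA master, 10.0.2.20 an RTU,
# 10.0.3.40 a database server that has no business speaking IEC-104.
SAMPLE_FRAMES = [
    Frame("10.0.1.5", "10.0.2.20", bytes([START, 4, 0x07, 0, 0, 0])),              # U-format STARTDT act
    Frame("10.0.1.5", "10.0.2.20", single_command(1, 1001, on=True)),              # legitimate switching
    Frame("10.0.2.20", "10.0.1.5", build_i_frame(build_asdu(1, 3, 1, 1001, b"\x01"))),  # M_SP_NA_1 status
    Frame("10.0.3.40", "10.0.2.20", double_command(1, 1001, on=False)),            # OFF from the DB host
    Frame("10.0.3.40", "10.0.2.20", bytes([START, 5, 0, 0, 0, 0, 45])),            # truncated ASDU
]

def run_demo(frames=SAMPLE_FRAMES, masters=frozenset({"10.0.1.5"})) -> List[str]:
    return detect_unauthorized_commands(frames, masters)

if __name__ == "__main__":
    for line in run_demo():
        print("ALERT", line)
```

Run against the constructed frames this raises two alerts: the double-command OFF from the database server and the truncated frame from the same host. The allow-list is the whole rule; in a real deployment it is the set of SCADA master addresses, and an MSSQL server will never be on it.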
- Data Breaches: CosmicEnergy itself has no data-collection or exfiltration capability; its objective is to switch power equipment, not to steal personally identifiable information (PII), financial records or intellectual property. The risk to data comes from the access the malware presupposes: an attacker who already controls an MSSQL server inside the OT network can use that foothold for data theft independently of the malware, with the usual consequences of identity theft, reputational damage and legal repercussions.
- Financial Losses: Organisations hit by CosmicEnergy are likely to suffer significant financial losses, primarily from the outage itself (lost supply, contractual penalties, regulatory fines) and from incident response, remediation and legal costs, with the potential loss of customers or business opportunities on top.
- Operational Disruption: Interfering with operations is the malware’s purpose. By issuing IEC-104 ON/OFF commands to RTUs it can switch connected equipment such as breakers without the operator’s involvement, causing outages, downtime and lost productivity, and potentially damaging plant that is switched outside its design conditions.
- Compromised Infrastructure: CosmicEnergy is built for the electric transmission and distribution sector; operators of IEC-104 controlled RTUs in other utility sectors have the same exposure. A successful attack interferes with essential services and endangers public safety, which is what makes OT malware of this kind a critical national infrastructure concern.
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, adds protection on the Windows hosts in the attack chain, above all the MSSQL server the malware depends on: it can alert on the staging and execution of the tooling there and block it before any command reaches an RTU. EDR does not cover the RTUs themselves, which run no agent, so it needs to be paired with network monitoring of IEC-104 traffic (TCP/2404) for control commands from unexpected sources.
- Industrial Control Systems (ICS): CosmicEnergy targets remote terminal units (RTUs) controlled over IEC-104, a standard component of the SCADA systems used in electric transmission and distribution. Any IEC-104 outstation reachable from the compromised network is in scope; the analysed sample speaks no other protocol, so programmable logic controllers (PLCs) or human-machine interfaces (HMIs) that are not IEC-104 outstations are not directly affected.
- Internet of Things (IoT) Devices: There is no indication that CosmicEnergy targets IoT devices such as cameras or routers. The entry point it relies on is a Windows host running MSSQL inside the OT network that the attacker has already compromised; weakly secured devices on that network matter only insofar as they offer a route to such a host.
Containment, Mitigations and Remediations
As mentioned previously, an EDR solution should be deployed on the Windows servers in the OT environment, which allows the tooling used by malware such as CosmicEnergy to be detected and blocked on the MSSQL server before it acts. In addition: restrict which hosts may connect to MSSQL servers in the OT network and which hosts may open TCP/2404 sessions to RTUs; alert on any IEC-104 control command whose source is not a designated SCADA master; and review MSSQL servers in OT zones for unexpected logins, uploaded files and command execution.
Indicators of Compromise
CosmicEnergy Associated File Hashes (SHA-256)
CosmicEnergy is one of a growing number of malware families aimed at critical national infrastructure (CNI). Rising geopolitical tension between states has increased state-sponsored advanced persistent threat activity against industrial systems, and because industrial control systems are pervasive across CNI operations, a successful attack on them can cause disruption at national scale, which makes them an attractive target.
Attribution is difficult for malware such as CosmicEnergy, both because of the obfuscation such tooling commonly uses and because the state-sponsored or highly capable groups involved take care to hide their origins. The only public link to Russia is that the sample was submitted to VirusTotal in December 2021 from a Russian IP address; that establishes where the uploader was, not who developed or operated the tool.
ICS Tactic: Execution
– T0807 – Command-Line Interface
ICS Tactic: Inhibit Response Function
– T0809 – Data Destruction
ICS Tactic: Impair Process Control
– T0855 – Unauthorized Command Message
ICS Tactic: Impact
– T0831 – Manipulation of Control