
Target Industry

CosmicEnergy malware targets industrial systems within the region of Europe, the Middle East and Asia.

Overview

A Russian user uploaded a malware sample, tracked as ‘CosmicEnergy’, to VirusTotal in December 2021. The malware is designed to disrupt electric power by interacting with IEC 60870-5-104 (IEC-104) equipment, such as remote terminal units (RTUs), which are frequently used in electric transmission and distribution operations in Europe, the Middle East and Asia. CosmicEnergy likely gains access to the target’s operational technology (OT) systems via compromised MSSQL servers, using the Piehop disruption tool.

Impact

  • Data Breaches: A primary objective of CosmicEnergy is to steal sensitive data. This can include personally identifiable information (PII), financial records, intellectual property, or classified government information. Data breaches resulting from CosmicEnergy can lead to identity theft, reputational damage, and legal repercussions.
  • Financial Losses: It is likely that organisations targeted by CosmicEnergy will experience significant financial losses. This can result from theft of financial data, disruption of operations, remediation costs, legal expenses, fines, and the potential loss of customers or business opportunities.
  • Operational Disruption: CosmicEnergy has the ability to interfere with an organisation’s regular business activities. The malware may compromise vital infrastructure, networks, or systems, resulting in service interruptions, downtime, and lost productivity.
  • Compromised Infrastructure: CosmicEnergy targets sectors associated with crucial infrastructure, including energy, healthcare, or transportation. As such, it is almost certain that a successful CosmicEnergy attack will have disastrous repercussions by interfering with crucial services and therefore endangering public safety.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against malware threats such as CosmicEnergy. EDR tooling can alert defenders to a potential breach and block further progress before the malware causes severe damage.

Affected Products

  • Industrial Control Systems (ICS): Certain variants of CosmicEnergy have shown the capability to target industrial control systems used in critical infrastructure sectors such as energy, water treatment, transportation, and manufacturing. These systems include programmable logic controllers (PLCs), human-machine interfaces (HMIs), and supervisory control and data acquisition (SCADA) systems.
  • Internet of Things (IoT) Devices: CosmicEnergy can potentially target IoT devices connected to networks, including smart home devices, surveillance cameras, routers, or industrial IoT devices. Vulnerable IoT devices can serve as entry points for the malware to gain access to the network or launch further attacks.

Containment, Mitigations and Remediations

As mentioned previously, it is recommended that an EDR solution is implemented, which will allow for the prevention of potential attacks from malware threats such as CosmicEnergy.

Indicators of Compromise

CosmicEnergy Associated File Hashes (SHA-256)

– 358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010

– 7dc25602983f7c5c3c4e81eeb1f2426587b6c1dc6627f20d51007beac840ea2b

– 8933477e82202de97fb41f4cbbe6af32596cec70b5b47da022046981c01506a7

– 182d6f5821a04028fe4b603984b4d33574b7824105142b722e318717a688969e

– 90d96bb2aa2414a0262d38cc805122776a9405efece70beeebf3f0bcfc364c2d

– 740e0d2fba550308344b2fb0e5ecfebdd09329bdcfaa909d3357ad4fe5552532
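To operationalise the indicators above, the following script (added here as an illustration; it is not tooling from the bulletin's author) hashes every file under a directory in chunks and reports any whose SHA-256 appears in the list. The six hashes are copied from the list above; the directory, file names and file contents built in `self_check()` are constructed so the script can be exercised offline, and the malformed-indicator check exists because a truncated or mis-copied hash silently matches nothing.

```python
"""Sweep a directory tree for files whose SHA-256 matches the CosmicEnergy
indicators listed in this bulletin.

Added example for this bulletin, not tooling from its author.  The six hashes
are copied from the bulletin; the directory and files built in self_check()
are constructed so the script runs offline.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

COSMICENERGY_SHA256 = frozenset({
    "358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010",
    "7dc25602983f7c5c3c4e81eeb1f2426587b6c1dc6627f20d51007beac840ea2b",
    "8933477e82202de97fb41f4cbbe6af32596cec70b5b47da022046981c01506a7",
    "182d6f5821a04028fe4b603984b4d33574b7824105142b722e318717a688969e",
    "90d96bb2aa2414a0262d38cc805122776a9405efece70beeebf3f0bcfc364c2d",
    "740e0d2fba550308344b2fb0e5ecfebdd09329bdcfaa909d3357ad4fe5552532",
})

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def invalid_iocs(iocs=COSMICENERGY_SHA256):
    """Return indicators that are not well-formed lowercase SHA-256 hex strings.
    A truncated or mis-copied hash silently matches nothing, so check first."""
    return sorted(h for h in iocs if not _SHA256_RE.match(h))


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=COSMICENERGY_SHA256):
    """Walk `root` and return (path, sha256) for every file whose digest is in `iocs`.
    Unreadable files are skipped here; a production scan should log them."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def self_check():
    """Run the sweep over a constructed tree: one benign file and one stand-in
    file whose own digest is added to the IoC set for this check only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"constructed benign content\n")
        planted = root / "bin" / "suspect.bin"
        planted.parent.mkdir()
        planted.write_bytes(b"constructed stand-in, not a real sample\n")
        planted_digest = hashlib.sha256(planted.read_bytes()).hexdigest()
        hits = sweep(root, COSMICENERGY_SHA256 | {planted_digest})
        return {
            "hits": len(hits),
            "names": sorted(os.path.basename(p) for p, _ in hits),
            "digest_ok": all(d == planted_digest for _, d in hits),
        }


if __name__ == "__main__":
    import sys
    bad = invalid_iocs()
    if bad:
        sys.exit(f"malformed indicators: {bad}")
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in sweep(target):
        print(f"MATCH {digest}  {path}")
```

Run it as `python sweep.py /path/to/scan`; a match is printed per file. Hash-based indicators only catch the exact samples listed, so treat a clean sweep as absence of these six files, not as absence of the threat.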

Threat Landscape

CosmicEnergy is one of many new malware variants contributing to the prominent threat to critical national infrastructure (CNI). The increased targeting of industrial systems reflects rising geopolitical tension between nations, which has intensified the attack efforts of state-sponsored advanced persistent threat groups. Because industrial control systems are used widely across CNI operations, they have become a prominent target for these groups: a successful attack can achieve disruption on a national scale.

Threat Group

Due to the use of complex obfuscation techniques and the involvement of state-sponsored or highly competent threat groups, attribution can be difficult when dealing with malware like CosmicEnergy. However, the malware has been linked to Russia, as a sample was uploaded to VirusTotal in December 2021 by a user associated with a Russian IP address.

Mitre Methodologies

ICS Tactic: Execution

T0807 – Command-Line Interface

ICS Tactic: Inhibit Response Function

T0809 – Data Destruction

ICS Tactic: Impair Process Control

T0855 – Unauthorized Command Message

ICS Tactic: Impact

T0831 – Manipulation of Control
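The Overview describes CosmicEnergy interacting with IEC-104 equipment, and T0855 above is the technique for the resulting unauthorized command messages. The following parser and detector, added here as an illustration (not code from the bulletin or from the analyses it cites), decodes IEC-104 APDUs from a network capture and alerts when a control-direction command (type IDs 45–51 and 58–64) with cause of transmission "activation" arrives from a host that is not a known master station. The frames, IP addresses and master allow-list are constructed for the example; the field layout follows the IEC 60870-5-104 standard.

```python
"""Parse IEC 60870-5-104 (IEC-104) APDUs and flag control commands sent by
hosts that are not known master stations (MITRE ATT&CK for ICS T0855).

Added example for this bulletin; it is not code from the bulletin or from the
analyses it cites.  The frames, IP addresses and master allow-list below are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Control-direction type identifiers: 45-51 are commands without a time tag,
# 58-64 the same commands carrying a CP56Time2a time tag.
CONTROL_TYPE_IDS = frozenset(range(45, 52)) | frozenset(range(58, 65))
TYPE_NAMES = {
    1: "M_SP_NA_1 single-point information",
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    48: "C_SE_NA_1 set-point command, normalised value",
    58: "C_SC_TA_1 single command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission: the master requests an action


@dataclass
class Apdu:
    fmt: str                          # "I" (data), "S" (supervisory) or "U" (control)
    type_id: Optional[int] = None     # I-format only
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None         # information object address of the first object
    u_function: Optional[int] = None  # U-format only, e.g. 0x07 = STARTDT act


def parse_apdu(data: bytes) -> Apdu:
    """Decode one APDU.  Raises ValueError on anything that is not well-formed."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("missing 0x68 start byte or frame shorter than the APCI")
    if data[1] != len(data) - 2:
        raise ValueError(f"length field {data[1]} != {len(data) - 2} bytes after it")
    ctrl = data[2:6]
    if (ctrl[0] & 0x01) == 0:
        fmt = "I"
    elif (ctrl[0] & 0x03) == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt == "U":
        return Apdu("U", u_function=ctrl[0])
    if fmt == "S":
        return Apdu("S")
    asdu = data[6:]
    if len(asdu) < 9:  # type id, VSQ, COT (2 bytes), common address (2), IOA (3)
        raise ValueError("ASDU shorter than its fixed header")
    return Apdu(
        "I",
        type_id=asdu[0],
        cot=asdu[2] & 0x3F,  # low 6 bits; bit 6 is P/N, bit 7 the test flag
        common_addr=int.from_bytes(asdu[4:6], "little"),
        ioa=int.from_bytes(asdu[6:9], "little"),
    )


def detect_unauthorized_commands(frames, authorized_masters):
    """frames: iterable of (source_ip, raw_apdu_bytes) as a network sensor sees them.
    Returns one alert per control command activation from an unlisted source and
    one per frame that fails to parse."""
    alerts = []
    for src, raw in frames:
        try:
            apdu = parse_apdu(raw)
        except ValueError as exc:
            alerts.append({"src": src, "reason": f"malformed APDU: {exc}"})
            continue
        if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPE_IDS:
            continue
        if apdu.cot == COT_ACTIVATION and src not in authorized_masters:
            alerts.append({
                "src": src,
                "reason": "control command from host not in master allow-list",
                "type_id": apdu.type_id,
                "type_name": TYPE_NAMES.get(apdu.type_id, "unknown"),
                "common_addr": apdu.common_addr,
                "ioa": apdu.ioa,
            })
    return alerts


# Constructed traffic: master 10.0.0.5 starts the session and sends a single
# command; 10.0.0.77 (unlisted) sends the identical command; outstation
# 10.0.0.20 answers with an activation confirmation (COT 7) and a spontaneous
# monitoring frame, neither of which is a command.
AUTHORIZED_MASTERS = frozenset({"10.0.0.5"})
SAMPLE_FRAMES = [
    ("10.0.0.5",  bytes.fromhex("680407000000")),                      # STARTDT act
    ("10.0.0.5",  bytes.fromhex("680e000000002d010600010001000081")),  # C_SC_NA_1 act
    ("10.0.0.77", bytes.fromhex("680e000000002d010600010001000081")),  # same, unlisted
    ("10.0.0.20", bytes.fromhex("680e000000002d010700010001000081")),  # actcon reply
    ("10.0.0.20", bytes.fromhex("680e0000000001010300010064000001")),  # M_SP_NA_1 spont
]

if __name__ == "__main__":
    for alert in detect_unauthorized_commands(SAMPLE_FRAMES, AUTHORIZED_MASTERS):
        print(alert)
```

Only the activation (COT 6) is flagged, so the outstation's own activation confirmation (COT 7, also type 45) does not produce a false positive. In a real deployment the source would be taken from the TCP flow carrying port 2404, and the allow-list from the site's engineering documentation of which hosts are permitted to act as masters.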

Further Information

COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises | Mandiant

CosmicEnergy Malware Emerges, Capable of Electric Grid Shutdown (darkreading.com)

CosmicEnergy: The New Russian-Linked Malware Targets Industrial System (heimdalsecurity.com)
