Home / Threat Intelligence bulletins / New malware strain COSMICENERGY discovered by Mandiant

Target Industry

Critical national infrastructure (CNI), industry.


Google’s subsidiary group Mandiant has discovered a new strain of malware named COSMICENERGY, which was developed to exploit and disrupt industry energy systems. The malware was likely originally developed by the Russian cyber security company Rostelecom-Solar as a red teaming tool to simulate disruption to critical energy systems.

The malware can initiate remote commands to various mechanisms such as circuit breakers to cause mass disruption. This is done through initially infecting an SQL server with access to remote terminal units and executing the tools PIEHOP and LIGHTWORK that are used to send remote commands to the remote terminal units using the IEC-104 protocol.

Although the malware poses a serious threat to various organisations with industrial operations such as national power suppliers or manufacturers, no evidence has been identified to suggest that the malware has been used in any known incidents.


Due to the nature of the malware being capable of disrupting the industrial sector and CNI, such as national power services, a successful attack could lead to large-scale disruption of energy supply or the supply of vital products. In turn, this could cause potential loss of life due to energy black-outs or the delivery of essential products like medical equipment to be halted.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats such as COSMICENERGY. EDRs can alert system users of potential breaches and prevent further progress, prior to the malware being able to implement significant damage.

Affected Products

SQL databases that interact with industrial remote terminal units using IEC-104 protocol.

Containment, Mitigations & Remediations

As mentioned previously, it is recommended that an EDR solution is implemented which will allow for the prevention or mitigation of potential attacks from a wide range of threats in real time.

All devices should implement the most recent vendor updates available as these will contain updates to their security features to help prevent exploitation from known threats.

Creation, modification and execution of python scripts should be restricted and limited where possible as the main tools used by the malware are python based and are executed from ‘.py’ files.

Indicators of Compromise

COSMICENERGY associated file hashes (SHA256):

  • 358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010
  • 7dc25602983f7c5c3c4e81eeb1f2426587b6c1dc6627f20d51007beac840ea2b
  • 8933477e82202de97fb41f4cbbe6af32596cec70b5b47da022046981c01506a7
  • 182d6f5821a04028fe4b603984b4d33574b7824105142b722e318717a688969e
  • 90d96bb2aa2414a0262d38cc805122776a9405efece70beeebf3f0bcfc364c2d
  • 740e0d2fba550308344b2fb0e5ecfebdd09329bdcfaa909d3357ad4fe5552532

Threat Landscape

The malware COSMICENERGY is one of many new methods involved in the prominent threat to key national infrastructure. The increase in threats to national infrastructure and use of malware targeting industrial systems is due to the increasing geopolitical tension between nations leading to the increase of state sponsored active persistent threat (APT) groups.

Due to the widespread use of industrial control systems within various operations in CNI, it has become a prominent target for groups as disruption on a national scale can be achieved, if successful.

Threat Group

COSMICENERGY was developed by Rostelecom-Solar, who were seen previously reporting an increase in attacks from Ukrainian groups and has not been seen participating in known malicious activity. The organisation is a subsidiary of the company Rostelecom and operates on a global scale providing managed detection and response services.

Mitre Methodologies


T0807 – Command-Line Interface

Defence Evasion

T1140 – Deobfuscate/Decode Files or Information

Impair Response Function

T0809 – Data Destruction

Impair Process Control

T0855 – Unauthorized Command Message


T0831 – Manipulation of Control

Further Information

COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises

Russian company websites hit by increased hacking in March, says cyber firm


Intelligence Terminology Yardstick