
Emergency Drill Connection: Unveiling the Link to COSMICENERGY Malware


By Esme Greene

Aug 9, 2023

A new piece of malware called CosmicEnergy was recently uncovered by security researchers at Mandiant. The malicious software, which has been linked to the information security (IS) firm Rostelecom-Solar, was built deliberately to disrupt industrial control systems.

Targeting IEC-104 RTUs: unveiling CosmicEnergy’s functionality

CosmicEnergy's main target is Remote Terminal Units (RTUs) that speak the IEC-104 protocol. Such RTUs are widely deployed in electricity transmission and distribution operations across Europe, the Middle East, and Asia.

The existence of CosmicEnergy came to light when a sample of the malware was uploaded to VirusTotal in December 2021. Intriguingly, the upload was made by a user with a Russian IP address. Through a thorough analysis of the sample, researchers were able to unveil several key aspects related to CosmicEnergy and its functionalities.

Once the attackers gain access to the victim’s network, they can take remote control of the RTUs by issuing IEC-104 commands, such as “ON” or “OFF.” This control is facilitated through the use of the Lightwork malware tool.

A potential Red Team tool for critical infrastructure attacks

According to Mandiant, CosmicEnergy may have been developed as a Red Team tool intended to replicate the activity of Rostelecom-Solar's information security (IS) team. Mandiant's analysts also suspect that, like other Red Team tools, the malware could be abused by threat actors to conduct destructive cyberattacks on critical infrastructure.

Although Mandiant admits there is not enough information to pinpoint the origin or purpose of CosmicEnergy, its analysts believe Rostelecom-Solar or an affiliated entity may have developed it, most likely to simulate real attacks on components of the power grid.

The relevant standard is IEC 60870-5 (Telecontrol Equipment and Systems), of which IEC-104 is a part. It lets two systems in electrical engineering and substation automation exchange critical control and monitoring signals. IEC-104 takes the IEC 101 application-layer (L7) messages and transports them over a conventional TCP/IP network, by default on port 2404, using a client/server model in which the control station talks to the substation.
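As an added example that is not part of the original article or of Mandiant's analysis, the following parser decodes raw IEC-104 traffic from port 2404 and flags the single and double control commands (the "ON"/"OFF" operations described above), so a defender can alert when such commands come from a host that should never issue them. The captured bytes are constructed for the example; the parser decodes only the first information object of each ASDU.

```python
import struct

APCI_START = 0x68
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1"}   # single / double command ASDUs
COT_NAMES = {6: "activation", 7: "activation confirmation", 10: "activation termination"}


def parse_apdus(stream: bytes) -> list:
    """Split a raw TCP payload into IEC-104 APDUs and return decoded control commands."""
    events, pos = [], 0
    while pos + 2 <= len(stream):
        if stream[pos] != APCI_START:
            raise ValueError(f"bad APCI start byte at offset {pos}")
        length = stream[pos + 1]                       # bytes following the length field
        apdu = stream[pos + 2 : pos + 2 + length]
        if len(apdu) != length:
            raise ValueError("truncated APDU")
        pos += 2 + length
        if apdu[0] & 0x01:                             # S- or U-format frame: carries no ASDU
            continue
        asdu = apdu[4:]                                # I-format: 4 control bytes, then ASDU
        type_id, cot = asdu[0], asdu[2] & 0x3F         # COT low 6 bits; high bits are P/N and test
        if type_id not in CONTROL_TYPES:
            continue                                   # monitoring data, not a control command
        common_address = struct.unpack("<H", asdu[4:6])[0]
        ioa = int.from_bytes(asdu[6:9], "little")      # 3-byte information object address
        qualifier = asdu[9]
        if type_id == 45:                              # SCO: bit 0 = SCS (1 = ON, 0 = OFF)
            state = "ON" if qualifier & 0x01 else "OFF"
        else:                                          # DCO: bits 0-1 = DCS (1 = OFF, 2 = ON)
            state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
        events.append({
            "type": CONTROL_TYPES[type_id],
            "cot": COT_NAMES.get(cot, f"cot_{cot}"),
            "common_address": common_address,
            "ioa": ioa,
            "state": state,
            "select": bool(qualifier & 0x80),          # bit 7: 1 = select, 0 = execute
        })
    return events


# Constructed sample capture: a STARTDT U-frame followed by three control commands.
SAMPLE_STREAM = bytes.fromhex(
    "68 04 07 00 00 00"                                  # U-format STARTDT act (ignored)
    "68 0E 00 00 00 00 2D 01 06 00 01 00 01 00 00 01"    # C_SC_NA_1, IOA 1, ON, execute
    "68 0E 02 00 00 00 2D 01 06 00 01 00 03 00 00 80"    # C_SC_NA_1, IOA 3, OFF, select
    "68 0E 04 00 00 00 2E 01 06 00 01 00 05 00 00 02"    # C_DC_NA_1, IOA 5, ON, execute
)

if __name__ == "__main__":
    for event in parse_apdus(SAMPLE_STREAM):
        print(event)
```

In a monitoring pipeline the same function can be fed the reassembled TCP payload of each port-2404 session and any event whose source address is not the authorised control station raised as an alert.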
