Researchers have spotted CosmicEnergy, malware of Russian make that is capable of shutting down industrial machines. A sample was uploaded by a Russian user back in December 2021.
The tool may have been designed for a power disruption red-team exercise hosted by the Russian cybersecurity company Rostelecom-Solar.
CosmicEnergy poses a plausible threat to affected electric grid assets because of its ability to manipulate a type of industrial control device called a remote terminal unit (RTU).
An RTU is a special type of industrial controller that uses telemetry to interface between industrial machines and their control systems. Its function is relatively simple, receiving data and passing it on for analysis, but, crucially, it’s capable of toggling automated industrial processes on and off.
CosmicEnergy is modeled after Industroyer, the first malware designed to take down an electric grid, and particularly after Industroyer’s newest variant, deployed last year by the Russian APT Sandworm in an attack against Ukraine.
An attacker could cause a power disruption simply by using CosmicEnergy to send a command that trips a power-line switch or circuit breaker. It achieves this with two components:
- PieHop is a Python-based tool that connects an attacker-controlled MSSQL server with an RTU at a targeted industrial site.
- Lightwork is a C++-based tool that takes advantage of an RTU’s toggling capabilities, modifying the state of the RTU before erasing its own executable from the targeted system.
Industrial machines are often designed to operate in trusted environments, without security in mind, due to age, complexity, and other factors. Often, their features are the very functions detailed in their manuals that could, in a security context, be construed as vulnerabilities.
Given this openness in otherwise critical devices, defending against CosmicEnergy, or against Industroyer or Triton for that matter, requires careful consideration and proactive work.
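The two-component attack path above (a command sent to an RTU from an attacker-controlled host) and the observation that a device's documented functions look like vulnerabilities both point to the same defensive check: a control command to an RTU is legitimate only when it comes from the SCADA master that is supposed to send it. The following Python sketch is an added example, not code from the original article or from Mandiant's report. It parses IEC 60870-5-104 control frames and flags any control command whose source is not an allowlisted master. The page itself does not name the protocol; IEC-104 is the one Mandiant's report identifies for Lightwork, and it goes slightly beyond the page by covering the general single, double and regulating-step command types. All host addresses, the allowlist and every frame below are constructed sample data.

```python
"""Network-side detection of IEC 60870-5-104 control commands sent to an RTU
from hosts other than the known SCADA master.  Added example; the RTU
addresses, allowlist and frames are constructed, not captured traffic."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# ASDU type identifiers that carry process-control commands (IEC 60870-5-101).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission: activation


@dataclass
class Command:
    type_id: int
    cause: int
    common_addr: int
    ioa: int          # information object address = the switch/breaker point
    state: str        # "on", "off" or "unknown"
    execute: bool     # False = select phase, True = execute phase


def parse_apdu(raw: bytes) -> Optional[Command]:
    """Return the control command carried by an IEC-104 I-frame, or None when
    the frame is an S/U frame or a non-control ASDU.  Malformed -> ValueError."""
    if len(raw) < 6 or raw[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    if raw[1] != len(raw) - 2:
        raise ValueError("APDU length field does not match frame")
    if raw[2] & 0x01:                      # S- or U-format: no ASDU inside
        return None
    asdu = raw[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    if type_id not in CONTROL_TYPES:
        return None
    n_objects = asdu[1] & 0x7F             # VSQ: low 7 bits = object count
    cause = asdu[2] & 0x3F                 # COT: low 6 bits = cause
    common_addr = int.from_bytes(asdu[4:6], "little")
    if n_objects != 1 or len(asdu) < 10:
        raise ValueError("control ASDU must carry exactly one information object")
    ioa = int.from_bytes(asdu[6:9], "little")
    qualifier = asdu[9]                    # SCO / DCO / RCO octet
    if type_id in (45, 58):                # SCO bit 0: 1 = on, 0 = off
        state = "on" if qualifier & 0x01 else "off"
    elif type_id in (46, 59):              # DCO bits 0-1: 1 = off, 2 = on
        state = {1: "off", 2: "on"}.get(qualifier & 0x03, "unknown")
    else:
        state = "unknown"
    execute = not (qualifier & 0x80)       # S/E bit 7: 1 = select, 0 = execute
    return Command(type_id, cause, common_addr, ioa, state, execute)


def detect(frames: List[Tuple[str, str, bytes]], allowed_masters: Set[str]) -> List[str]:
    """Flag every control command from a host that is not an allowlisted master,
    and every frame the parser rejects (a malformed frame to an RTU is itself worth a look)."""
    alerts = []
    for src, dst, raw in frames:
        try:
            cmd = parse_apdu(raw)
        except ValueError as err:
            alerts.append(f"{src}->{dst}: malformed APDU ({err})")
            continue
        if cmd is None or src in allowed_masters:
            continue
        phase = "EXECUTE" if cmd.execute else "SELECT"
        alerts.append(f"{src}->{dst}: {CONTROL_TYPES[cmd.type_id]} {cmd.state.upper()} "
                      f"{phase} IOA {cmd.ioa} CA {cmd.common_addr} COT {cmd.cause} from non-master host")
    return alerts


def _i_frame(asdu: bytes) -> bytes:
    """Wrap an ASDU in an I-frame with send/receive sequence numbers 0."""
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu


def sample_frames() -> List[Tuple[str, str, bytes]]:
    """Constructed traffic: 10.0.0.5 is the legitimate master, 10.0.0.50 is not."""
    hdr = bytes([0x01, COT_ACTIVATION, 0x00, 0x01, 0x00])   # VSQ=1, COT, CA=1
    ioa_1001 = (1001).to_bytes(3, "little")
    single_off = _i_frame(bytes([45]) + hdr + ioa_1001 + bytes([0x00]))  # SCO execute, off
    single_on = _i_frame(bytes([45]) + hdr + ioa_1001 + bytes([0x01]))   # SCO execute, on
    double_off = _i_frame(bytes([46]) + hdr + ioa_1001 + bytes([0x01]))  # DCO execute, off
    interrogation = _i_frame(bytes([100]) + hdr + bytes(3) + bytes([0x14]))  # C_IC_NA_1
    s_frame = bytes([0x68, 0x04, 0x01, 0x00, 0x00, 0x00])
    truncated = bytes([0x68, 0x0E, 0, 0, 0, 0, 45, 1])
    rtu = "10.0.1.10"
    return [("10.0.0.50", rtu, single_off), ("10.0.0.5", rtu, single_on),
            ("10.0.0.50", rtu, interrogation), ("10.0.0.50", rtu, s_frame),
            ("10.0.0.50", rtu, double_off), ("10.0.0.50", rtu, truncated)]


if __name__ == "__main__":
    for line in detect(sample_frames(), {"10.0.0.5"}):
        print(line)
```

The allowlist is the whole point: the command frames from the rogue host are byte-for-byte valid protocol, exactly the "documented function construed as vulnerability" the article describes, so the only thing that distinguishes them from the master's traffic is where they come from. In a real deployment the allowlist would come from the site's network inventory and the frames from a span port or IDS feed.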
This research was documented by researchers from Mandiant.