Over the last week, researchers at Mandiant have released detailed information about a possible new threat to operational technology (OT) environments, specifically those in the energy sector: a new industrial control systems (ICS) focused malware family, which they have named COSMICENERGY. At present this malware has not been seen in the wild, but concern over its potential impact is why Mandiant are releasing the information now. It provides detailed intelligence so that organisations can track and monitor for the development of this threat.
COSMICENERGY is comparable to the earlier INDUSTROYER and INDUSTROYER.V2 threats in that it interacts with IEC-104 compliant devices to disrupt electrical power transmission; its route to those devices is via Microsoft SQL Server, which is found on many OT historian systems. The main difference is that COSMICENERGY appears to have been produced by a cyber security company (Rostelecom-Solar) as a red teaming tool for testing and training purposes, rather than by a nation state actor. That said, Rostelecom-Solar was paid by the Russian government to provide training for cyber security professionals, and COSMICENERGY became part of that training package.
Assessing how COSMICENERGY is designed shows the three stages that a successful attack would need. Firstly, a host on the network must be compromised. Secondly, from that host the attacker connects to the SQL Server on its default port, TCP 1433, and runs the first component of the malware, PIEHOP, a Python tool that uses the SQL Server to stage files and issue commands. Thirdly, PIEHOP launches the second component, LIGHTWORK, a tool written in C++ that speaks IEC-104 to remote terminal units (RTUs) and can switch the state of a target to 'on' or 'off'. Changing the state of RTUs that control power equipment could affect the electrical supply, potentially cutting power to millions.
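The IEC-104 traffic that the third stage produces has a fixed, documented layout, and the on/off command LIGHTWORK sends is a single or double command ASDU (type 45 or 46) with cause of transmission "activation". The decoder below, an added example for this write-up and not code from COSMICENERGY, LIGHTWORK or Mandiant, parses IEC-104 APDUs from the public frame layout and picks out exactly those actuation commands, which is what a network monitor on the OT side would want to alert on. The sample frames are constructed by hand, not captured traffic, and the addresses in them (common address 1, IOAs 1000 and 1001) are arbitrary.

```python
"""Decode IEC 60870-5-104 APDUs and flag control (on/off) commands.

Added example for this write-up; not code from COSMICENERGY/LIGHTWORK or from
Mandiant. The frames in SAMPLE are constructed from the public IEC-104 frame
layout (APCI start byte 0x68, length, 4 control octets, then the ASDU).
"""
import struct

# ASDU type identifiers that carry process control commands.
CONTROL_TYPES = {
    45: "C_SC_NA_1",  # single command (SCO: bit 0 = on/off, bit 7 = select/execute)
    46: "C_DC_NA_1",  # double command (DCO: bits 0-1 = 1 off / 2 on, bit 7 = select/execute)
    58: "C_SC_TA_1",  # single command with CP56Time2a timestamp
    59: "C_DC_TA_1",  # double command with CP56Time2a timestamp
}
COT_NAMES = {6: "activation", 7: "activation confirmation",
             8: "deactivation", 10: "activation termination"}
U_FRAMES = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
            0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def decode_apdu(data: bytes) -> dict:
    """Parse one APDU (APCI plus optional ASDU); raises ValueError on malformed input."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    if data[1] != len(data) - 2:
        raise ValueError("APDU length field does not match frame length")
    ctrl = data[2:6]
    if ctrl[0] & 0x03 == 0x03:  # U-format: link control only, no ASDU
        return {"format": "U", "function": U_FRAMES.get(ctrl[0], f"0x{ctrl[0]:02x}")}
    if ctrl[0] & 0x03 == 0x01:  # S-format: supervisory acknowledgement
        return {"format": "S", "recv_seq": struct.unpack("<H", ctrl[2:4])[0] >> 1}
    # I-format: 15-bit send/receive sequence numbers, then the ASDU.
    send_seq = struct.unpack("<H", ctrl[0:2])[0] >> 1
    recv_seq = struct.unpack("<H", ctrl[2:4])[0] >> 1
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot_byte = asdu[0], asdu[1], asdu[2]
    info = {
        "format": "I", "send_seq": send_seq, "recv_seq": recv_seq,
        "type_id": type_id, "num_objects": vsq & 0x7F,
        "cot": cot_byte & 0x3F, "cot_name": COT_NAMES.get(cot_byte & 0x3F, "other"),
        "common_addr": struct.unpack("<H", asdu[4:6])[0], "objects": [],
    }
    if type_id in CONTROL_TYPES:
        # Control ASDUs carry one object: 3-byte IOA followed by the SCO/DCO octet.
        body = asdu[6:]
        if len(body) < 4:
            raise ValueError("control object truncated")
        ioa = body[0] | body[1] << 8 | body[2] << 16
        qual = body[3]
        if type_id in (45, 58):
            state = "ON" if qual & 0x01 else "OFF"
        else:
            state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
        info["objects"].append({"ioa": ioa, "state": state,
                                "select": bool(qual & 0x80),
                                "type": CONTROL_TYPES[type_id]})
    return info


def control_commands(apdus):
    """Return (common address, IOA, state) for every executed activation command."""
    found = []
    for raw in apdus:
        a = decode_apdu(raw)
        if a["format"] != "I" or a["type_id"] not in CONTROL_TYPES:
            continue
        for obj in a["objects"]:
            if a["cot"] == 6 and not obj["select"]:  # activation, execute (not select)
                found.append((a["common_addr"], obj["ioa"], obj["state"]))
    return found


# Constructed sample session (not captured traffic): link start, two control
# commands, then an ordinary monitoring report that must not be flagged.
SAMPLE = [
    bytes.fromhex("680407000000"),                                   # STARTDT act
    bytes.fromhex("680e00000000" "2d010600" "0100" "e80300" "01"),   # C_SC_NA_1, IOA 1000, ON, execute
    bytes.fromhex("680e02000000" "2e010600" "0100" "e90300" "01"),   # C_DC_NA_1, IOA 1001, DCS=1 OFF
    bytes.fromhex("680e04000000" "01010300" "0100" "010000" "01"),   # M_SP_NA_1 spontaneous, monitoring only
]

if __name__ == "__main__":
    for ca, ioa, state in control_commands(SAMPLE):
        print(f"control command: common address {ca}, IOA {ioa} -> {state}")
```

Run over the constructed session this reports the two actuation commands (IOA 1000 switched ON, IOA 1001 switched OFF) and ignores the STARTDT frame and the monitoring report. In a real deployment the interesting field is not the command itself, which operators send legitimately, but its source: an activation command arriving from a historian or any other host that is not the SCADA master is the anomaly.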
Fortunately for organisations, an attacker would still need to do some additional work. The tool itself has no discovery capability, so the attacker would have to profile the internal network themselves to locate a SQL Server and identify the RTUs before a successful attack could be launched. Additionally, there are logic errors in PIEHOP's code which mean that, without extra work, it cannot execute a state change on an RTU via IEC-104, though updating the code to rectify this would not be difficult.
Overall, COSMICENERGY uses similar tactics to INDUSTROYER, but it also follows the approach of IRONGATE, TRITON and INCONTROLLER. All of these were designed to target OT environments by abusing OT protocols that have no built-in authentication (IEC-104 among them), and all have used Python code packaged with tools such as PyInstaller and Py2Exe. This shows that the barrier to entry for attacking an OT environment is lowering, as existing code and techniques can be reused as a starting point for building malware to target and breach an organisation. The level of expertise required is gradually decreasing as more of these packages are created and enter the public domain.
With all this bad news, what should organisations do to protect themselves and build resilience against this threat? Firstly, ensure that, where possible, logs are being collected and monitored for evidence of Python scripts being run or of unauthorised code execution, as an initial sign of a potential attack. Organisations should also check for any activity linked to PyInstaller or Py2Exe executables, and should monitor any MSSQL Servers that have access to OT systems for anomalous activity or unauthorised connections. Both checks depend on having a baseline: know which hosts are expected to connect to the SQL Server on TCP 1433 and which hosts are expected to speak to the RTUs on the IEC-104 port (TCP 2404), so that anything else stands out.
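The following script, an added example for this write-up and not Mandiant's tooling, applies those checks to a handful of constructed log events: it flags connections to the MSSQL port from hosts outside the expected client list, flags the MSSQL host itself reaching into the OT subnet on the IEC-104 port, and flags process or image-load events that look like PyInstaller or Py2Exe bundles or the bare Python interpreter. The log format, hostnames, IP ranges and the PyInstaller/Py2Exe path heuristics (the `_MEI<digits>` temporary directory that PyInstaller one-file binaries unpack into, and the `library.zip` that Py2Exe builds ship with) are assumptions for the example, not indicators published with the COSMICENERGY report.

```python
"""Triage constructed network and process events for the indicators discussed
above. Added example for this write-up, not Mandiant's tooling. The event
schema, subnets, hostnames and the packaging heuristics are assumptions.
"""
import ipaddress
import re

MSSQL_PORT = 1433   # default MSSQL listener
IEC104_PORT = 2404  # IEC 60870-5-104 default TCP port

# Heuristic path patterns (assumption): PyInstaller one-file binaries unpack into
# %TEMP%\_MEI<digits>; Py2Exe bundles ship a library.zip; python.exe / pythonw.exe
# is the bare interpreter.
PYINSTALLER_RE = re.compile(r"[\\/]_MEI\d+[\\/]", re.IGNORECASE)
PY2EXE_RE = re.compile(r"[\\/]library\.zip$", re.IGNORECASE)
PYTHON_RE = re.compile(r"[\\/]python\d*w?\.exe$", re.IGNORECASE)


def flag_network(conns, ot_network, mssql_servers, allowed_mssql_clients):
    """Return (indicator, src, dst) for connections matching the network checks."""
    ot_net = ipaddress.ip_network(ot_network)
    alerts = []
    for c in conns:
        src, dst, dport = c["src"], c["dst"], c["dport"]
        # Anyone other than the known application hosts talking to the historian's SQL Server.
        if dport == MSSQL_PORT and dst in mssql_servers and src not in allowed_mssql_clients:
            alerts.append(("unexpected-mssql-client", src, dst))
        # The SQL Server host itself opening IEC-104 sessions into the OT network.
        if src in mssql_servers and dport == IEC104_PORT and ipaddress.ip_address(dst) in ot_net:
            alerts.append(("mssql-host-to-iec104", src, dst))
    return alerts


def flag_processes(events):
    """Return (indicator, host, path) for process/image-load events matching the packaging checks."""
    alerts = []
    for e in events:
        path = e["path"]
        if PYINSTALLER_RE.search(path):
            alerts.append(("pyinstaller-bundle", e["host"], path))
        elif PY2EXE_RE.search(path):
            alerts.append(("py2exe-bundle", e["host"], path))
        elif PYTHON_RE.search(path):
            alerts.append(("python-interpreter", e["host"], path))
    return alerts


# Constructed sample data (assumptions): 10.10.10.0/24 is the IT/historian segment,
# 10.10.20.0/24 the OT segment, 10.10.10.20 the historian's SQL Server, and
# 10.10.10.5 the only application server expected to query it.
OT_NETWORK = "10.10.20.0/24"
MSSQL_SERVERS = {"10.10.10.20"}
ALLOWED_MSSQL_CLIENTS = {"10.10.10.5"}

SAMPLE_CONNS = [
    {"src": "10.10.10.5", "dst": "10.10.10.20", "dport": 1433},   # expected client, not flagged
    {"src": "10.10.10.77", "dst": "10.10.10.20", "dport": 1433},  # unexpected workstation
    {"src": "10.10.10.20", "dst": "10.10.20.15", "dport": 2404},  # SQL host to an RTU on IEC-104
    {"src": "10.10.10.20", "dst": "10.10.10.5", "dport": 445},    # ordinary SMB, not flagged
]

SAMPLE_PROCS = [
    {"host": "HIST01", "path": r"C:\Users\svc\AppData\Local\Temp\_MEI48212\python39.dll"},
    {"host": "HIST01", "path": r"C:\Tools\dist\library.zip"},
    {"host": "ENG02", "path": r"C:\Python39\python.exe"},
    {"host": "ENG02", "path": r"C:\Windows\System32\svchost.exe"},  # benign, not flagged
]

if __name__ == "__main__":
    for alert in flag_network(SAMPLE_CONNS, OT_NETWORK, MSSQL_SERVERS, ALLOWED_MSSQL_CLIENTS):
        print("network:", alert)
    for alert in flag_processes(SAMPLE_PROCS):
        print("process:", alert)
```

On the constructed data this raises two network alerts (the unexpected client on TCP 1433 and the SQL Server host opening an IEC-104 session into the OT subnet) and three process alerts, while the expected client, the SMB session and svchost.exe pass. The allowlists are the important part: the checks only work if the organisation has already recorded which hosts are supposed to reach the historian and which are supposed to reach the RTUs.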