Google’s Mandiant, a threat intelligence firm, has discovered a new strain of malware called COSMICENERGY. This malicious software is designed to infiltrate and disrupt critical systems in industrial environments. COSMICENERGY was uploaded to a public malware scanning utility in December 2021 by a sender in Russia. Although there is no evidence of its use in the wild, its design bears similarities to other specialized malware such as Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM.
Circumstantial evidence suggests that COSMICENERGY was developed by the Russian telecommunications company Rostelecom-Solar as a tool for power outage simulations and emergency response exercises that took place in October 2021. This raises the possibility that the malware was created to recreate realistic attack scenarios against electrical grid systems to test defenses, or that another entity has repurposed the code for more malicious use.
The COSMICENERGY malware has the ability to exploit an industrial communication protocol known as IEC-104 to issue commands to remote terminal units (RTUs). These commands can be used to change the state of power line switches and circuit breakers, resulting in power outages. This is achieved with the help of two components, PIEHOP and LIGHTWORK, disruption tools written in Python and C++ respectively.
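A defender's view of the protocol traffic described above, as an added example that is not part of the article or of Mandiant's analysis: it parses IEC-104 APDUs from a raw TCP payload and flags the control ASDUs (single and double commands) that switch an output ON or OFF, the message class a monitoring sensor on the SCADA network should alert on when it originates from an unexpected host. The sample bytes are constructed.

```python
# Added example, not from the article or Mandiant: flag IEC 60870-5-104 control ASDUs
# (the message class that operates switches and breakers); byte strings are constructed.
CONTROL_TYPES = {  # ASDU type identifiers of process-control commands
    45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1", 49: "C_SE_NB_1",
    50: "C_SE_NC_1", 51: "C_BO_NA_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1",
    61: "C_SE_TA_1", 62: "C_SE_TB_1", 63: "C_SE_TC_1", 64: "C_BO_TA_1"}
COT_NAMES = {6: "activation", 7: "activation-confirm", 8: "deactivation"}

def parse_apdus(payload: bytes):
    """Yield (frame_format, asdu) per APDU; asdu is None for S- and U-format frames."""
    i = 0
    while i + 2 <= len(payload):
        if payload[i] != 0x68:                   # every APDU starts with 0x68
            raise ValueError(f"bad start byte at offset {i}")
        length = payload[i + 1]                  # 4 control bytes + ASDU
        apdu = payload[i + 2:i + 2 + length]
        if len(apdu) != length:
            raise ValueError("truncated APDU")
        if apdu[0] & 0x01 == 0:
            yield "I", apdu[4:]                  # I-format carries an ASDU
        elif apdu[0] & 0x03 == 0x01:
            yield "S", None                      # supervisory acknowledgement
        else:
            yield "U", None                      # STARTDT/STOPDT/TESTFR
        i += 2 + length

def control_commands(payload: bytes):
    """One dict per control ASDU: type, cause, common address, IOA, ON/OFF, select/execute."""
    found = []
    for fmt, asdu in parse_apdus(payload):
        if fmt != "I" or len(asdu) < 10 or asdu[0] not in CONTROL_TYPES:
            continue
        type_id, cot = asdu[0], asdu[2] & 0x3F   # low 6 bits = cause of transmission
        entry = {"type": CONTROL_TYPES[type_id], "cot": COT_NAMES.get(cot, cot),
                 "ca": int.from_bytes(asdu[4:6], "little"),
                 "ioa": int.from_bytes(asdu[6:9], "little")}   # 3-byte object address
        if type_id in (45, 58):                  # single command: SCO bit 0 = ON/OFF
            entry["state"] = "ON" if asdu[9] & 1 else "OFF"
        elif type_id in (46, 59):                # double command: DCO bits 0-1, 1=OFF, 2=ON
            entry["state"] = {1: "OFF", 2: "ON"}.get(asdu[9] & 0x03, "invalid")
        if "state" in entry:
            entry["select"] = bool(asdu[9] & 0x80)   # bit 7: 1 = select, 0 = execute
        found.append(entry)
    return found
# Constructed stream: STARTDT act, single command ON (select) to IOA 10, double
# command OFF (execute) to IOA 11, then a general interrogation (not a control).
SAMPLE = bytes.fromhex("680407000000" "680e000000002d01060001000a000081"
                       "680e000000002e01060001000b000001" "680e0000000064010600010000000014")
```

Against real traffic, feed the TCP payload of each IEC-104 session (port 2404 by default) and correlate the flagged entries with the source address and the expected control master.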
The discovery of COSMICENERGY underscores several important developments in the OT (operational technology) threat landscape. Because discoveries of new OT malware are uncommon, each one poses an immediate threat to affected organizations. Additionally, the malware primarily takes advantage of insecure-by-design features of OT environments, which are unlikely to be remedied in the near future. This discovery highlights the urgent need to improve security in critical infrastructure and to remain on constant guard against emerging cyber threats.
Source: Hackernews
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.