Industrial cybersecurity firm Dragos has stated that the recently discovered CosmicEnergy malware, which is designed to target industrial control systems (ICS), does not currently pose an immediate threat to operational technology (OT). Organizations should nonetheless not ignore its presence.
The Russia-linked CosmicEnergy malware does not directly threaten OT systems because of coding errors and a lack of maturity.
Key Takeaways on CosmicEnergy ICS Malware:
- CosmicEnergy malware, designed to target industrial control systems (ICS), currently does not pose an immediate threat to operational technology (OT), but organizations should remain vigilant.
- The malware interacts with ICS devices used in electric transmission and distribution, potentially allowing threat actors to manipulate power line switches and circuit breakers remotely.
- Dragos analysis suggests that CosmicEnergy was likely developed for training purposes and lacks the full-fledged attack capabilities of more sophisticated ICS malware.
Details of the CosmicEnergy Malware and Its Components
In May, Mandiant, a company owned by Google, revealed the existence of CosmicEnergy malware, which has the potential to disrupt electric grids.
This malware specifically interacts with ICS devices used in electric transmission and distribution, enabling threat actors to manipulate power line switches and circuit breakers remotely. Mandiant identified CosmicEnergy as a plausible threat to affected electric grid assets.
The malware was linked to Russian threat actors and primarily targeted remote terminal units (RTUs) commonly found in Europe, the Middle East, and parts of Asia. It consists of two main components: LightWork and PieHop.
Analysis by Dragos: Limited Threat and Probable Purpose
Dragos has conducted its own analysis of CosmicEnergy and its components, determining that it does not currently pose an immediate threat to OT systems.
Unlike more advanced ICS malware such as Industroyer (aka CrashOverride) and Industroyer2, used in attacks on Ukraine’s energy sector, CosmicEnergy lacks full-fledged attack capabilities.
Additionally, there is no evidence of the malware being deployed in real-world scenarios. Dragos noted that CosmicEnergy appears to have been designed for training purposes, since it contains hardcoded parameters for targeting specific equipment, whereas more sophisticated malware typically exposes configurable parameters.
While Mandiant suggested that the malware may have originated from a contractor at Russian cybersecurity firm Rostelecom-Solar, Dragos also raised the possibility that code from a red-teaming tool was used to create the malware.
Recommendations for Industrial Organizations to Strengthen Security
Although CosmicEnergy may not pose an immediate threat, Dragos advises industrial organizations to take precautionary measures to protect their systems against potential attacks involving this type of malware.
Recommendations include restricting access to and monitoring MS SQL servers. Dragos emphasizes the importance of reassessing firewall rules and configurations, as well as ensuring visibility into ICS protocols traversing the network.
Given that multiple tools targeting IEC104 have now been discovered, organizations should prioritize a robust security posture to improve the likelihood of detecting and mitigating future attacks.
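As an added example (not code from Dragos or from this article), the following Python script shows one form the ICS-protocol visibility recommended above can take: it parses the IEC 60870-5-104 APDU/ASDU header and flags control commands (the ASDU types used to operate switches and breakers) that arrive from hosts other than the approved master station. The sample frames, host addresses and allow list are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# ASDU type IDs that write to the process: commands 45-51 and their time-tagged forms 58-64.
CONTROL_TYPE_IDS = {45: "single command", 46: "double command",
                    47: "regulating step command", 48: "set point (normalised)",
                    49: "set point (scaled)", 50: "set point (float)", 51: "bitstring command"}
CONTROL_TYPE_IDS.update({t + 13: CONTROL_TYPE_IDS[t] + " (time-tagged)" for t in range(45, 52)})

@dataclass
class Asdu:
    type_id: int
    cot: int          # cause of transmission (6 = activation)
    common_addr: int  # station (common) address
    ioa: int          # information object address of the first object

def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one IEC 104 APDU; return the ASDU header for I-frames, None for S/U-frames."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    apdu_len = data[1]
    if apdu_len + 2 > len(data):
        raise ValueError("truncated APDU")
    if data[2] & 0x01:           # bit 0 of control field 1 set: S- or U-format, no ASDU
        return None
    asdu = data[6:2 + apdu_len]
    if len(asdu) < 9:            # type ID, VSQ, COT(2), CA(2), IOA(3)
        raise ValueError("ASDU too short")
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = asdu[6] | asdu[7] << 8 | asdu[8] << 16
    return Asdu(type_id=asdu[0], cot=asdu[2] & 0x3F, common_addr=common_addr, ioa=ioa)

def flag_commands(records, allowed_masters):
    """records: (src_ip, payload) pairs; alert on command ASDUs from hosts outside the allow list."""
    alerts = []
    for src, payload in records:
        asdu = parse_apdu(payload)
        if asdu is None or asdu.type_id not in CONTROL_TYPE_IDS or src in allowed_masters:
            continue
        alerts.append(f"{src}: {CONTROL_TYPE_IDS[asdu.type_id]} COT={asdu.cot} CA={asdu.common_addr} IOA={asdu.ioa}")
    return alerts

# Constructed sample traffic (not real captures): a spontaneous single-point indication from the
# approved master, an S-frame acknowledgement, and a double command (breaker ON) from an unknown host.
SAMPLE = [
    ("10.0.5.2", bytes([0x68, 14, 0x02, 0x00, 0x04, 0x00, 1, 1, 3, 0, 1, 0, 0x64, 0, 0, 0x01])),
    ("10.0.5.2", bytes([0x68, 4, 0x01, 0x00, 0x02, 0x00])),
    ("10.0.5.77", bytes([0x68, 14, 0x02, 0x00, 0x04, 0x00, 46, 1, 6, 0, 1, 0, 0xE8, 0x03, 0x00, 0x02])),
]
```

Running `flag_commands(SAMPLE, {"10.0.5.2"})` reports only the double command from 10.0.5.77; feeding it payloads extracted from a real capture on TCP port 2404 is the intended use.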
Conclusion on CosmicEnergy ICS Malware
While CosmicEnergy does not present an immediate risk, industrial organizations should not disregard its presence. Taking proactive steps to strengthen security measures, such as restricting access and monitoring MS SQL servers, is essential to protect against potential attacks involving this type of malware. Ongoing vigilance and reassessment of firewall rules and configurations will help enhance detection and mitigation capabilities against future threats.