-


 Mandiant Identifies Novel OT Malware: COSMICENERGY


Researchers at Mandiant recently provided the public with an analysis of a recently discovered OT malware they've dubbed COSMICENERGY. The malware was uploaded to a public malware scanner in December of 2021 by someone in Russia. They believe that the malware may have been developed by a contractor for red teaming purposes for simulation of power disruption exercises hosted by Rostelecom-Solar, a Russian cybersecurity consultant company. In their blog post, Mandiant draws comparisons between this new malware and previous OT malwares like INDUSTROYER, like both malwares being deployed to impact electricity transmission and distribution through IEC-104.

COSMICENERGY contains two derivative components: PIEHOP and LIGHTWORK.

PIEHOP is a disruption tool written in Python that is able to connect to remote MSSQL servers for file upload and sending remote commands to a remote terminal unit (RTU). PIEHOPE uses LIGHTWORK to issue "ON" or "OFF" IEC-104 commands to the system before then deleting the executable.

LIGHTWORK is a disruption tool written in C++ that uses the IEC-104 protocol to change RTU states via TCP. Per Mandiant, "It crafts configurable IEC-104 Application Service Data Unit (ASDU) messages, to change the state of RTU Information Object Addresses (IOAs) to ON or OFF".


Some internal reconnaissance would be required to successfully execute COSMICENERGY as it doesn't seem to contain any discovery functionalities. The MSSQL IP address and credentials, as well as, the target IEC-104 device's IP address would need to be known prior to execution.

Russian State-Funded Exercise?

Mandiant researchers were able to find a comment in the code during their analysis that indicated the sample was using a module associated with a "Solar Polygon" project. Further investigation into this project name uncovered a match to a cyber range (aka polygon) developed by Rostelecom-Solar. This company is a Russian cybersecurity company who recently received a subsidy to train cybersecurity personnel and to conduct electric power disruption exercises. Mandiant believes, with seemingly medium confidence, that the malware may have been developed by Rostelecomm-Solar or associates to simulate actual electrical grid attacks.

Capabilities and Similarities

The blog post points out that the COSMICENERGY code and functionalities do not directly overlap with existing, or previously observed, OT malware but it's capabilities are comparable to those seen in previous incidents. They specifically point to INDUSTROYER and INDUSTROYER.V2, which was also used in the past to attack electricity transmission and distribution. "COSMICENERGY also has notable technical similarities with other OT malware families that have been developed or packaged using Python or that have utilized open-source libraries for OT protocol implementation, including IRONGATE, TRITON, and INCONTROLLER".

Mandiant highlights the following trends that could make their way into future OT malwares:
  • "Abuse of insecure by design protocols"
  • "Use of open-source libraries for protocol implementation"
  • "Use of Python for malware development and/or packaging"

See the full Mandiant blog post for the technical analysis of the COSMICENERGY components, IOCs, as well as their final thoughts. 


Comments

Post a Comment

Popular posts from this blog

-
Image
ESET's APT Activity Report Q4 2023-Q1 2024 summarizes observations of various advanced persistent threat (APT) groups documented by ESET researchers between October 2023 and March 2024. Their observations highlight the broader threat landscape investigated during this period of time and details trends, developments and tooling used by these threat actors. The public report proclaims to contain a fraction of what private ESET customers receive. China Chinese-aligned cyber espionage groups have traditionally targeted public facing applications for obtaining initial access on a target network. In many campaigns investigated by ESET and others, the groups leveraged one-day vulnerabilities against a range of appliances and software including VPNs, firewalls, Confluence, Exchange, and others. See ESETs report linked below for their detailed analysis on Chinese threat activity.  Middle East According to ESET's research, a potentially Iranian-aligned threat group BladedFeline continued...
Read more

Russian GRU Unit 29155 recent operations

-
Image
Background Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia's asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations. Figure 1 WANTED: GRU Unit 29155 [1] Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage. Primary TTPs Espionage and Data Theft Unit 29155 conducts extensive espionage ca...
Read more
-
Image
Microsoft recently released their findings after a lengthy investigation into activity conducted by the Russian state-sponsored APT28 group using a unique tool for privilege escalation and credential harvesting on victim networks. Microsoft refers to the custom tool as GooseEgg and claim that the group has been observed leveraging this tool since at least June 2020. GooseEgg The custom toolset leverages CVE-2023-38208 in the Windows Print Spooler service which changes a JavaScript constraints file and executes it with SYSTEM permissions. Based on their findings, Microsoft believes GooseEgg is deployed after initial access to elevate access to targeted systems with the end goal of harvesting credentials and data. Unsurprisingly, targeting includes Ukrainian, Western European and North American entities across several sectors including government, non-government, education and transportation. After initial access of victim device, researchers observed APT28 deploying GooseEgg to escalate...
Read more