Deadly Russian Malware With Impact Against the Industrial Power Grid
Category: Critical Infrastructure Security | Industries: Critical Infrastructure, Utilities | Source: Mandiant
Mandiant researchers analyzed a piece of Russian-linked malware, dubbed 'CosmicEnergy,' and found it was designed with capabilities to impact power grids. CosmicEnergy was spotted on VirusTotal with an upload date of December 2021, submitted from an IP address located in Russia. "The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia," said Mandiant.

A review of the malware found it is Python-based and resembles destructive malware deployed against Ukrainian energy companies: Industroyer in December 2016 and Industroyer.V2 in April 2022. CosmicEnergy is suspected to be deployed by exploiting MSSQL servers. "Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption." With dangerous implications for crucial energy supplies, OT malware poses a significant risk in the threat landscape.
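The defensive counterpart to the capability described above is monitoring IEC-104 traffic for control ASDUs (the message classes that actuate switches and breakers) arriving from hosts that are not approved master stations. The following is an added example written for this page; it is not Mandiant's code, not part of CosmicEnergy, and not a reference IEC-104 implementation. It decodes the APCI and ASDU header of IEC 60870-5-104 frames, and the allowlist of master-station IPs, the host addresses and the byte stream are all constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

# IEC 60870-5-104 ASDU type identifiers that carry process control commands
# (single/double commands, regulating step, set-points, bitstrings, with and
# without time tag). These are the message classes able to actuate switches
# and breakers, so they deserve closer scrutiny than monitoring traffic.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
    49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1",
    58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1", 61: "C_SE_TA_1",
    62: "C_SE_TB_1", 63: "C_SE_TC_1", 64: "C_BO_TA_1",
}
COT_ACTIVATION = 6  # cause of transmission "activation"


@dataclass
class Apdu:
    fmt: str                           # "I" (information), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int] = None      # ASDU type identifier (I-format only)
    cot: Optional[int] = None          # cause of transmission, low 6 bits
    common_addr: Optional[int] = None  # common address of ASDU (station)
    ioa: Optional[int] = None          # information object address of the first object


def split_apdus(stream: bytes) -> Iterator[bytes]:
    """Yield each APDU from a reassembled TCP payload (start byte 0x68, then length byte)."""
    pos = 0
    while pos + 2 <= len(stream):
        if stream[pos] != 0x68:
            raise ValueError(f"bad start byte at offset {pos}")
        apdu_len = stream[pos + 1]  # number of bytes following the length field
        end = pos + 2 + apdu_len
        if end > len(stream):
            break  # trailing partial APDU: wait for more data
        yield stream[pos:end]
        pos = end


def parse_apdu(data: bytes) -> Apdu:
    """Decode one APDU's control field and, for I-format frames, the ASDU header and first IOA."""
    if len(data) < 6 or data[0] != 0x68 or len(data) != data[1] + 2:
        raise ValueError("malformed APDU")
    ctrl = data[2]
    if ctrl & 0x01 == 0:
        fmt = "I"
    elif ctrl & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt)
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F  # bit 6 = P/N flag, bit 7 = test flag
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = int.from_bytes(asdu[6:9], "little") if len(asdu) >= 9 else None
    return Apdu("I", type_id, cot, common_addr, ioa)


def inspect_apdu(src_ip: str, data: bytes, allowed_masters: set) -> Optional[str]:
    """Return an alert when a control ASDU comes from a host outside the
    operator-supplied allowlist of master stations (hypothetical allowlist)."""
    apdu = parse_apdu(data)
    if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPE_IDS:
        return None
    if src_ip in allowed_masters:
        return None
    name = CONTROL_TYPE_IDS[apdu.type_id]
    stage = "activation" if apdu.cot == COT_ACTIVATION else f"cot={apdu.cot}"
    return (f"ALERT: {name} ({stage}) from unapproved host {src_ip} "
            f"to CA={apdu.common_addr} IOA={apdu.ioa}")


def scan_stream(src_ip: str, stream: bytes, allowed_masters: set) -> list:
    """Run inspect_apdu over every APDU in a reassembled stream and collect alerts."""
    alerts = (inspect_apdu(src_ip, d, allowed_masters) for d in split_apdus(stream))
    return [a for a in alerts if a]


# Constructed sample stream (not captured traffic): a STARTDT U-frame, a
# spontaneous single-point monitoring message (M_SP_NA_1, IOA 1), and a
# double command (C_DC_NA_1, activation) addressed to station 1, IOA 4096.
SAMPLE_STREAM = bytes.fromhex(
    "68 04 07 00 00 00"
    "68 0E 00 00 00 00 01 01 03 00 01 00 01 00 00 01"
    "68 0E 02 00 00 00 2E 01 06 00 01 00 00 10 00 02"
)

if __name__ == "__main__":
    # 10.0.0.5 is the constructed approved master; 10.0.0.99 is an unexpected sender.
    for alert in scan_stream("10.0.0.99", SAMPLE_STREAM, {"10.0.0.5"}):
        print(alert)
```

Run as a script, the block prints one alert for the double command from 10.0.0.99 and nothing for the monitoring message or the unnumbered frame; the same stream from the approved master produces no alert. In practice the allowlist would come from the substation's engineering records, and the check would sit on a span port or in a passive OT monitoring sensor rather than inline.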