Mandiant is reporting a new specialized Operational Technology (OT) malware being observed under the name COSMICENERGY. The malware targets remote terminal units (RTUs) and could cause power outages.
According to Mandiant, the COSMICENERGY malware is designed to cause power outages. To do this, the malware interacts with remote terminal units (RTUs), which are commonly used for power transmission and distribution in Europe, Asia and the Middle East.
European power distributors at risk
Mandiant suspects that a contractor of Russian cybersecurity firm Rostelecom-Solar may have developed the malware as part of a red teaming tool to simulate power outages. According to public sources, Rostelecom-Solar received subsidies from the Russian government in 2019. This was to train cybersecurity experts and conduct drills on power outages and emergency response.
With threat actors using Red Team tools and public exploitation frameworks to launch targeted cyberattacks in the wild, Mandiant believes COSMICENERGY poses a "reasonable threat to affected power assets."
Analysis of the malware and how it works shows the following results:
- COSMICENERGY is similar to the features observed in INDUSTROYER and INDUSTROYER.V2.
- COSMICENERGY shares clear technical similarities with other OT malware families such as IRONGATE, TRITON and INCONTROLLER.
- These observations suggest that the barriers to entry for offensive OT threats are getting lower.
Mandiant offers an English-language blog post on the subject.
More at Mandiant.com
About Mandiant Mandiant is a recognized leader in dynamic cyber defense, threat intelligence and incident response. With decades of experience on the cyber frontline, Mandiant helps organizations confidently and proactively defend against cyber threats and respond to attacks. Mandiant is now part of Google Cloud.