In December 2021, a new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments was uploaded to the VirusTotal public malware scanning utility by a submitter in Russia. Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY. There is no evidence that it has been put to use in the wild. "The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia," the company said. COSMICENERGY is the latest addition to specialized malware like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are capable of sabotaging critical systems and wreaking havoc. Mandiant said that there are circumstantial links that it may have been developed as a red teaming tool by Russian telecom firm Rostelecom-Solar to simulate power disruption and emergency response exercises that were held in October 2021. This raises the possibility that the malware was either developed to recreate realistic attack scenarios against energy grid assets to test defenses or another party reused code associated with the cyber range.
top of page
bottom of page