Mandiant identified COSMICENERGY, a novel OT/ICS-oriented malware designed to disrupt electric power by interacting with IEC 60870-5-104 devices (RTUs) used in power transmission and distribution. The malware appears tied to red-team activities linked to Rostelecom-Solar, with similarities to INDUSTROYER variants, and highlights how attackers may leverage publicly available tooling to threaten OT assets. #COSMICENERGY #RostelecomSolar #SolarPolygon #INDUSTROYER #SPIEF
Keypoints
- COSMICENERGY is an OT/ICS-oriented malware set aimed at disrupting power by issuing IEC-104 ON/OFF commands to RTUs.
- The malware was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia, with potential links to Rostelecom-Solar.
- The toolkit consists of PIEHOP (Python-based, PyInstaller-packaged) and LIGHTWORK (C++), which together enable remote MSSQL-based command delivery to RTUs and IEC-104 manipulation.
MITRE Techniques
- [T0831] Manipulation of Control – LIGHTWORK modifies the state of RTU IOAs to ON or OFF using IEC-104, enabling disruption of physical control. “LIGHTWORK … implements the IEC-104 protocol to modify the state of RTUs over TCP. It crafts configurable IEC-104 ASDU messages, to change the state of RTU Information Object Addresses (IOAs) to ON or OFF.”
- [T0855] Unauthorized Command Message – PIEHOP/LIGHTWORK workflow issues IEC-104 commands to RTUs to perform actions beyond normal operation. “LIGHTWORK utilizes positional command line arguments for target device, port, and IEC-104 command.”
- [T0807] Command-Line Interface – The tooling relies on CLI arguments to set target device, port, and command. “LIGHTWORK utilizes positional command line arguments for target device, port, and IEC-104 command.”
- [T0809] Data Destruction – The sample exhibits self-deletion behavior after execution, reducing forensic traces. “and then immediately deletes the executable after issuing the command.”
- [T1140] Deobfuscate/Decode Files or Information – Referenced in the report in the context of the packaging and analysis of the PyInstaller-based components (PIEHOP); the MITRE mapping is cited in Appendix E of the article.
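The IEC-104 messages described under T0831/T0855 can be recognised passively on the wire. As an added example (not code from Mandiant's report or from the LIGHTWORK/PIEHOP tooling), the parser below decodes IEC 60870-5-104 APDUs from a TCP byte stream and flags single/double command (C_SC_NA_1, type 45 / C_DC_NA_1, type 46) activations, which is the ASDU type that changes an IOA to ON or OFF; the sample frames, IOA values and common address are constructed for illustration.

```python
# Added detection example (not Mandiant's or LIGHTWORK's code); frame bytes and IOA/
# common-address values below are constructed for illustration.
START, C_SC_NA_1, C_DC_NA_1, COT_ACTIVATION = 0x68, 45, 46, 6

def iter_apdus(data):
    """Split a TCP byte stream into APDUs using the 0x68 start byte and length field."""
    pos = 0
    while pos + 2 <= len(data):
        if data[pos] != START:
            raise ValueError(f"bad start byte 0x{data[pos]:02x} at offset {pos}")
        length = data[pos + 1]
        if pos + 2 + length > len(data):
            break                                # truncated trailing frame, stop cleanly
        yield data[pos + 2:pos + 2 + length]
        pos += 2 + length

def parse_control_command(apdu):
    """Decode a C_SC_NA_1/C_DC_NA_1 ASDU from an I-format APDU; None for anything else."""
    ctrl, asdu = apdu[:4], apdu[4:]
    if ctrl[0] & 0x01 or len(asdu) < 10:        # S/U-format frame, or no information object
        return None
    type_id, cot = asdu[0], asdu[2] & 0x3F       # COT low 6 bits; bit 6 = P/N, bit 7 = test
    if type_id not in (C_SC_NA_1, C_DC_NA_1):
        return None
    qualifier = asdu[9]                          # SCO or DCO byte following the 3-byte IOA
    if type_id == C_SC_NA_1:
        state = "ON" if qualifier & 0x01 else "OFF"                   # SCS bit
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")  # DCS 0/3 not permitted
    return {
        "type_id": type_id,
        "common_addr": int.from_bytes(asdu[4:6], "little"),
        "ioa": int.from_bytes(asdu[6:9], "little"),
        "state": state, "select": bool(qualifier & 0x80), "cot": cot,  # S/E: 1=select 0=execute
    }

def find_activations(stream):
    """Return ON/OFF commands sent with COT=activation, the write path a LIGHTWORK-style tool uses."""
    cmds = (parse_control_command(a) for a in iter_apdus(stream))
    return [c for c in cmds if c and c["cot"] == COT_ACTIVATION]

# Constructed capture: single command ON/execute at IOA 256, double command OFF/select at
# IOA 5, an S-format acknowledgement, and a general interrogation (type 100) to be ignored.
SAMPLE_STREAM = bytes.fromhex(
    "680E 00000000 2D 01 0600 0100 000100 01"
    "680E 02000000 2E 01 0600 0100 050000 81"
    "6804 01000200"
    "680E 04000000 64 01 0600 0100 000000 14"
)
```

In a monitor, the returned records would be compared against the engineering workstation and HMI addresses that are allowed to issue commands; an activation from any other host is the event worth alerting on.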
Indicators of Compromise
- [File Name] context – r3_iec104_control.exe, r3_iec104_control, r3_iec104_control.py, iec104_mssql_lib.pyc, iec104_mssql_lib.py, OT_T855_IEC104_GR.exe
- [File Name] context – PIEHOP command-line example images and related components (e.g., PIEHOP main entry points and decompiled scripts)
- [Hash] context – MD5: cd8f394652db3d0376ba24a990403d20, MD5: f716b30fc3d71d5e8678cc6b81811db4
- [Hash] context – SHA1: bc07686b422aa0dd01c87ccf557863ee62f6a435, SHA1: e91e4df49afa628fba1691b7c668af64ed6b0e1d
- [Hash] context – SHA256: 358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010, SHA256: 7dc25602983f7c5c3c4e81eeb1f2426587b6c1dc6627f20d51007beac840ea2b
- [IOA Addresses] context – eight hardcoded IEC-104 IOA addresses used by LIGHTWORK (exact values not disclosed in the report)
- [IP/Network] context – MSSQL server IP addresses used for the remote upload/command channel (environment-specific; no addresses are disclosed in the report)
Read more: https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response