osintelligence · 1 year
https://bit.ly/3IGH6KB

🔍 Mandiant has identified a new operational technology (OT) malware dubbed COSMICENERGY, which was uploaded to a public malware scanning utility from Russia in December 2021. The malware aims to disrupt electric power by interacting with IEC 60870-5-104 devices such as remote terminal units (RTUs), which are commonly used in electric transmission and distribution operations in Europe, the Middle East, and Asia. #CyberSecurity #Malware #COSMICENERGY

🛠️ COSMICENERGY's capabilities are similar to those used in previous incidents, such as the INDUSTROYER malware. Interestingly, a contractor may have developed COSMICENERGY as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cybersecurity company. Such development signifies a lowered entry barrier for developing offensive OT capabilities. #CyberThreats #RedTeaming #RostelecomSolar

⚡ The attack strategy and capabilities of COSMICENERGY are reminiscent of the 2016 INDUSTROYER incident. It uses two components, PIEHOP and LIGHTWORK, to interact with RTUs, affecting the actuation of power line switches and circuit breakers and causing power disruption. However, COSMICENERGY lacks discovery capabilities, so an attacker would need to perform internal reconnaissance to obtain the environment information required for a successful attack. #CyberAttack #PIEHOP #LIGHTWORK

🔎 COSMICENERGY could be associated with Russian government-funded power disruption and emergency response exercises, as the code sample refers to a project named "Solar Polygon," developed by Rostelecom-Solar. However, the lack of concrete evidence leaves the actual purpose of COSMICENERGY uncertain. #RussianCyberSecurity #SolarPolygon

🔍 COSMICENERGY shares similarities with previous OT malware such as INDUSTROYER, IRONGATE, TRITON, and INCONTROLLER. With open-source libraries and Python becoming more commonplace in malware development, such trends may manifest in future OT malware. #OTMalware #OpenSource #Python

🛡️ While COSMICENERGY's capabilities are not notably different from those of previous OT malware, its discovery is significant. It presents an immediate threat to affected organizations and highlights a lowering of barriers to entry for offensive OT threat activity. It is therefore crucial for OT defenders and asset owners to take preventive action against COSMICENERGY to preempt possible deployment.
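A defender-side check for the behaviour described above, added here as an example (not code from the post or from Mandiant): it decodes IEC 60870-5-104 APDUs and flags single and double switching commands, the ASDU types that actuate breakers and line switches, when they come from a host outside an assumed allowlist of SCADA masters. The frames and IP addresses are constructed for this example.

```python
# Added example, not code from the post or from Mandiant: a minimal IEC 60870-5-104
# APDU decoder that flags switching commands arriving from hosts that are not on
# the (assumed) SCADA master allowlist.
import struct

# ASDU type identifiers for single and double commands.
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command"}
COT_ACTIVATION = 6  # cause of transmission 6 = activation (a write, not a confirmation)

def parse_apdu(data):
    """Decode one APDU (APCI + ASDU). Returns None for S- and U-format frames."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("malformed APCI")
    if data[2] & 0x01:                 # control field bit 0 set: S (01) or U (11) format
        return None
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    info = {"type": type_id, "n_objects": vsq & 0x7F, "cot": cot & 0x3F,
            "common_address": ca, "ioa": int.from_bytes(asdu[6:9], "little")}
    if type_id in CONTROL_TYPES and len(asdu) >= 10:
        qualifier = asdu[9]                           # SCO (type 45) or DCO (type 46)
        info["select"] = bool(qualifier & 0x80)       # S/E bit: 1 = select, 0 = execute
        info["state"] = qualifier & (0x01 if type_id == 45 else 0x03)  # SCS / DCS
    return info

def flag_control_commands(flows, allowed_masters):
    """flows: iterable of (src_ip, apdu_bytes). Returns one alert string per
    activation-phase switching command whose source is not an authorised master."""
    alerts = []
    for src, apdu in flows:
        info = parse_apdu(apdu)
        if info is None or info["type"] not in CONTROL_TYPES or info["cot"] != COT_ACTIVATION:
            continue
        if src not in allowed_masters:
            phase = "select" if info["select"] else "execute"
            alerts.append(f"{src}: {CONTROL_TYPES[info['type']]} {phase} "
                          f"CA={info['common_address']} IOA={info['ioa']} state={info['state']}")
    return alerts

# Constructed sample frames (hand-built for this example, not real captures).
DC_EXECUTE_ON = bytes.fromhex("680e02000200" "2e0106000100" "000100" "02")  # DCO: execute, ON
DC_SELECT_ON = bytes.fromhex("680e02000200" "2e0106000100" "000100" "82")   # DCO: select, ON
S_FRAME = bytes.fromhex("680401000200")                                     # S-format, no ASDU
SP_SPONT = bytes.fromhex("680e02000200" "010103000100" "000100" "01")       # M_SP_NA_1, spontaneous
SAMPLE_FLOWS = [("10.0.0.5", DC_SELECT_ON), ("10.0.0.5", DC_EXECUTE_ON), ("192.0.2.77", DC_SELECT_ON),
                ("192.0.2.77", DC_EXECUTE_ON), ("192.0.2.77", SP_SPONT), ("192.0.2.77", S_FRAME)]
```

Running `flag_control_commands(SAMPLE_FLOWS, {"10.0.0.5"})` yields two alerts, both for the select and execute double commands from 192.0.2.77, while the same commands from the allowlisted master and the monitoring frame pass silently.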