Alleged Russian CosmicEnergy Malware Potentially Affects Power Grids in Europe and Asia

Description

FortiGuard Labs is aware of a report that a new piece of malware, "CosmicEnergy", designed to disrupt electric power systems has been discovered. CosmicEnergy was specifically crafted to target IEC-104-compliant Remote Terminal Units (RTUs) used to control power transmission and distribution in Europe and Asia.


Why is this Significant?

This is significant because the new malware "CosmicEnergy" is capable of interacting with the devices responsible for managing power grids, which could lead to power outages. Reportedly, the potentially affected devices are primarily located in Europe, the Middle East and Asia.


What is CosmicEnergy?

CosmicEnergy is a new malware that is designed to disrupt devices used for managing power grids. Reportedly, the malware may have been developed as a red team tool by a Russian cyber security company for power disruption drills.

CosmicEnergy consists of two components: PIEHOP, which is designed to access an MSSQL server within the victim's network and upload files to it, and LIGHTWORK, which is capable of sending commands via the IEC-104 protocol to the connected Remote Terminal Units (RTUs).

Note that to successfully carry out an attack using CosmicEnergy, attackers must first obtain various pieces of information, such as login credentials and the IP address of the target MSSQL server, which considerably raises the bar for an attack.
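Because LIGHTWORK is reported to speak plain IEC-104 to the RTUs, a defender can watch for control-direction commands arriving from any host other than the known SCADA master. The decoder below is an added example, not code from the report or from the malware; the type identifications are taken from IEC 60870-5-101/104 itself, while the allow-listed master address and the sample APDUs are constructed for illustration.

```python
# Added example (not from the FortiGuard report): decode IEC 60870-5-104 APDUs and
# flag control-direction commands that come from a host other than the SCADA master.
import struct
from typing import Optional
# IEC 60870-5-104 type identifications for commands in the control direction.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)", 50: "C_SE_NC_1 set point (float)",
    58: "C_SC_TA_1 single command w/ time", 59: "C_DC_TA_1 double command w/ time",
}
ALLOWED_MASTERS = {"10.0.0.5"}  # constructed: the one legitimate SCADA master

def parse_apdu(data: bytes) -> dict:
    """Decode the APCI and, for I-format frames, the ASDU header and first IOA."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if data[1] + 2 != len(data):
        raise ValueError("APDU length field does not match payload size")
    ctrl0 = data[2]  # bit0 = 0 -> I-format; 0b01 -> S-format; 0b11 -> U-format
    fmt = "I" if ctrl0 & 0x01 == 0 else ("S" if ctrl0 & 0x03 == 0x01 else "U")
    frame = {"format": fmt}
    if fmt == "I":
        # ASDU header: type id, VSQ, cause of transmission, originator, common address (LE)
        type_id, vsq, cot, orig, ca = struct.unpack_from("<BBBBH", data, 6)
        frame.update(type_id=type_id, n_objects=vsq & 0x7F, cot=cot & 0x3F,
                     originator=orig, common_address=ca)
        if len(data) >= 15:  # information object address: 3 bytes, little-endian
            frame["ioa"] = int.from_bytes(data[12:15], "little")
    return frame

def check_command(src_ip: str, data: bytes) -> Optional[str]:
    """Return an alert line if a control command comes from a non-allow-listed host."""
    frame = parse_apdu(data)
    if frame["format"] != "I" or frame["type_id"] not in CONTROL_TYPE_IDS:
        return None  # monitor-direction data and S/U frames are not commands
    if src_ip in ALLOWED_MASTERS:
        return None
    return (f"ALERT {src_ip} issued {CONTROL_TYPE_IDS[frame['type_id']]} "
            f"COT={frame['cot']} CA={frame['common_address']} IOA={frame.get('ioa')}")

# Constructed samples: C_SC_NA_1 (COT=6 activation, CA=1, IOA=500, SCO=execute/on),
# M_SP_NA_1 single-point status (monitor direction), and a U-format TESTFR act.
SAMPLE_SINGLE_COMMAND = bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 f4 01 00 01")
SAMPLE_MEASUREMENT = bytes.fromhex("68 0e 00 00 00 00 01 01 03 00 01 00 f4 01 00 01")
SAMPLE_TESTFR_ACT = bytes.fromhex("68 04 43 00 00 00")

if __name__ == "__main__":  # demo run over the constructed samples
    for src in ("10.0.0.5", "10.0.0.77"):
        print(src, "->", check_command(src, SAMPLE_SINGLE_COMMAND))
```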


How Widespread is CosmicEnergy?

FortiGuard Labs is not aware of any reports of CosmicEnergy used in the wild.


What is the Status of Coverage?

FortiGuard Labs has the following AV signatures in place for the PIEHOP installer and LIGHTWORK samples called out in the report:

  • W32/Agent.HOP!tr
  • W32/Agent.ORK!tr

Outbreak Alert

A new malware called CosmicEnergy has been discovered that targets the operational technology sector. According to the reports, the malware is designed to cause electric power disruption by abusing the IEC 60870-5-104 (IEC-104) protocol, which is commonly used in electric transmission and distribution operations in Europe, the Middle East, and Asia.
