April 25, 2025
Researchers discovered the CosmicEnergy malware, which the Kremlin uses to train hackers.

May 27, 2023

This program has been compared to the capabilities of malware known as Industroyer and Industroyer2. Researchers associate the last two names with Sandworm, one of the Kremlin’s most skilled hacking groups.

What is known

  • In December 2016, Sandworm used Industroyer to cause a power outage in Kyiv. As a result, much of the city was left without electricity for an hour.
  • A year earlier, in 2015, the same method left 225,000 Ukrainians without electricity for six hours.
  • A new version, Industroyer2, appeared last year. It is believed to have been used in a third attack on Ukrainian power grids, but was discovered and stopped before it could succeed.

These attacks demonstrated the vulnerability of the electrical infrastructure and Russia’s growing ability to carry out such attacks. Industroyer stood out for its detailed knowledge of the obscure industrial protocols used by Ukrainian power grid operators. It “talked” to these systems to instruct them to de-energize and then re-energize substation lines, and could send commands to circuit breakers using any of four industrial control system protocols. The malware also contained a component that disables safety devices known as protective relays, which automatically cut power when they detect unsafe conditions that could cause catastrophic physical damage to equipment.

The researchers at Mandiant, who discovered CosmicEnergy, write:

“COSMICENERGY is the latest example of proprietary malware that can cause cyber-physical effects that are rarely detected or disclosed. COSMICENERGY is unique in that, according to our analysis, the contractor developed it as a tool for power outage training exercises run by the Russian cybersecurity company Rostelecom-Solar. Analysis of the malware and its functionality shows that its capabilities are comparable to those used in previous incidents and malware variants such as INDUSTROYER and INDUSTROYER.V2, which have been used in the past to affect the transmission and distribution of electrical power over the IEC-104 standard.

The discovery of COSMICENERGY shows that the barriers to developing offensive assets [in the area of attacks on energy infrastructure] are falling as attackers use information from previous attacks to develop new malware. Given that attackers use red-teaming tools and public frameworks for targeted activity in real-world environments, we believe COSMICENERGY poses a real threat to affected utility assets. Facility owners using IEC-104-compliant devices should take steps to prevent possible deployment of COSMICENERGY in real-world environments.”

For now, this link is circumstantial and rests mostly on hints in the code indicating that it is software developed for Kremlin-sponsored exercises. Consistent with the theory that CosmicEnergy is used in so-called Red Team exercises that simulate hostile hacking attacks, the malware has no built-in way of infiltrating a network or of obtaining the environment-specific information needed to carry out an attack. Its code contains hard-coded addresses of information objects usually associated with power line switches or circuit breakers, but these mappings would need to be configured for a specific attack, as they vary from manufacturer to manufacturer.

“Therefore, the specific actions an attacker plans to take remain unclear without additional information about the target objects,” the Mandiant researchers write.
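The hard-coded information object addresses described above suggest one defensive check for utilities that run IEC-104 devices. The following Python, added here as an example and not taken from the article or from Mandiant, parses IEC 60870-5-104 control ASDUs and flags commands addressed to points outside the site's approved breaker mapping or sent by a host other than the SCADA master; the frames, IP addresses and approved points are constructed.

```python
# Added example (constructed, not from the article): flag IEC-104 control commands sent to unapproved addresses or from non-master hosts.
CONTROL_TYPES = {45: ("C_SC_NA_1", 1), 46: ("C_DC_NA_1", 1), 47: ("C_RC_NA_1", 1),
                 48: ("C_SE_NA_1", 3), 49: ("C_SE_NB_1", 3), 50: ("C_SE_NC_1", 5),
                 51: ("C_BO_NA_1", 4)}   # command type ID -> (name, element bytes)

def parse_iec104_control(apdu):
    """(type_id, common_address, [IOA, ...]) for an I-format control APDU, else None."""
    # Reject malformed frames and S/U-format frames (bit 0 of control field set: no ASDU).
    if len(apdu) < 12 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2 or apdu[2] & 1:
        return None
    type_id, vsq = apdu[6], apdu[7]
    if type_id not in CONTROL_TYPES:         # monitoring or interrogation ASDU, not a command
        return None
    count, sq, size = vsq & 0x7F, bool(vsq & 0x80), CONTROL_TYPES[type_id][1]
    if len(apdu) < 12 + (3 + count * size if sq else count * (3 + size)):
        return None                          # truncated ASDU
    common_addr = int.from_bytes(apdu[10:12], "little")
    ioas = []
    for i in range(count):                   # SQ=0: 3-byte IOA before every element;
        off = 12 if sq else 12 + i * (3 + size)   # SQ=1: one IOA, consecutive addresses
        ioas.append(int.from_bytes(apdu[off:off + 3], "little") + (i if sq else 0))
    return type_id, common_addr, ioas

def audit_commands(records, masters, points):
    """records: (source_ip, apdu) pairs; returns one alert line per policy violation."""
    alerts = []
    for src, apdu in records:
        parsed = parse_iec104_control(apdu)
        if parsed is None:
            continue
        type_id, ca, ioas = parsed
        name = CONTROL_TYPES[type_id][0]
        if src not in masters:               # command from a host that is not the master
            alerts.append(f"{src}: {name} from unapproved host, CA {ca} IOA {ioas}")
        for ioa in ioas:                     # command to an address outside the site mapping
            if (ca, ioa) not in points:
                alerts.append(f"{src}: {name} to unmapped point CA {ca} IOA {ioa}")
    return alerts

# Constructed sample traffic, not a capture; 10.0.0.5 is the assumed SCADA master.
SAMPLE_RECORDS = [
    ("10.0.0.5", bytes.fromhex("680443000000")),                                # U-frame TESTFR: ignored
    ("10.0.0.5", bytes.fromhex("680e00000000" "010103000100" "e90300" "01")),   # M_SP_NA_1 status: ignored
    ("10.0.0.5", bytes.fromhex("680e00000000" "2d0106000100" "e90300" "01")),   # master -> IOA 1001: expected
    ("10.0.0.5", bytes.fromhex("680e00000000" "2e0106000100" "d10700" "01")),   # master -> IOA 2001: unmapped
    ("10.0.0.77", bytes.fromhex("680e00000000" "2d0106000100" "e90300" "00")),  # workstation -> IOA 1001: alert
]
APPROVED_MASTERS = {"10.0.0.5"}
APPROVED_POINTS = {(1, 1001), (1, 1002)}
```

Running `audit_commands(SAMPLE_RECORDS, APPROVED_MASTERS, APPROVED_POINTS)` yields two alerts, one for the unmapped address and one for the unapproved source host; the approved-point mapping is exactly the per-site, per-vendor table the article says an attacker would still have to obtain.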

Source: 24 TV
