posted by janrinok on Monday May 29 2023, @06:06PM   Printer-friendly
from the Morris-worm-seems-so-quaint-now dept.

Researchers uncover Russia-Linked malware that could immobilize electric grids:

Security researchers have discovered new industrial control system malware, dubbed "CosmicEnergy," which they say could be used to disrupt critical infrastructure systems and electric grids.

The malware was uncovered by researchers at Mandiant, who have likened CosmicEnergy's capabilities to the destructive Industroyer malware that the Russian state-backed "Sandworm" hacking group used to cut power in Ukraine in 2016.

Unusually, Mandiant says it uncovered CosmicEnergy through threat hunting and not following a cyberattack on critical infrastructure. The malware was uploaded to VirusTotal, a Google-owned malware and virus scanner, in December 2021 by a submitter based in Russia, according to Mandiant. The cybersecurity company's analysis shows that the malware may have been developed by Rostelecom-Solar, the cybersecurity arm of Russia's national telecom operator Rostelecom, to support exercises such as the ones hosted in collaboration with the Russian Ministry of Energy in 2021.

"A contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar," Mandiant said. "However, given the lack of conclusive evidence, we consider it also possible that a different actor — either with or without permission — reused code associated with the cyber range to develop this malware."

Mandiant says that not only do hackers regularly adapt and make use of red team tools to facilitate real-world attacks, but its analysis of CosmicEnergy reveals that the malware's functionality is also comparable to that of other malware variants targeting industrial control systems (ICS), such as Industroyer, thus posing a "plausible threat to affected electric grid assets."

Mandiant tells TechCrunch that it has not observed any CosmicEnergy attacks in the wild and notes that the malware lacks discovery capabilities, which means hackers would need to perform some internal reconnaissance to obtain environment information, such as IP addresses and credentials, before launching an attack.

However, the researchers added that because the malware targets the IEC-104, a network protocol commonly used in industrial environments that was also targeted during the 2016 attack on Ukraine's power grid, CosmicEnergy poses a real threat to organizations involved in electricity transmission and distribution.
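Since the article singles out IEC-104 as the protocol CosmicEnergy (like Industroyer) speaks, the defender's counterpart is a monitoring rule over TCP/2404 traffic. The following is an added example, not code from Mandiant's report or the article: a minimal IEC 60870-5-104 APDU parser and a rule that flags control-command activations sent by any host outside an allowlist of SCADA masters. The sample frames, IP addresses and allowlist are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

START_BYTE = 0x68
# Control-direction type IDs that change process state (IEC 60870-5-101 type identifiers).
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
                 58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1"}
COT_ACTIVATION = 6  # cause of transmission: activation

@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int
    common_addr: int
    ioa: int

def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Return the ASDU of an I-format APDU; None for S/U frames or malformed input."""
    if len(frame) < 6 or frame[0] != START_BYTE or frame[1] != len(frame) - 2:
        return None
    if frame[2] & 0x01:  # bit 0 set: S-format (..01) or U-format (..11), which carry no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 9:  # type, VSQ, 2-byte COT, 2-byte common address, 3-byte IOA
        return None
    return Asdu(type_id=asdu[0], num_objects=asdu[1] & 0x7F, cot=asdu[2] & 0x3F,
                common_addr=int.from_bytes(asdu[4:6], "little"),
                ioa=int.from_bytes(asdu[6:9], "little"))

def detect_unauthorised_controls(packets, allowed_masters) -> List[str]:
    """Alert on activation of a control command from a host outside the master allowlist."""
    alerts = []
    for src, dst, payload in packets:
        asdu = parse_apdu(payload)
        if asdu is None or asdu.type_id not in CONTROL_TYPES or asdu.cot != COT_ACTIVATION:
            continue
        if src not in allowed_masters:
            alerts.append(f"{src}->{dst} {CONTROL_TYPES[asdu.type_id]} CA={asdu.common_addr} IOA={asdu.ioa}")
    return alerts

# Constructed sample traffic: (source IP, destination IP, IEC-104 APDU bytes) on TCP/2404.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("680443000000")),                     # TESTFR act (U-frame)
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("680e000000002d010600010001100001")),  # C_SC_NA_1 from the master
    ("10.0.1.20", "10.0.0.5", bytes.fromhex("680e0000000001010300010001000001")),  # M_SP_NA_1, spontaneous
    ("10.0.0.99", "10.0.1.20", bytes.fromhex("680e000000002e010600010001100005")), # C_DC_NA_1 from unknown host
]
ALLOWED_MASTERS = {"10.0.0.5"}  # constructed allowlist of hosts permitted to issue commands
```

Running `detect_unauthorised_controls(SAMPLE_PACKETS, ALLOWED_MASTERS)` yields one alert, for the double command issued by 10.0.0.99; the same command from the allowlisted master and the RTU's spontaneous measurement pass silently.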

[...] In light of the report, the U.S. government said it was working with its Five Eyes partners to identify potential breaches. Microsoft says the group has attempted to access organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 1, Touché) by Anonymous Coward on Monday May 29 2023, @06:50PM (1 child)

    by Anonymous Coward on Monday May 29 2023, @06:50PM (#1308788)

    Mandiant says it uncovered CosmicEnergy through threat hunting and not following a cyberattack on critical infrastructure. The malware was uploaded to VirusTotal, a Google-owned malware and virus scanner, in December 2021 by a submitter based in Russia, according to Mandiant.

    Is that what we call free labor now? Threat Hunting?
    Mandiant didn't _find_ anything. They were told "look at this thing I found" by a volunteer, and now they are taking credit for it. If Mandiant calls that hunting, they'd never make it out of the stone age because they'd have died from hunger.

    • (Score: 2) by gznork26 on Monday May 29 2023, @08:11PM

      by gznork26 (1159) on Monday May 29 2023, @08:11PM (#1308797) Homepage Journal

      I guess that 'hunting' happened in their virtual in-box.

      --
      Khipu were Turing complete.
  • (Score: 1, Troll) by Mojibake Tengu on Monday May 29 2023, @10:25PM

    by Mojibake Tengu (8598) on Monday May 29 2023, @10:25PM (#1308806) Journal

    This article information is rather deliberately incomplete.

    The said exercise in 2021 was the Cyber Polygon 2021. Cyber Polygon organization itself is a spawn of WEF, World Economic Forum. You know, Klaus Schwab and the gang "own nothing, be happy, eat bugs" stuff.

    Rostelecom was only part of this exercise, as well as was IBM, ICANN, dozens of Western and Russia banks, many classical IT, industrial and energy corporations and dozens of government/national cybersecurity organizations of many nations all over the world. Including Google.

    Every one of them knows every single thing about that "malware", from protocols.

    The researchers who "uncovered" it lately must be total ignorant idiots.


    What next: attacks with JSON tokens!
    --
    Respect Authorities. Know your social status. Woke responsibly.
  • (Score: 4, Insightful) by MIRV888 on Tuesday May 30 2023, @12:55AM (1 child)

    by MIRV888 (11376) on Tuesday May 30 2023, @12:55AM (#1308816)

    I worked in natural gas supply for our city for 3 years. All the supply and distro valves were controlled from a single control center. At night it was manned by a single engineer. If an attacker gained control of the valves via that control system, they could literally destroy a large part of the natural gas supply system for the city. Dumping a 700 psi supply main on a 220 psi distribution ring would begin destroying equipment very quickly. If a knowledgeable attacker could dump 700 to residential distribution at 30 psi (it is possible to do remotely), entire neighborhoods would be in deep shit. Relief valves on a 30 psi system could not accommodate 700 psi and more stuff would start breaking / burning. Penetrated utilities are no joke.

    • (Score: 2, Interesting) by Anonymous Coward on Tuesday May 30 2023, @08:00AM

      by Anonymous Coward on Tuesday May 30 2023, @08:00AM (#1308855)

      I do not mean to take away from your very valuable points and argument because it is legit, but I want to focus attention to another often overlooked area:
      What was the physical security like for that control system, which is manned by a single engineer? Is it easier to get in there and just start mucking with the controls or is it easier to cyber your way into it?