Unearthed: CosmicEnergy, Malware For Causing Kremlin-Style Power Disruptions (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Researchers have uncovered malware designed to disrupt electric power transmission and may have been used by the Russian government in training exercises for creating or responding to cyberattacks on electric grids. Known as CosmicEnergy, the malware has capabilities that are comparable to those found in malware known as Industroyer and Industroyer2, both of which have been widely attributed by researchers to Sandworm, the name of one of the Kremlin's most skilled and cutthroat hacking groups.
Researchers from Mandiant, the security firm that found CosmicEnergy, wrote: "COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts, which are rarely discovered or disclosed. What makes COSMICENERGY unique is that based on our analysis, a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company. Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104. The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware. Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets. OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of COSMICENERGY."
Right now, the link is circumstantial and mainly limited to a comment found in the code suggesting it works with software designed for training exercises sponsored by the Kremlin. Consistent with the theory that CosmicEnergy is used in so-called Red Team exercises that simulate hostile hacks, the malware lacks the ability to burrow into a network to obtain environment information that would be necessary to execute an attack. The malware includes hardcoded information object addresses typically associated with power line switches or circuit breakers, but those mappings would have to be customized for a specific attack since they differ from manufacturer to manufacturer. "For this reason, the particular actions intended by the actor are unclear without further knowledge about the targeted assets," Mandiant researchers wrote.
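The summary above says CosmicEnergy issues IEC-104 commands to hardcoded information object addresses (IOAs) associated with switches and breakers, and that owners of IEC-104 devices should act before any deployment in the wild. One concrete defensive step is to watch the IEC 60870-5-104 traffic for control commands (single command, type ID 45; double command, type ID 46) whose IOA is not one the operator expects to be commanded. The code below is an added example written for this page, not Mandiant's analysis code and not anything from CosmicEnergy itself; the frames are constructed for illustration and the IOA allowlist is a hypothetical operator-defined set.

```python
"""IEC 60870-5-104 (IEC-104) control-command monitor.

Added example for this page. Parses I-format APDUs, decodes the ASDU header
and the information objects of single/double command ASDUs (type IDs 45/46),
and flags commands aimed at IOAs outside an operator-supplied allowlist.
"""
from typing import Dict, List, Optional

START = 0x68
C_SC_NA_1 = 45          # single command (SCO element, 1 byte)
C_DC_NA_1 = 46          # double command (DCO element, 1 byte)
COT_ACTIVATION = 6      # cause of transmission: activation
COMMAND_ELEMENT_SIZE = {C_SC_NA_1: 1, C_DC_NA_1: 1}


def parse_apdu(frame: bytes) -> Optional[Dict]:
    """Return a decoded I-format APDU, or None for S-/U-format frames.

    Raises ValueError on frames that do not look like IEC-104 at all.
    """
    if len(frame) < 6 or frame[0] != START:
        raise ValueError("not an IEC-104 APDU (bad start byte or too short)")
    if len(frame) != frame[1] + 2:
        raise ValueError("APDU length field does not match frame size")
    ctrl = frame[2:6]
    # I-format frames have bit 0 of the first control octet clear; S/U frames
    # carry no ASDU and are irrelevant for command monitoring.
    if ctrl[0] & 0x01:
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header too short")
    type_id = asdu[0]
    vsq = asdu[1]
    sq, count = bool(vsq & 0x80), vsq & 0x7F
    cot = asdu[2] & 0x3F                       # low 6 bits; bit 6 = P/N, bit 7 = test
    common_addr = int.from_bytes(asdu[4:6], "little")
    objects: List[tuple] = []
    elem_size = COMMAND_ELEMENT_SIZE.get(type_id)
    if elem_size is not None:
        pos = 6
        if sq:
            # SQ=1: one IOA followed by `count` consecutive elements
            base = int.from_bytes(asdu[pos:pos + 3], "little")
            pos += 3
            for i in range(count):
                objects.append((base + i, asdu[pos]))
                pos += elem_size
        else:
            # SQ=0: each object carries its own 3-byte IOA
            for _ in range(count):
                ioa = int.from_bytes(asdu[pos:pos + 3], "little")
                objects.append((ioa, asdu[pos + 3]))
                pos += 3 + elem_size
    return {"type_id": type_id, "cot": cot, "common_addr": common_addr,
            "objects": objects}


def describe_element(type_id: int, value: int) -> str:
    """Human-readable decode of an SCO/DCO qualifier byte."""
    select = "select" if value & 0x80 else "execute"
    if type_id == C_SC_NA_1:
        state = "ON" if value & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(value & 0x03, "invalid")
    return f"{select} {state}"


def audit_frames(frames: List[bytes], allowed_ioas: set) -> List[Dict]:
    """Flag activation commands whose IOA is not on the allowlist."""
    alerts = []
    for frame in frames:
        apdu = parse_apdu(frame)
        if apdu is None or apdu["type_id"] not in COMMAND_ELEMENT_SIZE:
            continue
        if apdu["cot"] != COT_ACTIVATION:
            continue
        for ioa, value in apdu["objects"]:
            if ioa not in allowed_ioas:
                alerts.append({"ioa": ioa, "common_addr": apdu["common_addr"],
                               "type_id": apdu["type_id"],
                               "action": describe_element(apdu["type_id"], value)})
    return alerts


# Constructed sample traffic (not captured from any real system):
FRAME_SC_SELECT = bytes.fromhex("680E000000002D010600010001000081")  # type 45, IOA 1
FRAME_DC_EXECUTE = bytes.fromhex("680E020000002E01060001003412000 2".replace(" ", ""))  # type 46, IOA 0x1234
FRAME_STARTDT = bytes.fromhex("680407000000")                        # U-format, no ASDU
FRAME_INTERROGATION = bytes.fromhex("680E04000000640106000100000000 14".replace(" ", ""))  # type 100, ignored
SAMPLE_FRAMES = [FRAME_SC_SELECT, FRAME_DC_EXECUTE, FRAME_STARTDT, FRAME_INTERROGATION]
ALLOWED_IOAS = {1}  # hypothetical: the only breaker this master is expected to command

if __name__ == "__main__":
    for alert in audit_frames(SAMPLE_FRAMES, ALLOWED_IOAS):
        print("ALERT:", alert)
```

Running the block prints a single alert for the double command sent to IOA 0x1234 (execute ON), while the allowed single command, the STARTDT frame and the general interrogation pass silently. In a real deployment the allowlist would come from the SCADA engineering database, and the same parser can be fed from a passive tap rather than the inline list.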
Paranoia (Score:1)
Industroyer
Re: (Score:3)
Industroyer
I believe a fair measure of the creativity of those names is how well they would work as band names, and I think that one is pretty good. CosmicEnergy, not so much; it's been done and they only released one album https://www.discogs.com/artist... [discogs.com]
Re: (Score:3)
Re: (Score:2)
"But yeah, developing a malware against power grids is crossing a red line russia is not willing to do, _obviously_."
Yet. It will only take the prospect of a Ukrainian victory before the Great Putini figures he has nothing left to lose.
Re: (Score:2)
"But yeah, developing a malware against power grids is crossing a red line russia is not willing to do, _obviously_."
Yet. It will only take the prospect of a Ukrainian victory before the Great Putini figures he has nothing left to lose.
Considering Ukraine just sank another Russian warship [cnn.com] and seriously damaged at least two others, victory is coming closer.
Re: (Score:1)
You folks will just believe anything. Even your own CNN article's headline is "Ukraine claims..." The words 'sank' or 'sunk' don't even appear once. It doesn't help to just lie all the time.
Re: (Score:2)
You folks will just believe anything. Even your own CNN article's headline is "Ukraine claims..." The words 'sank' or 'sunk' don't even appear once. It doesn't help to just lie all the time.
Remember when Ukraine said it sank the Moskva and Russia denied it? Remember how we've never seen another picture of the Moskva or heard from any of its crew? Yeah, that was awesome.
Re: (Score:1)
Oh look, here's confirmation from an independent source that the ship "Ukraine claimed" to have destroyed is fine. With pictures and video.
https://twitter.com/sentdefend... [twitter.com]
Don't worry though, Ukraine is winning!!!
Re: (Score:2, Interesting)
Russia has a record of hybrid warfare, including attacks on multiple entities of infrastructure in many Western countries. One of the more recent ones was a cyber attack on the German public transit.
I'm not seeing it, so reading material would be welcome. I do know that they didn't pioneer the "cyber attack on infrastructure" trick. The US ( boobytrapped tech to sabotage gas pipelines [washingtonpost.com]) and the US plus Israel (stuxnet [wikipedia.org]) are just two examples.
Also, it is currently waging an unprovoked war invading Ukraine,
Not unprovoked at all, anybody with eyes to see saw it coming years away. But do keep on repeating that party line talking point, do keep embiggening the lie, eh.
No, I'm not saying they're justified. I'm saying they weren't unprovoked. There is a difference and it is
Re: (Score:1)
Both of you fail reading comprehension again. GP doesn't say appeasing is the way.
Me, I think Russia ought to've been admitted in NATO, well before Putin ascended to power. That would have solved their strategic security problems, and would have made all the other expansion not a problem. As it is, the expansion is problematic and Russia was explicitly promised that would never happen. Repeatedly. Quite a few times, in fact. Right from the German reunification back in 1990. So yeah, NATO and the US in part
Re:Paranoia (Score:4, Interesting)
Whether Russia has a record of "hybrid warfare" depends on what you count and who you believe. It can be either very aggressive or rather passive, depending on that. Did they attack the German public transit? Are the various "private groups" agents of the Russian government? Did they actually do what various groups claim?
I don't think there's a reasonable basis (for me...or most people) to decide one way or another on those questions. But it's certainly not unreasonable to believe that Russia has been aggressively attacking various western countries in various different ways for over a decade. (It's also not unreasonable to doubt a lot of those reports.)
Re: (Score:1)
It's pretty amazing how out-and-out propaganda tends to get modded up here on /. these days, but comments like yours, which are worded in as neutral and accommodating a fashion as possible, end up getting modded down as flamebait or troll more often than not.
Re: (Score:2)
Just because you could see it coming doesn't mean it was provoked.
rant (Score:2)
please, mod this rant down, someone. Thanks!
Re: (Score:2)
Man, nobody got The Kinks reference. Oh well.
Re: (Score:1)
Bravo, Ivan, super believable.
Re: (Score:2)
Sounds more like the plot to a James Bond movie.
Re: (Score:2)
Sounds more like the plot to a James Bond movie.
Only if there's a nuke or space laser involved.
Re: (Score:2)
It sounds more like the plot from the 2003 movie "The Recruit" (https://en.wikipedia.org/wiki/The_Recruit_(film)) which involves "a highly sensitive computer virus called "ICE-9" because it transmits via the electrical grid rather than telecommunications and is easily capable of disabling all electrical devices on the planet instantly".
Re: (Score:1, Troll)
The real difference is that the CIA will still be here in ten years while Russia will only be seen in history books.
Re: (Score:2)
Russia isn't going to decide shit. They've made that obvious when they invaded Ukraine. Might as well talk to the Chinese directly, the future masters of that back country vassal state. You've fucked yourself.
Re: (Score:2)
The US and NATO should've kept their word
The idea that there was a promise not to add countries to NATO is a stupid one, repeated by stupid people [nato.int].
or at least invited Russia to NATO
Russia made it clear that they would only join NATO under unacceptable conditions [wilsoncenter.org] decades ago. Putin faked an attempt to join in 2000 [trtworld.com] but did not in fact actually apply for membership.
Re: (Score:1)
Various regimes have been saying that for what, 700 years?
Re: (Score:3)
Re: (Score:2)
You got it slightly wrong, Vlad. Whenever Kremlin denies something, it can be considered a confirmation.
Yup. Remember how Russia said they destroyed all three of the drone ships which were sent to attack the Ivan Hurs? How none of them got through. Funny that [twitter.com].
You'll also note, not a single picture of the Ivan Hurs has been shown since the attack. Wonder why.
Re: (Score:2)
Yep, this slashvertisement is step one in a false flag attack on our power grid. Pointing the finger before the event even happens.
OT stands for "operational technology" (Score:3)
just to save time for those who are not familiar with this area...
Sad about Russia. (Score:1)
There are so many discoveries they could have made for us.
Space, AI, the Basic Sciences.
Re: (Score:1)
like the Gen Z around the world, they do not want war.
Russia Russia Russia (Score:1)
While Russia may have used it, I would be extremely surprised if it was their tool originally.
We have seen repeated attacks on global infrastructure which have been blamed on hacking groups and Russia over the years, but the fingerprints consistently come back with US intelligence as the origin.