This dangerous Russian-linked malware could shut down power grids

The key difference between CosmicEnergy and Sandworm is that the former wasn’t discovered after a security incident, but rather through threat hunting. Someone from Russia uploaded the malware to VirusTotal a year and a half ago, which is where Mandiant’s researchers picked it up.

Developed for training

Apparently, the malware was developed by Rostelecom-Solar, the cybersecurity department of Rostelecom - Russia’s national telecom operator.

The initial conclusion is that the malware was designed for training purposes, likely to educate the IT department on how to behave in case an actual attack on the grid happens. The researchers said one such training was hosted in collaboration with the Russian Ministry of Energy back in 2021. 

“A contractor may have developed it as a red-teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar,” the researchers state “However, given the lack of conclusive evidence, we consider it also possible that a different actor — either with or without permission — reused code associated with the cyber range to develop this malware.”

Still, given CosmicEnergy’s functionalities, the researchers can’t exclude the possibility that the malware could be used in an actual attack.

In any case, the malware wasn’t seen in the wild, the researchers told TechCrunch. They also told the publication that the malware “lacks discovery capabilities”, meaning threat actors would first need to recon the compromised network for things like IP addresses and credentials, before being able to mount an attack.

“The discovery of new OT [operational technology] malware presents an immediate threat to affected organizations since these discoveries are rare and because the malware principally takes advantage of insecure by-design features of OT environments that are unlikely to be remedied any time soon,” the researchers concluded.

• Check out the best endpoint protection services around

Via: TechCrunch