Researchers discover new ICS malware toolkit designed to trigger electrical energy outages

[ad_1]

Over the previous few years state-sponsored attackers have been ramping up their capabilities of hitting important infrastructure like energy grids to trigger severe disruptions. A brand new addition to this arsenal is a malware toolkit that appears to have been developed for red-teaming workout routines by a Russian cybersecurity firm.

Dubbed COSMICENERGY by researchers from Mandiant, the malware can work together with distant terminal items (RTUs) and different operational know-how (OT) units that talk over the specialised IEC 60870-5-104 (IEC-104) protocol and are generally used for electrical engineering and energy automation.

“COSMICENERGY is the newest instance of specialised OT malware able to inflicting cyber bodily impacts, that are not often found or disclosed,” the Mandian researchers mentioned of their report. “Evaluation into the malware and its performance reveals that its capabilities are akin to these employed in earlier incidents and malware, resembling INDUSTROYER and INDUSTROYER.V2, which had been each malware variants deployed previously to influence electrical energy transmission and distribution through IEC-104.”

Pink group framework impressed by previous assaults

INDUSTROYER, also called Crashoverride, is a malware program that was utilized in 2016 towards the Ukrainian energy grid and left a fifth of Kyiv, the nation’s capital, with out energy for one hour. The malware reached RTUs on the OT community through MS-SQL servers that acted as information historians, then issued ON/OFF instructions through the IEC-104 to influence energy line switches and circuit breakers.

INDUSTROYER’s creation and use is attributed to Sandworm, an APT group that is believed to be a cyberwar unit inside the GRU, Russia’s navy intelligence service. In 2022, Sandworm tried one other assault towards Ukraine’s energy grid utilizing an up to date model of the malware dubbed INDUSTROYER.V2.

The brand new COSMICENERGY toolkit discovered by Mandiant was uploaded to a public malware scanning service in December 2021 by somebody in Russia. An evaluation of the code means that it was created for pink group workout routines hosted by a Russian cybersecurity firm referred to as Rostelecom-Photo voltaic that has ties to the Russian authorities.

“Though we’ve not recognized adequate proof to find out the origin or objective of COSMICENERGY, we consider that the malware was probably developed by both Rostelecom-Photo voltaic or an related social gathering to recreate actual assault situations towards vitality grid belongings,” the researchers mentioned. “It’s attainable that the malware was used to help workout routines resembling those hosted by Rostelecom-Photo voltaic in 2021 in collaboration with the Russian Ministry of Vitality or in 2022 for the St. Petersburg’s Worldwide Financial Discussion board (SPIEF).”

Rostelecom-Photo voltaic has acquired funding from the Russian authorities to coach cybersecurity consultants and conduct electrical energy disruption and emergency response workout routines. A module within the malware toolkit comprises a reference to Photo voltaic Polygon and searchers for this time period tie it to Rostelecom-Photo voltaic.

In response to Mandiant, regardless of its obvious ties to pink group workout routines, the likelihood exists that this malware toolkit has or may be repurposed for real-world assaults, together with by Russian nation-state actors which have used personal contractors earlier than to develop instruments.

Manually deployed two-component malware payload

COSMICENERGY is made up of two parts — one written in Python and one in C++. The Python-based part, which Mandiant has dubbed PIEHOP, is designed to hook up with MS-SQL servers and add information or problem instructions. As soon as linked, it deploys the second part dubbed LIGHTWORK which is designed to problem ON and OFF instructions to linked RTUs through IEC-104 over TCP.

“It crafts configurable IEC-104 Software Service Information Unit (ASDU) messages, to vary the state of RTU Data Object Addresses (IOAs) to ON or OFF,” the researchers mentioned. “LIGHTWORK makes use of positional command line arguments for goal gadget, port, and IEC-104 command.”

The IOAs correlate with inputs and outputs on RTUs, which relying on configuration and deployment might map to linked circuit breakers or energy line switches. Nevertheless, the IOAs mappings can differ between totally different RTU producers, particular person units and even environments, based on Mandiant, which suggests the attackers have to have pre-existing reconnaissance details about the deployment they’re concentrating on. The analyzed LIGHTWORK pattern had eight hard-coded IOAs, but it surely’s onerous to find out what was the attackers’ intention when issuing instructions to them with out data of the precise focused belongings.

Moreover, the PIEHOP part and the malware itself have no community discovery capabilities inbuilt, which signifies that attackers have to have already got details about the focused MSSQL servers and RTUs, resembling credentials and IP addresses, to deploy the parts efficiently. This makes it a post-intrusion toolkit.

Whereas COSMICENERGY does not share any code with earlier OT malware instruments, it does borrow methods from a number of of them, apart from INDUSTROYER: The usage of Python for OT malware growth has additionally been noticed with IRONGATE and TRITON; using open-source libraries that implement proprietary OT protocols and decrease the bar for growing such threats; and the abuse of protocols which can be insecure by design resembling IEC-104 and lack authentication or encryption mechanisms.

Methods to mitigate and detect COSMICENERGY

Whereas there is not any proof that COSMICENERGY has been utilized in assaults within the wild, the likelihood can’t be discounted and on the very least it may possibly function inspiration for different OT malware builders, identical to INDUSTROYER served as inspiration for its creators.

The Mandiant report comprises indicators of compromise and file hashes, however the firm additionally recommends that organizations conduct lively risk searching:

  • Set up assortment and aggregation of host-based logs for crown jewels methods resembling human-machine interfaces (HMI), engineering workstations (EWS), and OPC shopper servers inside their environments and evaluate logs for the proof of Python script or unauthorized code execution on these methods.
  • Determine and examine the creation, switch, and/or execution of unauthorized Python-packaged executables (e.g., PyInstaller or Py2Exe) on OT methods or methods with entry to OT assets.
  • Monitor methods with entry to OT assets for the creation of respectable non permanent folders, information, artifacts, and exterior libraries required as proof of the execution of packaged Python scripts, eg. the creation of a short lived “_MEIPASS” PyInstaller folder.
  • Monitor MSSQL Servers with entry to OT methods and networks for proof of: reconnaissance and enumeration exercise of MSSQL servers and credentials, unauthorized community connections to MSSQL servers (TCP/1433) and irregular or unauthorized authentication, enablement and utilization of SQL prolonged saved procedures for Home windows shell command execution and the switch, creation, staging, and decoding of base64 encoded executables.

Copyright © 2023 IDG Communications, Inc.

[ad_2]

Leave a Comment

Your email address will not be published. Required fields are marked *