On May 25, 2023, Mandiant published a cybersecurity alert on CosmicEnergy, a malware family targeting power system controls. It makes it possible to take control of ICS, particularly RTUs (remote terminal units), “currently used in power transport and distribution across Europe, the Middle East and Asia,” according to Mandiant.
The cybersecurity firm identified CosmicEnergy when a Russian citizen uploaded it to VirusTotal (which, like Mandiant, belongs to Google). Mandiant considers it “a plausible threat for power grid assets”. The malware is said to have features and capabilities on par with Industroyer and Industroyer V2, two malware programs attributed to Russian intelligence and designed to target power systems.
According to the researchers, a Russian cybersecurity organization called the Red Team (in charge of designing attack software to test infrastructure) may be behind CosmicEnergy. It is said to have developed the malware as part of “blackout simulation exercises organized by Rostelecom-Solar, a Russian cybersecurity firm.”
“The discovery of CosmicEnergy shows that barriers to entry for developing offensive OT capabilities are lowered as players leverage knowledge gained from previous attacks to develop new malware,” summarizes Mandiant.