Mandiant published intelligence on what is essentially the 8th known ICS-focused malware discovered. Tracked as COSMICENERGY, Mandiant assesses the malware’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident. Specifically, the malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.

COSMICENERGY is believed to have been developed for red team activity for conducting electric power disruption and emergency response exercises. However, given the lack of conclusive evidence, Mandiant reserves the possibility that a different actor may have reused code associated with the cyber range sample to develop this malware to facilitate real world attacks.

While not believed to be an active threat to U.S. critical infrastructure at this time, this activity does represent the latest example of specialized OT malware capable of causing cyber physical impacts and principally takes advantage of insecure by design features of OT environments. As such, “OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware.” Visit Mandiant for more.