Cyber-security researchers have spotted a new Russia-linked malware that is designed to cause electric power disruption by attacking critical infrastructure systems and electric grids.

Mandiant identified the malware, dubbed CosmicEnergy, which can cause electric power disruption by interacting with devices such as remote terminal units (RTUs) that are commonly used in electric transmission and distribution operations in Europe, the Middle East, and Asia.

“Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware, which were deployed in the past to impact electricity transmission and distribution,” the researchers noted in a blog post.

The team believes CosmicEnergy poses a plausible threat to affected electric grid assets.

The new malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets.


“It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom-Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the St. Petersburg International Economic Forum (SPIEF),” the report said.

While its capabilities are not significantly different from previous malware families, its discovery highlights several notable developments in the operational technology (OT) threat landscape.

“The discovery of new OT malware presents an immediate threat to affected organizations, since these discoveries are rare and because the malware principally takes advantage of insecure by-design features of OT environments that are unlikely to be remedied any time soon,” said the researchers.


Organizations in this sector should take mitigating actions against CosmicEnergy to preempt in-the-wild deployment, and to better understand the common features and capabilities that are frequently seen in OT malware, the researchers suggested.