Russian cybersecurity company Rostelecom-Solar has been linked to a new malware strain which targets industrial control systems (ICS).

Mandiant, the US-based Google Cloud subsidiary, announced the discovery of the new malware in a report released on May 25th, 2023.

Called CosmicEnergy, the malware strain was first identified in 2021 after a sample was uploaded to the VirusTotal website from a Russian IP address. It is capable of causing cyber-physical effects, i.e. shutting down critical infrastructure such as a power station.

The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia. 

Diagram showing an RTU device in association with an electrical substation
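To make the protocol interaction described above concrete from a monitoring perspective, here is an added example (not code from the article or from Mandiant's report) of a minimal IEC 60870-5-104 APDU parser that a defender can run over TCP payloads captured from the IEC-104 port (2404) and use to flag control commands sent to an RTU. It relies only on the public framing of the standard: start byte 0x68, a length byte, a 4-byte control field, then the ASDU (type identification, variable structure qualifier, cause of transmission, common address, information object address and element). Type IDs 45 (single command) and 46 (double command) are the standard's breaker-style ON/OFF commands; the sample payloads below are constructed for the example, not captured traffic, and the choice of which types to alert on is an assumption of this example.

```python
"""Parse IEC 60870-5-104 APDUs and flag process-control commands.

Added example for illustration; the sample frames are constructed, not
captured, and the alerting policy is an assumption, not Mandiant's."""
import struct
from dataclasses import dataclass
from typing import Optional

# Standard IEC 60870-5-101/104 type identifications that change process state.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 (single command)",
    46: "C_DC_NA_1 (double command)",
    47: "C_RC_NA_1 (regulating step command)",
    48: "C_SE_NA_1 (set point, normalised)",
    49: "C_SE_NB_1 (set point, scaled)",
    50: "C_SE_NC_1 (set point, float)",
}
COT_ACTIVATION = 6  # cause of transmission "activation": the controlling side is issuing the command


@dataclass
class Apdu:
    frame_type: str                  # "I" (data), "S" (supervisory) or "U" (unnumbered control)
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None        # information object address (3 bytes, little-endian)
    command: Optional[str] = None    # decoded select/execute + ON/OFF for type 45/46


def parse_apdu(buf: bytes) -> Apdu:
    """Decode one APDU; raises ValueError on malformed input rather than guessing."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    length = buf[1]                      # number of bytes after the length field
    if length < 4 or len(buf) != length + 2:
        raise ValueError("APDU length field does not match buffer size")
    ctrl = buf[2:6]
    if ctrl[0] & 0x01 == 0:              # bit0 = 0 -> I-format (carries an ASDU)
        frame_type = "I"
    elif ctrl[0] & 0x03 == 0x01:         # bits 0-1 = 01 -> S-format
        frame_type = "S"
    else:                                # bits 0-1 = 11 -> U-format (STARTDT/STOPDT/TESTFR)
        frame_type = "U"
    apdu = Apdu(frame_type)
    if frame_type != "I":
        return apdu

    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    apdu.type_id = type_id
    apdu.cot = asdu[2] & 0x3F            # low 6 bits of the first COT byte; byte 3 is the originator
    apdu.common_addr = struct.unpack_from("<H", asdu, 4)[0]
    body = asdu[6:]
    if (vsq & 0x7F) >= 1 and len(body) >= 3:
        apdu.ioa = body[0] | (body[1] << 8) | (body[2] << 16)
        if type_id == 45 and len(body) >= 4:
            sco = body[3]                # bit0 = state (1 ON / 0 OFF), bit7 = select (1) / execute (0)
            state = "ON" if sco & 0x01 else "OFF"
            apdu.command = f"{'SELECT' if sco & 0x80 else 'EXECUTE'} {state}"
        elif type_id == 46 and len(body) >= 4:
            dco = body[3]                # bits 0-1: 1 = OFF, 2 = ON, 0/3 not permitted; bit7 = select
            state = {1: "OFF", 2: "ON"}.get(dco & 0x03, "INVALID")
            apdu.command = f"{'SELECT' if dco & 0x80 else 'EXECUTE'} {state}"
    return apdu


def classify(apdu: Apdu) -> str:
    """Triage rule (assumed policy): activation of a control type is the event worth alerting on."""
    if apdu.frame_type != "I":
        return f"link-layer {apdu.frame_type}-frame"
    if apdu.type_id in CONTROL_TYPE_IDS and apdu.cot == COT_ACTIVATION:
        return (f"ALERT control command {CONTROL_TYPE_IDS[apdu.type_id]} "
                f"CA={apdu.common_addr} IOA={apdu.ioa} {apdu.command}")
    return f"info type_id={apdu.type_id} cot={apdu.cot}"


# Constructed sample payloads (hex), each a single complete APDU.
SAMPLES = {
    "startdt":      bytes.fromhex("68 04 07 00 00 00"),                                   # U-frame STARTDT act
    "interrogation": bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14"),    # C_IC_NA_1 station interrogation
    "single_off":   bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 64 00 00 00"),     # C_SC_NA_1 execute OFF, IOA 100
    "double_on":    bytes.fromhex("68 0e 00 00 00 00 2e 01 06 00 01 00 c8 00 00 82"),     # C_DC_NA_1 select ON, IOA 200
}


def triage(payloads: dict) -> dict:
    """Run every sample through the parser and return name -> verdict."""
    return {name: classify(parse_apdu(raw)) for name, raw in payloads.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```

In practice the parser would be fed reassembled TCP payloads from a span port or packet capture, and the alert rule would be tuned to the site's known control schedule: an activation of a single or double command from an unexpected source address, or outside maintenance windows, is the signal a detection engineer wants, while interrogations and link-layer keep-alives are routine background.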

In their report, Mandiant say that they identified a comment in the code indicating that the sample uploaded to VirusTotal uses a module associated with a project named “Solar Polygon”.

Searching for this string identified a single match to a cyber range developed by Rostelecom-Solar.

In 2019, Rostelecom-Solar began training cybersecurity experts and conducting electric power disruption and emergency response exercises.

Although Mandiant has not identified sufficient evidence to determine the origin or purpose of CosmicEnergy, they believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets.

It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom-Solar in 2021 in collaboration with the Russian Ministry of Energy, or in 2022 for the St. Petersburg International Economic Forum.

Mandiant consider it also possible that a different actor – either with or without permission – reused code associated with the cyber range to develop this malware.

Full technical details of the malware and how it functions can be read in the Mandiant report.