Researchers find new ICS malware toolkit designed to cause power outages

Over the past few years, state-backed attackers have been improving their ability to attack critical infrastructure like power grids to wreak havoc.

A new addition to this arsenal is a malware toolkit that appears to have been developed by a Russian cybersecurity firm for red teaming exercises.

Dubbed COSMICENERGY by Mandiant researchers, the malware can interact with remote terminal units (RTUs) and other operational technology (OT) devices that communicate via IEC 60870-5-104 (IEC-104), a specialized protocol used mainly in electrical engineering and power automation.

"COSMICENERGY is the latest example of specialized OT malware capable of inflicting cyber-physical effects that are rarely detected or disclosed," the researchers said in their report.

"Analysis of the malware and its functionality indicates that its capabilities are comparable to those used in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, both of which were deployed in the past to affect electricity transmission and distribution via IEC-104," the researchers added.

A Red Team Framework Inspired by Past Attacks

INDUSTROYER, also known as Crashoverride, is a malware program that was used to attack Ukraine's power grid in 2016, causing one-fifth of the country's capital, Kiev, to lose power for about an hour.

COSMICENERGY, for its part, reaches the RTUs on the OT network via an MS-SQL server acting as a data historian, and then issues on/off commands over IEC-104 to toggle power line switches and circuit breakers.

The creation and use of INDUSTROYER are credited to Sandworm, an APT group believed to be a cyber warfare unit within the GRU, Russia's military intelligence service.

In 2022, Sandworm attempted to attack Ukraine's power grid again using an updated malware version called INDUSTROYER.V2.

Mandiant discovered COSMICENERGY after someone in Russia uploaded the kit to a public malware scanning service in December 2021.

Analysis of the code suggested that it may have been created for a red team exercise hosted by a Russian cybersecurity firm called Rostelecom-Solar, which has ties to the Russian government.

"While we have not yet found sufficient evidence to determine the origin or purpose of COSMICENERGY, we believe the malware may have been developed by Rostelecom-Solar or an affiliated party to recreate a real attack scenario against grid assets," the researchers said.

"The malware may have been used to support exercises such as those Rostelecom-Solar hosted in 2021 in cooperation with the Russian Ministry of Energy, or for the St. Petersburg International Economic Forum (SPIEF) in 2022."

Rostelecom-Solar has received funding from the Russian government to train cybersecurity experts and conduct power outage and emergency response drills.

One module in the malware kit contained a reference to "Solar Polygon", and searching for that term links it to Rostelecom-Solar.

According to Mandiant, despite its apparent connection to red teaming exercises, this malware toolkit may already have been, or could still be, repurposed for real-world attacks; Russian nation-state actors have previously used tools developed by private contractors.

Manually deployed two-part malware payload

COSMICENERGY consists of two parts: one written in Python and one in C++. The Python-based component, called PIEHOP by Mandiant, is designed to connect to MS-SQL servers and upload files or issue commands.

Once connected, it deploys a second component called LIGHTWORK, which is designed to issue on and off commands to the connected RTU via IEC-104 over TCP.

It crafts a configurable IEC-104 Application Service Data Unit (ASDU) message to change the state of an Information Object Address (IOA) on the RTU to on or off. LIGHTWORK takes the target device, port, and IEC-104 command as positional command-line parameters.

IOAs are associated with inputs and outputs on the RTU and depending on configuration and deployment can be mapped to connected circuit breakers or power line switches. IOA mappings can differ between different RTU manufacturers, individual devices, or even environments, which means that attackers need to have pre-existing reconnaissance information about the deployment they are targeting.

The LIGHTWORK sample analyzed had eight hardcoded IOAs, but without knowing the exact target assets, it is difficult to determine the attacker's intent when issuing commands to them.
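The three paragraphs above describe what LIGHTWORK puts on the wire: an IEC-104 I-frame whose ASDU carries a control command against a specific IOA, and why the IOA numbers mean nothing without site-specific reconnaissance. The following is an added example, written for this page and not taken from LIGHTWORK, COSMICENERGY or Mandiant's report. It encodes a single command (type C_SC_NA_1) with cause of transmission "activation" following the IEC 60870-5-101/104 field layout, decodes it back, and flags any control activation the way a passive OT network sensor would. The IOA-to-asset table, the IOA values and the sequence numbers are constructed assumptions.

```python
"""Encode and decode IEC 60870-5-104 I-frames that carry control commands.

Added example, not code from COSMICENERGY/LIGHTWORK or from Mandiant.
Field layout follows IEC 60870-5-101/-104 as published; the IOA-to-asset
table is a constructed, hypothetical stand-in for the site reconnaissance
the text says an attacker needs.
"""
import struct

C_SC_NA_1 = 45          # single command: one bit, e.g. open/close a breaker
C_DC_NA_1 = 46          # double command: 1 = OFF, 2 = ON
COT_ACTIVATION = 6      # cause of transmission "activation" (a request to act)
# Every process-control type ID: C_xx_NA_1 (45-51) and time-tagged C_xx_TA_1 (58-64).
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))

# Constructed, hypothetical mapping for one RTU. Real IOA maps differ per vendor,
# device and site, which is why the attacker has to learn them beforehand.
IOA_MAP = {0x1001: "feeder F1 circuit breaker", 0x1002: "feeder F2 circuit breaker"}


def build_single_command(ioa, on, common_addr=1, select=False, ns=0, nr=0, originator=0):
    """Return one APDU (APCI + ASDU) carrying C_SC_NA_1 with COT=activation."""
    if not 0 <= ioa < (1 << 24):
        raise ValueError("IOA must fit in 3 bytes")
    sco = (1 if on else 0) | ((1 if select else 0) << 7)   # SCS = bit0, S/E = bit7, QU = 0
    asdu = struct.pack("<BBBBH", C_SC_NA_1, 1, COT_ACTIVATION, originator, common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([sco])         # VSQ = 1 object, 3-byte IOA
    control = struct.pack("<HH", ns << 1, nr << 1)           # I-format: bit0 of octet 1 is 0
    return bytes([0x68, len(control) + len(asdu)]) + control + asdu


def parse_apdu(data):
    """Decode an APDU. Objects are decoded only for C_SC_NA_1 / C_DC_NA_1 with SQ=0."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed IEC-104 APDU")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x01:                                            # S-format (..01) or U-format (..11)
        return {"format": "U" if c1 & 0x02 else "S"}
    frame = {"format": "I", "ns": (c1 >> 1) | (c2 << 7), "nr": (c3 >> 1) | (c4 << 7)}
    asdu = data[6:]
    type_id, vsq, cot, originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    frame.update(type_id=type_id, n_objects=vsq & 0x7F, sequence=bool(vsq & 0x80),
                 cot=cot & 0x3F, negative=bool(cot & 0x40), test=bool(cot & 0x80),
                 originator=originator, common_addr=common_addr, objects=[])
    if type_id not in (C_SC_NA_1, C_DC_NA_1) or frame["sequence"]:
        frame["raw_objects"] = asdu[6:]                      # element size depends on type
        return frame
    pos = 6
    for _ in range(frame["n_objects"]):
        ioa = int.from_bytes(asdu[pos:pos + 3], "little")
        elem = asdu[pos + 3]
        if type_id == C_SC_NA_1:
            state = "on" if elem & 0x01 else "off"
        else:
            state = {1: "off", 2: "on"}.get(elem & 0x03, "invalid")
        frame["objects"].append({"ioa": ioa, "state": state, "select": bool(elem & 0x80),
                                 "asset": IOA_MAP.get(ioa, "unknown (recon needed)")})
        pos += 4
    return frame


def is_control_activation(frame):
    """Detection check: an I-frame asking an outstation to act on a control point."""
    return (frame.get("format") == "I" and frame["type_id"] in CONTROL_TYPE_IDS
            and frame["cot"] == COT_ACTIVATION)


if __name__ == "__main__":
    apdu = build_single_command(0x1001, on=False, ns=3, nr=5)
    print(apdu.hex())
    decoded = parse_apdu(apdu)
    print(decoded, is_control_activation(decoded))
```

The point the parser makes explicit is the one in the text: the frame carries no authentication, so anything that can open a TCP session to port 2404 and has the right common address and IOA can issue the same "off" that the HMI would. On the defensive side, `is_control_activation` is the kind of check an OT network monitor applies to every I-frame, with the IOA and source address then compared against what the control centre is expected to send.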

Additionally, neither PIEHOP nor LIGHTWORK has any built-in network discovery capability, so attackers would need to already hold information about the targeted MSSQL server and RTU, such as credentials and IP addresses, in order to deploy the components successfully. That makes COSMICENERGY a post-compromise toolkit.

While COSMICENERGY does not share any code with previous OT malware tools, it does borrow techniques from several of them besides INDUSTROYER: IRONGATE and TRITON also used Python for OT malware development; open-source libraries lower the barrier to entry for developing such threats; and it abuses protocols such as IEC-104 that are insecure by design and lack any authentication or encryption mechanism.

How to Mitigate and Detect COSMICENERGY

While there is no evidence that COSMICENERGY has been used in attacks in the wild, the possibility should not be dismissed; at the very least it could serve as inspiration for other OT malware developers, just as INDUSTROYER apparently did for its creators.

The report includes indicators of compromise, including file hashes, and Mandiant also advises organizations to hunt proactively for the following:

  • Establish host-based collection and aggregation of logs for crown-jewel systems such as human-machine interfaces (HMIs), engineering workstations (EWS) and OPC client servers in the OT environment, and review those logs for evidence of Python scripts or other unauthorized code executing on those systems.

  • Identify and investigate the creation, transfer and/or execution of unauthorized Python-packaged executables (such as PyInstaller or Py2Exe bundles) on OT systems or on systems that have access to OT resources.

  • Monitor systems with access to OT resources for the creation of the otherwise legitimate temporary folders, files, artifacts and external libraries that betray execution of a packaged Python script, e.g. the temporary PyInstaller extraction folder (exposed to the script as "_MEIPASS" and named "_MEI" followed by digits on disk).

  • Monitor MSSQL servers with access to OT systems and networks for evidence of reconnaissance and enumeration of MSSQL servers and credentials; unauthorized network connections (TCP/1433) to MSSQL servers; irregular or unauthorized authentication; enablement of SQL extended stored procedures and their use to execute Windows shell commands; and the transfer, creation, staging and decoding of base64-encoded executables.
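The four hunting items above are each a concrete pattern in host or database logs. The following is an added example, not Mandiant's detection content and not derived from the malware, that runs those patterns over a handful of constructed log lines: a PyInstaller extraction folder being loaded from, an unexpected client connecting to TCP/1433, xp_cmdshell being switched on, and a shell spawned by the SQL Server process that decodes a base64 file. The "key=value" line format, the host names, the client allowlist and the choice of xp_cmdshell and certutil as the concrete procedure and decoder are assumptions standing in for whatever your Sysmon or SQL audit pipeline actually emits.

```python
"""Threat-hunting checks for COSMICENERGY-style tradecraft over host and SQL logs.

Added example, not code from Mandiant or from the malware. The log lines below
are constructed; their "timestamp host event key=value ..." format, the host
names, the MSSQL client allowlist, and the xp_cmdshell/certutil specifics are
assumptions, not observed indicators.
"""
import re

# Hosts expected to talk to the historian's MSSQL port (assumption for this example).
MSSQL_CLIENT_ALLOWLIST = {"HMI-01"}


def pyinstaller_unpack(host, f, allow):
    # PyInstaller one-file bundles extract to a temp dir named _MEI<digits> (sys._MEIPASS).
    paths = f.get("ImageLoaded", "") + " " + f.get("Image", "")
    return re.search(r"[\\/]_MEI\d+[\\/]", paths) is not None


def xp_cmdshell_enabled(host, f, allow):
    # Enabling the extended stored procedure that runs OS commands from T-SQL.
    return re.search(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", f.get("statement", ""), re.I) is not None


def sql_spawned_shell(host, f, allow):
    # A command shell whose parent is the SQL Server service process.
    return (f.get("ParentImage", "").lower().endswith("sqlservr.exe")
            and f.get("Image", "").lower().endswith(("cmd.exe", "powershell.exe")))


def base64_decode_to_file(host, f, allow):
    # Decoding a staged base64 blob back into an executable on the box.
    return re.search(r"certutil(\.exe)?\s+-decode\b|FromBase64String",
                     f.get("CommandLine", ""), re.I) is not None


def unexpected_mssql_client(host, f, allow):
    # TCP/1433 connection from a host that is not supposed to be an MSSQL client.
    return f.get("DestinationPort") == "1433" and host not in allow


RULES = [pyinstaller_unpack, xp_cmdshell_enabled, sql_spawned_shell,
         base64_decode_to_file, unexpected_mssql_client]


def parse_line(line):
    """Split 'timestamp host event key=value key=value ...'; values may contain spaces."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    _ts, host, event, rest = parts
    fields = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", rest))
    return host, event, fields


def hunt(lines, allow=MSSQL_CLIENT_ALLOWLIST):
    """Return (rule_name, host, line) for every rule that fires on every line."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, _event, fields = parsed
        for rule in RULES:
            if rule(host, fields, allow):
                hits.append((rule.__name__, host, line))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    r"2023-05-01T10:00:01 EWS-02 ImageLoad Image=C:\Users\eng\Downloads\svc_update.exe ImageLoaded=C:\Users\eng\AppData\Local\Temp\_MEI48122\python38.dll",
    r"2023-05-01T10:00:03 EWS-02 NetworkConnect Image=C:\Users\eng\Downloads\svc_update.exe DestinationIp=10.20.1.5 DestinationPort=1433",
    r"2023-05-01T10:00:04 SQL-HIST SqlAudit statement=EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    r"2023-05-01T10:00:05 SQL-HIST ProcessCreate Image=C:\Windows\System32\cmd.exe ParentImage=C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe CommandLine=cmd.exe /c certutil -decode C:\Temp\lw.b64 C:\Temp\lw.exe",
    r"2023-05-01T10:00:06 HMI-01 NetworkConnect Image=C:\Program Files\Historian\collector.exe DestinationIp=10.20.1.5 DestinationPort=1433",
    r"2023-05-01T10:00:07 EWS-02 ProcessCreate Image=C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for name, host, line in hunt(SAMPLE_LOGS):
        print(f"{name:24} {host:9} {line[:90]}")
```

Each rule on its own has a benign explanation (any PyInstaller-built vendor tool creates a `_MEI` folder; a DBA may enable xp_cmdshell), which is why the hits are returned together rather than alerting individually: the same engineering workstation loading a packed Python runtime and then opening a session to the historian's SQL port within seconds is the sequence worth pulling a ticket on.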


Source: blog.csdn.net/qq_29607687/article/details/130919448