New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grid
Source: securityweek
Mandiant on Thursday detailed a new piece of malware that appears to be linked to Russia and is designed to target industrial control systems (ICS), specifically in an effort to cause electric grid disruption.
Named CosmicEnergy, the latest malware family targeting operational technology (OT) is designed to interact with IEC 60870-5-104 (IEC-104) devices, sending remote commands to tamper with the actuation of power line switches and circuit breakers in an effort to cause power disruption. Mandiant believes it “poses a plausible threat to affected electric grid assets”.
IEC 60870-5-104 is a protocol for telecommunication functions for electric power systems. CosmicEnergy can use it to interact with remote terminal units (RTUs), specifically ones that are commonly used in electric transmission and distribution in regions such as Europe, the Middle East and other parts of Asia.
The malware has two main components: LightWork, which implements the IEC-104 protocol to modify ...