New ICS Malware Toolkit Aims to Cause Power Outages
Image courtesy of Christiaan Colen under Attribution-ShareAlike 2.0 Generic License, resized to 700 x 391 pixels.
Oh boy. The cybersecurity wars continue to ramp up in the utility industry thanks to a new ICS malware toolkit recently developed and launched by a group from Russia, specifically designed to cause power outages. The good news is that the toolkit has not caused any known power outages in the U.S. so far. The bad news is that more and more of these tools are popping up, which dramatically increases the risk that a large-scale, hacking-induced outage will eventually happen.
Snapshot of the New ICS Malware Toolkit
Researchers have dubbed the toolkit CosmicEnergy, and they have determined that it was uploaded to a public malware scanning service in December 2021. It is designed to interact with “remote terminal units (RTUs) and other operational technology (OT) devices that communicate over the specialized IEC 60870-5-104 (IEC-104) protocol and are commonly used for electrical engineering and power automation.”
The toolkit is similar to previous iterations of OT malware, such as Industroyer (AKA CrashOverride), which was deployed to disrupt power transmission and distribution infrastructure in Ukraine in 2016. Although the researchers have reason to believe the toolkit may have been designed to facilitate cybersecurity exercises and drills, there is no reason it could not be used for real-world attacks as well. At a minimum, it could serve as a blueprint or inspiration for other bad actors to develop an even more potent ICS malware toolkit.
The researchers recommend that energy companies conduct active threat hunting to gauge their level of risk. That involves tactics such as collecting and reviewing logs, monitoring the execution of certain executables, monitoring systems that have access to OT resources, and keeping tabs on MSSQL server activity.
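To make those hunting tactics concrete, here is an added example that is not code from the original post or from the researchers who analyzed CosmicEnergy. It runs two simple rules over a handful of constructed connection-log lines: it flags IEC-104 sessions (TCP port 2404) that originate from anything other than the known SCADA master, and it flags MSSQL connections (TCP port 1433) to an OT-side database server from hosts that are not expected to query it. The log format, the IP addresses, the host roles and the allowlists are all assumptions made up for the example; in a real hunt they would come from the utility's own asset inventory and network logs.

```python
"""Added example (not code from the original post or from the CosmicEnergy
researchers): a small threat-hunting pass over constructed connection-log
lines.  It flags IEC-104 (TCP/2404) sessions from hosts that are not known
control-system clients and MSSQL (TCP/1433) connections to an OT-side
database server from hosts that are not expected to use it.  Log format,
addresses, host roles and allowlists are all assumptions for the example."""

from dataclasses import dataclass
import re

IEC104_PORT = 2404   # IEC 60870-5-104 default TCP port
MSSQL_PORT = 1433    # Microsoft SQL Server default TCP port

# Assumed network roles (constructed for the example):
KNOWN_IEC104_CLIENTS = {"10.20.0.5"}   # the SCADA master that polls the RTUs
OT_DB_SERVERS = {"10.20.0.9"}          # historian/MSSQL server on the OT side
KNOWN_DB_CLIENTS = {"10.20.0.77"}      # engineering workstation allowed to query it

# Constructed sample log: "<timestamp> <src> <dst> <dst_port> <proto>"
SAMPLE_LOG = """\
2021-12-01T10:00:01Z 10.20.0.5  10.30.0.11 2404 tcp
2021-12-01T10:00:02Z 10.20.0.77 10.30.0.11 2404 tcp
2021-12-01T10:00:03Z 10.20.0.5  10.30.0.12 2404 tcp
2021-12-01T10:00:04Z 10.20.0.77 10.20.0.9  1433 tcp
2021-12-01T10:00:05Z 10.40.0.3  10.20.0.9  1433 tcp
2021-12-01T10:00:06Z 10.20.0.5  10.30.0.11 502  tcp
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Return (timestamp, src, dst, dst_port, proto) or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return ts, src, dst, int(port), proto


def hunt(log_text, iec104_clients=KNOWN_IEC104_CLIENTS,
         db_servers=OT_DB_SERVERS, db_clients=KNOWN_DB_CLIENTS):
    """Apply both hunting rules to every well-formed line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines instead of aborting the hunt
        ts, src, dst, port, proto = rec
        if proto != "tcp":
            continue  # both protocols of interest run over TCP
        if port == IEC104_PORT and src not in iec104_clients:
            findings.append(Finding(ts, src, dst,
                                    "IEC-104 session from non-allowlisted client"))
        if port == MSSQL_PORT and dst in db_servers and src not in db_clients:
            findings.append(Finding(ts, src, dst,
                                    "MSSQL access to OT database from unexpected host"))
    return findings


def findings_by_source(findings):
    """Group finding reasons per source host so one noisy host stands out."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.src, []).append(f.reason)
    return grouped


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}: {f.reason}")
```

On the sample log this yields two findings: the engineering workstation opening an IEC-104 session directly to an RTU, and a host from outside the OT network reaching the MSSQL historian. The allowlist approach matters more than the specific ports: in a control network the set of hosts that legitimately speak IEC-104 or talk to the OT database is small and stable, so anything outside that set is worth an analyst's attention even when the traffic itself looks well-formed.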
This is scary stuff. It seems as though every new ICS malware toolkit and hacking mechanism that gets deployed is more advanced than the previous one, and I believe it is only a matter of time before we see some real-world damage from this. Given that, one thing all utilities must do to help counteract the trend is to increase their emphasis on cyber events in emergency preparedness activities.