COSMICENERGY - power grid malware that leaked from Russian training exercises
COSMICENERGY - analysis of ICS malware discovered by Mandiant in 2023: PIEHOP and LIGHTWORK components, IEC 60870-5-104 protocol, ties to Rostelecom-Solar, and lessons for the energy sector.
December 2021. Someone in Russia uploads a file to VirusTotal - a file that goes unnoticed for a year and a half. One of thousands of samples submitted every day, nothing special. It is not until spring 2023 that analysts at Mandiant (Google Cloud) come across the artifact and realize what they are looking at: a tool capable of sending control commands to devices in electric power networks. A tool that can turn off the lights.
They named it COSMICENERGY. And although there is no evidence it has ever been used in a real attack, its very existence says something unsettling about the world we live in - the line between a training tool and a cyber weapon is paper-thin.
What COSMICENERGY is
COSMICENERGY is malware designed to interact with ICS (Industrial Control Systems) devices communicating via the IEC 60870-5-104 protocol (IEC 104 for short). This protocol is widely used in European electric power networks (and in many grids elsewhere) - it carries telecontrol commands and telemetry between dispatch centers and electrical substations. Through it, operators issue commands to open and close power circuit breakers, while RTUs (Remote Terminal Units) report the status of field devices.
COSMICENERGY can send ON and OFF commands to these devices - changing the state of circuit breakers without the operator’s knowledge or consent. In practice, this means the ability to cause power outages.
What distinguishes this malware from earlier ICS threats? It is not the product of a years-long offensive program run by a state intelligence agency. It was most likely created as a red team training tool - and that is precisely what makes it such an important warning signal.
Origin - Rostelecom-Solar and Russian exercises
Mandiant published its analysis on May 25, 2023. Researchers discovered evidence pointing to a connection between COSMICENERGY and the Russian cybersecurity firm Rostelecom-Solar (formerly Solar Security) - the cybersecurity division of telecommunications giant Rostelecom.
Key facts:
- The sample was uploaded to VirusTotal in December 2021 from a Russian IP address
- A comment in the PIEHOP code (the Python component) referenced a project codenamed “Solar Polygon” - the same term Rostelecom-Solar uses for its test environments for cyberattack simulation
- Publicly available information confirms that Rostelecom-Solar received funding from the Russian government for cybersecurity training, including simulations of power supply disruptions conducted in October 2021
Mandiant noted that it could not definitively confirm this attribution. Two scenarios are possible: COSMICENERGY was created as a training tool for incident response exercises in the energy sector, or it was developed with real offensive operations in mind, with the “exercises” serving merely as a cover.
Regardless of the creators’ intent, the code ended up in a public malware repository - and is available to anyone who knows where to look.
Architecture - PIEHOP and LIGHTWORK
COSMICENERGY consists of two components that Mandiant designated as PIEHOP and LIGHTWORK. Together they form an attack chain: from a relay server to field devices.
PIEHOP - control component (Python)
PIEHOP is a tool written in Python and packaged using PyInstaller into a Windows executable. Its purpose is to:
- Connect to a Microsoft SQL server - PIEHOP connects to a user-supplied MSSQL server that has network reach into the ICS environment; the server serves as a relay point between the attacker's foothold and the RTUs
- Upload the payload - after establishing a connection, PIEHOP uploads the LIGHTWORK component to the server
- Issue commands - PIEHOP instructs LIGHTWORK to send IEC 104 commands to specified RTUs
- Cover tracks - after completing the operation, PIEHOP deletes the LIGHTWORK file from the server
Worth noting: Mandiant analysts found logic errors in the PIEHOP code that prevent correct execution of IEC 104 commands. This suggests the malware was in a development or testing phase - not yet fully operational.
LIGHTWORK - execution component (C++)
LIGHTWORK is a tool written in C++ that implements the IEC 60870-5-104 protocol at the TCP level. It operates in two steps:
- Station interrogation - sending a C_IC_NA_1 (Station Interrogation Command) to the target station to read the current state of devices
- State change - sending C_SC_NA_1 (Single Command) commands to hardcoded IOA (Information Object Address) addresses, switching breakers to the ON or OFF position
LIGHTWORK operates directly at the application layer of the IEC 104 protocol, constructing valid ASDU (Application Service Data Unit) frames. From the RTU's perspective, these commands are indistinguishable from legitimate operator commands - the base IEC 104 protocol carries no sender authentication, only a TCP connection and send/receive sequence numbers.
Attack flow
Attacker -> PIEHOP -> MSSQL Server (OT network) -> LIGHTWORK -> RTU (IEC 104) -> Power circuit breakers
This chain assumes the attacker already has network access and MSSQL server credentials. COSMICENERGY has no reconnaissance capabilities - it does not scan networks, discover devices, or escalate privileges. It is a post-intrusion tool designed for a single task: changing the state of circuit breakers.
Timeline
| Date | Event |
|---|---|
| October 2021 | Rostelecom-Solar conducts exercises simulating disruptions to electric power networks |
| December 2021 | COSMICENERGY sample is uploaded to VirusTotal from a Russian IP address |
| May 25, 2023 | Mandiant (Google Cloud) publishes analysis of COSMICENERGY |
| May 2023 | Dragos publishes threat assessment - no immediate risk, but a warning signal |
| May 2023 | CISA and partners issue alerts regarding new ICS malware |
MITRE ATT&CK - technique mapping
COSMICENERGY does not yet have a dedicated entry in the MITRE ATT&CK database (unlike Industroyer - S0604). Based on Mandiant’s analysis, however, its behaviors can be mapped to the following ICS techniques:
| Tactic | Technique | ID | Application in COSMICENERGY |
|---|---|---|---|
| Execution | Command-Line Interface | T0807 | Launching LIGHTWORK with parameters (target IP address, port, ON/OFF command) |
| Lateral Movement | Lateral Tool Transfer | T0867 | Transferring LIGHTWORK to the MSSQL server via PIEHOP |
| Impair Process Control | Unauthorized Command Message | T0855 | Sending IEC 104 commands (C_SC_NA_1) to RTUs without operator authorization |
| Impact | Manipulation of Control | T0831 | Changing the state of power circuit breakers (ON/OFF) in electrical substations |
| Collection | Automated Collection | T0802 | Station interrogation (C_IC_NA_1) to read device state before the attack |
| Evasion | Indicator Removal on Host | T0872 | Deleting the LIGHTWORK file after completing the operation |
| Impact | Loss of Availability | T0826 | Cutting power by opening circuit breakers |
More about the MITRE ATT&CK framework and its application in OT threat analysis - in our MITRE ATT&CK guide.
COSMICENERGY among the ICS malware family
COSMICENERGY joins a growing family of malware designed to attack industrial control systems. Each new member lowers the barrier to entry:
| Malware | Year | Protocol | Complexity | Attribution |
|---|---|---|---|---|
| Stuxnet | 2010 | S7comm / Profibus-DP | Very high | USA/Israel (reported, never officially confirmed) |
| Industroyer | 2016 | IEC 104, IEC 61850, OPC DA, IEC 101 | High | Sandworm (GRU) |
| TRITON | 2017 | TriStation (Schneider) | Very high | TEMP.Veles (CNIIHM) |
| COSMICENERGY | 2021/2023 | IEC 104 | Moderate | Rostelecom-Solar (?) |
The key observation: COSMICENERGY is considerably simpler than its predecessors. Industroyer implemented four industrial protocols and included wiper and DoS modules. TRITON required reverse engineering of a proprietary protocol and a zero-day firmware exploit for the controller. COSMICENERGY is a straightforward tool by comparison - Python, C++, one protocol, no reconnaissance.
And it is precisely this simplicity that is concerning. It shows that creating malware capable of disrupting power grid operations no longer requires the resources of a state intelligence agency.
Lessons for the energy sector
1. Training tools become weapons
COSMICENERGY was most likely created as an exercise tool - but it ended up in a public malware repository. The history of cybersecurity is full of examples of red team tools that were adopted by real attackers (Cobalt Strike, Metasploit, Mimikatz). OT tools are following the same path.
TIP
Energy organizations should assume that tools of the COSMICENERGY class are available to potential attackers. Incident response exercise scenarios should include attacks on the IEC 104 protocol - not as a theoretical threat, but as a documented capability.
2. MSSQL servers in the OT network are a critical attack vector
COSMICENERGY uses a Microsoft SQL server as a relay point between the attacker and ICS devices. In many industrial installations, database servers (historian, MSSQL) sit at the boundary between IT and OT networks - making them an ideal target for lateral movement.
TIP
Verify that database servers in the OT zone have minimal privileges, network segmentation aligned with the zones and conduits model (IEC 62443), and monitoring for unusual connections and SQL queries.
3. ICS protocols still lack authentication
COSMICENERGY once again confirms a fundamental problem with industrial protocols: IEC 104 does not verify who sends a command. Any host with network access to the RTU can issue control commands. This is not a vulnerability in the usual sense - it is a design property of a protocol built in the era of physically isolated networks. The IEC 62351 extensions add TLS-based authentication and encryption for IEC 104, but they are optional, require support on both the master and the RTU, and are still rare in deployed systems.
TIP
Implement monitoring of IEC 104 traffic for anomalies: control commands (C_SC_NA_1, C_DC_NA_1, C_IC_NA_1 with cause of transmission "activation") from any host that is not a known master station, unusual command sequences such as an interrogation followed immediately by switching commands, and commands issued outside the hours or maintenance windows in which they are expected. Consider deploying IDS/IPS solutions dedicated to industrial protocols.
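The detection logic this tip calls for, as an added example that is not part of Mandiant's report or of COSMICENERGY's own code. It includes a minimal IEC 104 APDU encoder and decoder, which doubles as an illustration of the ASDU layout LIGHTWORK has to produce (the APCI header, type identifier, cause of transmission, common address, IOA and the SCO/QOI element described in the architecture section). The IP addresses, IOA numbers, timestamps, the master allowlist and the 06:00-22:00 operating window are all constructed for the example; in a real deployment the records would come from a pcap parser or an industrial IDS, and the allowlist and window from the site's engineering documentation.

```python
"""Added example (not COSMICENERGY code): a minimal IEC 60870-5-104 APDU
encoder/decoder and a detector for unauthorized IEC 104 control commands.
All addresses, IOAs and timestamps below are constructed for the example."""
from collections import namedtuple
from dataclasses import dataclass
import datetime as dt
import struct

# ASDU type identifiers from the public IEC 60870-5-101/104 standard
C_SC_NA_1 = 45    # single command: set one IOA to OFF (0) or ON (1)
C_DC_NA_1 = 46    # double command
C_IC_NA_1 = 100   # (station) interrogation command
CONTROL_TYPES = {C_SC_NA_1: "C_SC_NA_1", C_DC_NA_1: "C_DC_NA_1", C_IC_NA_1: "C_IC_NA_1"}
COT_ACTIVATION = 6  # cause of transmission "activation": a master requesting an action


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioa: int
    element: int  # QOI for C_IC_NA_1, SCO for C_SC_NA_1


def encode_i_frame(asdu: Asdu, ns: int = 0, nr: int = 0) -> bytes:
    """Build an I-format APDU: APCI (0x68, length, 4 control bytes) followed by the ASDU."""
    body = bytes([asdu.type_id, 0x01])              # type id; VSQ = one object, SQ=0
    body += bytes([asdu.cot & 0x3F, 0x00])          # COT with P/N=0, T=0; originator address 0
    body += struct.pack("<H", asdu.common_addr)     # common address of ASDU, 2 bytes LE
    body += asdu.ioa.to_bytes(3, "little")          # information object address, 3 bytes LE
    body += bytes([asdu.element])
    control = struct.pack("<HH", ns << 1, nr << 1)  # I-frame: bit 0 of the first control byte is 0
    return bytes([0x68, len(control) + len(body)]) + control + body


def single_command(ioa: int, on: bool, common_addr: int = 1, select: bool = False) -> Asdu:
    """C_SC_NA_1; SCO byte: SCS in bit 0, qualifier QU=0 in bits 2-6, S/E in bit 7."""
    sco = (1 if on else 0) | (0x80 if select else 0)
    return Asdu(C_SC_NA_1, COT_ACTIVATION, common_addr, ioa, sco)


def interrogation(common_addr: int = 1) -> Asdu:
    """C_IC_NA_1 with QOI=20 (0x14): global station interrogation, IOA 0."""
    return Asdu(C_IC_NA_1, COT_ACTIVATION, common_addr, 0, 0x14)


def decode_apdu(data: bytes):
    """Return the first information object of an I-format APDU, or None for
    S/U-format frames (which carry no ASDU) and for malformed input."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        return None
    if data[2] & 0x01:               # S-format (..01) or U-format (..11): no ASDU
        return None
    if len(data) < 16:               # APCI + ASDU header + one object with a 1-byte element
        return None
    common_addr = struct.unpack_from("<H", data, 10)[0]
    ioa = int.from_bytes(data[12:15], "little")
    return Asdu(data[6], data[8] & 0x3F, common_addr, ioa, data[15])


# Constructed stand-in for what an IDS or pcap parser hands over per TCP segment
Record = namedtuple("Record", "ts src dst payload")
Alert = namedtuple("Alert", "src dst type_name ioa on reasons")


def detect_unauthorized_commands(records, allowed_masters, window=(6, 22)):
    """Flag activation-cause control ASDUs from hosts that are not known master
    stations, or that are sent outside the operating window [start_hour, end_hour)."""
    alerts = []
    for r in records:
        asdu = decode_apdu(r.payload)
        if asdu is None or asdu.type_id not in CONTROL_TYPES or asdu.cot != COT_ACTIVATION:
            continue
        reasons = []
        if r.src not in allowed_masters:
            reasons.append("unknown master")
        if not window[0] <= r.ts.hour < window[1]:
            reasons.append("outside operating window")
        if reasons:
            # element & 1 is the SCS (ON/OFF) bit for C_SC_NA_1; it carries no meaning for C_IC_NA_1
            alerts.append(Alert(r.src, r.dst, CONTROL_TYPES[asdu.type_id],
                                asdu.ioa, asdu.element & 1, reasons))
    return alerts


# Constructed traffic: a legitimate SCADA master (10.10.1.5) and a host in the
# position of the MSSQL relay (10.10.3.40) both talk to RTU 10.20.0.7.
ALLOWED_MASTERS = {"10.10.1.5"}
T = dt.datetime(2021, 12, 1, 10, 0)
SAMPLE = [
    Record(T, "10.10.1.5", "10.20.0.7", b"\x68\x04\x07\x00\x00\x00"),        # STARTDT act (U-frame)
    Record(T, "10.10.1.5", "10.20.0.7", encode_i_frame(interrogation())),
    Record(T, "10.10.1.5", "10.20.0.7", encode_i_frame(single_command(1001, True), 1, 1)),
    Record(T.replace(hour=23), "10.10.3.40", "10.20.0.7", encode_i_frame(interrogation())),
    Record(T.replace(hour=23), "10.10.3.40", "10.20.0.7",
           encode_i_frame(single_command(1001, False), 1, 1)),                # breaker OFF
]

if __name__ == "__main__":
    for alert in detect_unauthorized_commands(SAMPLE, ALLOWED_MASTERS):
        print(alert)
```

Run stand-alone, the script prints two alerts: the interrogation and the OFF command from 10.10.3.40, each tagged both "unknown master" and "outside operating window", while the same command pair from the allowlisted master at 10:00 produces nothing. The pairing of a C_IC_NA_1 followed by a C_SC_NA_1 from the same unexpected source is exactly the two-step sequence the architecture section attributes to LIGHTWORK; a production rule would also key on that sequence rather than on single frames.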
4. Lowering the barrier to entry is a trend
From Stuxnet (requiring the resources of two nation-states) through Industroyer (intelligence agency resources) to COSMICENERGY (advanced red team level) - each successive tool is simpler to build. Python, public libraries, one protocol. The next one could be built in a garage.
TIP
Do not assume that attacks on OT infrastructure require nation-state resources. Build defenses based on capabilities, not intent. Regularly test the resilience of ICS systems against industrial protocol manipulation scenarios.
Summary
COSMICENERGY did not cause a blackout. It did not destroy any transformer. It probably never left a laboratory environment. And yet its discovery by Mandiant in May 2023 is one of the most significant events in OT security history - because it shows the direction in which threats are evolving.
When Sandworm created Industroyer, it needed months of reconnaissance, four protocol modules, and the backing of Russian military intelligence. COSMICENERGY achieves some of the same objectives with a Python script and a few hundred lines of C++ code. The barrier to entry is dropping.
For organizations managing energy infrastructure, the conclusion is clear: it is not enough to defend against Sandworm. You need to defend against anyone who can download a file from VirusTotal and read the IEC 104 documentation.
Sources
- Mandiant/Google Cloud - COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises
- Dragos - COSMICENERGY Malware Is Not an Immediate Threat to Industrial Control Systems
- The Hacker News - New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids
- BleepingComputer - New Russian-linked CosmicEnergy malware targets industrial systems
- CSO Online - Researchers find new ICS malware toolkit designed to cause electric power outages
- SecurityWeek - CosmicEnergy ICS Malware Poses No Immediate Threat, but Should Not Be Ignored
- Industrial Cyber - CosmicEnergy OT malware linked to Russian emergency response exercises