Researchers have uncovered malware designed to disrupt electric power transmission and may have been used by the Russian government in training exercises for creating or responding to cyberattacks on electric grids.
Known as CosmicEnergy, the malware has capabilities that are comparable to those found in malware known as Industroyer and Industroyer2, both of which have been widely attributed by researchers to Sandworm, the name of one of the Kremlin’s most skilled and cutthroat hacking groups. Sandworm deployed Industroyer in December 2016 to trigger a power outage in Kyiv, Ukraine, that left an estimated large swath of the city without power for an hour. The attack occurred almost a year after an earlier one disrupted power for 225,000 Ukrainians for six hours. Industroyer2 came to light last year and is believed to have been used in a third attack on Ukraine’s power grids, but it was detected and stopped before it could succeed.
The attacks illustrated the vulnerability of electric power infrastructure and Russia’s growing skill at exploiting it. The attack in 2015 used repurposed malware known as BlackEnergy. While the resulting BlackEnergy3 allowed Sandworm to successfully break into the corporate networks of Ukrainian power companies and further encroach on their supervisory control and data acquisition systems, the malware had no means to interface with operational technology gear directly.