“CosmicEnergy” Malware Built to Target Industrial Facilities
According to a report from cybersecurity firm Mandiant, a rare form of malware built to disrupt industrial facilities has surfaced, and Mandiant tentatively links it to a Russian telecom firm.
The new malware, called “CosmicEnergy”, was found on VirusTotal, the Google-owned service that scans uploaded files and URLs for malware. What makes the discovery unusual is that it came out of a threat hunt rather than the investigation of a damaging attack. Mandiant also found that the sample had been submitted from a Russian IP address.
Whether it was uploaded to the scanning service intentionally remains unknown. Either way, it joins a small and dangerous class of tools built to attack industrial control systems, alongside Stuxnet, Industroyer and Trisis. For operators of critical infrastructure, and for organizations that tools of this kind have targeted before, the discovery is a reminder that they remain exposed to both criminal and state-backed attackers.
Mandiant researchers note that finding malware of this type is very rare. As of this writing it is not clear to them whether the code was built for a real cyberattack or for an internal red-teaming exercise, and only later made its way into the wild.
Mandiant sees indicators that the malware was developed by Rostelecom-Solar, the cybersecurity arm of a major Russian telecom firm. A comment found in the code refers to “Solar Polygon”, which matches a Russian government project for an electric power distribution and emergency response exercise and cybersecurity training. “Polygon” is a term commonly used in Russia for a cyber testing range or proving ground.
CosmicEnergy also resembles Industroyer, the Russian malware used to cut power in Ukraine in December 2016; a variant, Industroyer2, was deployed in the early days of last year’s invasion of Ukraine.
According to the researchers, CosmicEnergy is surprisingly simple: it is written in Python, an easy-to-learn, developer-friendly language. It carries out its attack by sending commands to a remote terminal unit (RTU), which lets the attacker operate equipment such as a circuit breaker or a power line switch.
Daniel Zafra, a Mandiant analyst said, “By getting access to the RTU and being able to send the commands, they can just instruct the system to turn on and off. The trick is that they’re doing it in an unexpected way.”
That said, the malware has no intrusion capability of its own: an attacker would still need to obtain network access, the IP addresses of the target servers and devices, and valid credentials before it could be used against a system.
Although the malware appears to have been developed by Rostelecom-Solar, Mandiant has said it may have been created for purposes other than an exercise. Whether it was built for red-teaming or assembled by hackers, it is “not something we see every day,” according to Zafra.
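Because the malware only sends RTU commands and brings no intrusion capability of its own, a defender's best signal is the command traffic itself. Mandiant reported that CosmicEnergy speaks IEC 60870-5-104 (IEC-104), the TCP protocol used to drive RTUs in power systems. The following is an added example written for this page, not code from Mandiant or from the malware: it parses raw IEC-104 APDUs, decodes the single and double commands that switch equipment ON or OFF, and raises an alert whenever an activation command comes from a host that is not an allow-listed HMI or master station. The packet list, IP addresses, common address and information object addresses are all constructed for the demonstration.

```python
"""Parse IEC 60870-5-104 APDUs and flag control commands from unexpected masters."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import struct

# Control-direction ASDU type IDs that change process state.
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 setpoint (normalized)",
    49: "C_SE_NB_1 setpoint (scaled)", 50: "C_SE_NC_1 setpoint (float)",
    51: "C_BO_NA_1 bitstring", 58: "C_SC_TA_1 single command with time",
    59: "C_DC_TA_1 double command with time",
}
# Size of one information element (after the 3-byte IOA) for the types above.
ELEMENT_SIZE = {45: 1, 46: 1, 47: 1, 48: 3, 49: 3, 50: 5, 51: 4, 58: 8, 59: 8}
COT_ACTIVATION = 6  # cause of transmission "act": the master asks for execution


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    objects: List[Tuple[int, bytes]]  # (information object address, element bytes)


@dataclass
class Apdu:
    fmt: str                      # "I" (data), "S" (ack) or "U" (link control)
    asdu: Optional[Asdu] = None


def parse_apdu(buf: bytes, offset: int = 0) -> Tuple[Apdu, int]:
    """Parse one APDU at buf[offset:]; return it and the offset of the next one."""
    if buf[offset] != 0x68:
        raise ValueError("missing IEC-104 start byte 0x68")
    length = buf[offset + 1]                # bytes following the length byte
    ctl = buf[offset + 2:offset + 6]        # 4-byte APCI control field
    end = offset + 2 + length
    if ctl[0] & 0x01 == 0:
        fmt = "I"
    elif ctl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt), end
    body = buf[offset + 6:end]
    type_id, vsq = body[0], body[1]
    cot = body[2] & 0x3F                    # low 6 bits; bit 6 = P/N, bit 7 = test
    common_addr = struct.unpack_from("<H", body, 4)[0]
    sq, count = vsq >> 7, vsq & 0x7F        # SQ=1: one IOA then consecutive elements
    objects = []
    size = ELEMENT_SIZE.get(type_id)
    if size is not None:
        pos = 6
        if sq:
            base = int.from_bytes(body[pos:pos + 3], "little")
            pos += 3
            for i in range(count):
                objects.append((base + i, body[pos:pos + size]))
                pos += size
        else:
            for _ in range(count):
                ioa = int.from_bytes(body[pos:pos + 3], "little")
                pos += 3
                objects.append((ioa, body[pos:pos + size]))
                pos += size
    return Apdu("I", Asdu(type_id, cot, common_addr, objects)), end


def parse_stream(buf: bytes) -> List[Apdu]:
    """Split a TCP payload that may carry several back-to-back APDUs."""
    out, off = [], 0
    while off < len(buf):
        apdu, off = parse_apdu(buf, off)
        out.append(apdu)
    return out


def command_state(type_id: int, element: bytes) -> str:
    """Decode ON/OFF and select/execute from a single or double command element."""
    b = element[0]
    phase = "select" if b & 0x80 else "execute"
    if type_id in (45, 58):                  # SCO: bit 0 = single command state
        return f"{'ON' if b & 0x01 else 'OFF'} {phase}"
    if type_id in (46, 59):                  # DCO: bits 0-1, 1 = OFF, 2 = ON
        state = {1: "OFF", 2: "ON"}.get(b & 0x03, "invalid")
        return f"{state} {phase}"
    return phase


def detect_rogue_commands(packets, allowed_masters):
    """packets: [(src_ip, dst_ip, payload)]. Alert on activation commands whose
    source is not an allow-listed master station."""
    alerts = []
    for src, dst, payload in packets:
        for apdu in parse_stream(payload):
            a = apdu.asdu
            if a is None or a.type_id not in COMMAND_TYPES or a.cot != COT_ACTIVATION:
                continue
            if src in allowed_masters:
                continue
            for ioa, elem in a.objects:
                alerts.append({"src": src, "dst": dst, "type": COMMAND_TYPES[a.type_id],
                               "ca": a.common_addr, "ioa": ioa,
                               "action": command_state(a.type_id, elem)})
    return alerts


# Constructed sample traffic (not a real capture): one legitimate HMI, one rogue host.
SAMPLE = [
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("68 04 07 00 00 00")),  # U-frame STARTDT act
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14")),  # interrogation
    ("10.0.1.20", "10.0.0.5", bytes.fromhex("68 0E 00 00 02 00 01 01 03 00 01 00 E9 03 00 01")),  # RTU status
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("68 0E 02 00 02 00 2D 01 06 00 01 00 E9 03 00 01")),  # HMI: ON, IOA 1001
    ("10.0.7.99", "10.0.1.20", bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 E9 03 00 00 "
                                              "68 0E 02 00 00 00 2E 01 06 00 01 00 D2 07 00 01")),  # rogue: two OFFs
]
ALLOWED_MASTERS = {"10.0.0.5"}

if __name__ == "__main__":
    for alert in detect_rogue_commands(SAMPLE, ALLOWED_MASTERS):
        print(alert)
```

Run against the constructed traffic, the interrogation, the RTU's own status report and the HMI's ON command pass silently, while the two OFF commands from 10.0.7.99 produce alerts for IOA 1001 and IOA 2002. In a real deployment the allow-list would come from the site's asset inventory, and the same parser can feed a baseline of which master normally writes to which IOA, so that a known host issuing commands it has never issued before is also flagged.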
Story via Cyberscoop