{
	"id": "016d8473-7e65-44f2-ba5f-bc1030ae7b99",
	"created_at": "2026-04-06T00:14:23.443286Z",
	"updated_at": "2026-04-10T03:34:42.453787Z",
	"deleted_at": null,
	"sha1_hash": "8cc013d73080b70a92fcdfff41c7728441b60ef9",
	"title": "COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1494729,
	"plain_text": "COSMICENERGY: New OT Malware Possibly Related To Russian\r\nEmergency Response Exercises | Mandiant\r\nBy Mandiant\r\nPublished: 2023-05-25 · Archived: 2026-04-05 20:32:08 UTC\r\nWritten by: Ken Proska, Daniel Kapellmann Zafra, Keith Lunden, Corey Hildebrandt, Rushikesh Nandedkar, Nathan\r\nBrubaker\r\nMandiant identified novel operational technology (OT) / industrial control system (ICS)-oriented malware, which we track\r\nas COSMICENERGY, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The\r\nmalware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as\r\nremote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe,\r\nthe Middle East, and Asia.\r\nCOSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts, which are\r\nrarely discovered or disclosed. What makes COSMICENERGY unique is that based on our analysis, a contractor may have\r\ndeveloped it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber\r\nsecurity company. Analysis into the malware and its functionality reveals that its capabilities are comparable to those\r\nemployed in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, which were both malware\r\nvariants deployed in the past to impact electricity transmission and distribution via IEC-104.\r\nThe discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are\r\nlowering as actors leverage knowledge from prior attacks to develop new malware. Given that threat actors use red team\r\ntools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a\r\nplausible threat to affected electric grid assets. 
OT asset owners leveraging IEC-104 compliant devices should take action to\r\npreempt potential in the wild deployment of COSMICENERGY.\r\nCOSMICENERGY Overview\r\nCOSMICENERGY’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident,\r\nwhich issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an\r\nMSSQL server as a conduit system to access OT. Leveraging this access, an attacker can send remote commands to affect\r\nthe actuation of power line switches and circuit breakers to cause power disruption. COSMICENERGY accomplishes this\r\nvia its two derivative components, which we track as PIEHOP and LIGHTWORK (see appendices for technical analyses).\r\nPIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user-supplied remote MSSQL server for uploading files and issuing remote commands to an RTU. PIEHOP utilizes\r\nLIGHTWORK to issue the IEC-104 commands \"ON\" or \"OFF\" to the remote system and then immediately deletes\r\nthe executable after issuing the command. The sample of PIEHOP we obtained contains programming logic errors\r\nthat prevent it from successfully performing its IEC-104 control capabilities, but we believe these errors can be easily\r\ncorrected.\r\nLIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs\r\nover TCP. It crafts configurable IEC-104 Application Service Data Unit (ASDU) messages to change the state of\r\nRTU Information Object Addresses (IOAs) to ON or OFF. 
LIGHTWORK utilizes positional command line\r\narguments for target device, port, and IEC-104 command.\r\nhttps://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response\r\nPage 1 of 10\n\nFigure 1: COSMICENERGY execution chain\r\nCOSMICENERGY lacks discovery capabilities, which implies that to successfully execute an attack the malware operator\r\nwould need to perform some internal reconnaissance to obtain environment information, such as MSSQL server IP\r\naddresses, MSSQL credentials, and target IEC-104 device IP addresses. The sample of LIGHTWORK we obtained includes\r\neight hardcoded IEC-104 information object addresses (IOA), which typically correlate with input or output data elements\r\non a device and may correspond to power line switches or circuit breakers in an RTU or relay configuration. However, IOA\r\nmappings often differ between manufacturers, devices, and even environments. For this reason, the particular actions\r\nintended by the actor are unclear without further knowledge about the targeted assets.\r\nCOSMICENERGY Possibly Associated With Russian Government-Funded Power\r\nDisruption and Emergency Response Exercises\r\nDuring our analysis of COSMICENERGY, we identified a comment in the code that indicated the sample uses a module\r\nassociated with a project named “Solar Polygon” (Figure 2). 
We searched for the unique string and identified a single match\r\nto a cyber range (aka polygon) developed by Rostelecom-Solar, a Russian cyber security company that received a\r\ngovernment subsidy in 2019 to begin training cyber security experts and conducting electric power disruption and\r\nemergency response exercises.\r\nFigure 2: PIEHOP comment referring to “Solar Polygon”\r\nAlthough we have not identified sufficient evidence to determine the origin or purpose of COSMICENERGY, we believe\r\nthat the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios\r\nagainst energy grid assets. It is possible that the malware was used to support exercises such as the ones hosted by\r\nRostelecom-Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the St. Petersburg\r\nInternational Economic Forum (SPIEF).\r\nHowever, given the lack of conclusive evidence, we consider it also possible that a different actor - either with or without\r\npermission - reused code associated with the cyber range to develop this malware. Threat actors regularly adapt and make\r\nuse of red team tools - such as commercial and publicly available exploitation frameworks - to facilitate real world attacks,\r\nlike TEMP.Veles’ use of METERPRETER during the TRITON attack. There are also many examples of nation-state actors\r\nleveraging contractors to develop offensive capabilities, as shown most recently in contracts between Russia’s Ministry of\r\nDefense and NTC Vulkan. 
These observations leave open the possibility that COSMICENERGY was developed with\r\nmalicious intent, and at a minimum that it can be used to support targeted threat activity in the wild.\r\nCOSMICENERGY Shares Similarities with Existing OT Malware\r\nAlthough COSMICENERGY does not directly overlap with any previously observed malware families, its capabilities are\r\ncomparable to those employed in previous incidents and malware. The most significant similarities we identified are with\r\nINDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity\r\ntransmission and distribution. COSMICENERGY also has notable technical similarities with other OT malware families that\r\nhave been developed or packaged using Python or that have utilized open-source libraries for OT protocol implementation,\r\nincluding IRONGATE, TRITON, and INCONTROLLER. Further analyses of these similarities are available via Mandiant\r\nAdvantage.\r\nWith regards to these similarities, we highlight the following trends which could manifest in future OT malware:\r\nAbuse of insecure by design protocols: While OT-oriented malware families can be purpose built for a particular\r\ntarget environment, malware that takes advantage of insecure by design OT protocols, such as LIGHTWORK’s abuse\r\nof the IEC-104 protocol, can be modified and employed multiple times to target multiple victims.\r\nUse of open source libraries for protocol implementation: The availability of open source projects that implement OT\r\nprotocols can lower the barrier of entry for actors attempting to interact with OT devices. 
However, proprietary OT\r\nprotocols will likely continue to require custom protocol implementations.\r\nUse of Python for malware development and/or packaging: We expect to continue to observe attackers compiling or\r\npackaging their OT malware via methods such as PyInstaller (IRONGATE) or Py2Exe (TRITON) given the\r\nproliferation of OT malware developed or packaged using Python in recent years.\r\nOutlook\r\nWhile COSMICENERGY’s capabilities are not significantly different from previous OT malware families’, its discovery\r\nhighlights several notable developments in the OT threat landscape. First, the discovery of new OT malware presents an\r\nimmediate threat to affected organizations, since these discoveries are rare and because the malware principally takes\r\nadvantage of insecure by design features of OT environments that are unlikely to be remedied any time soon. Second, as\r\nCOSMICENERGY was potentially developed as part of a red team, this discovery suggests that the barriers to entry are\r\nlowering for offensive OT threat activity since we normally observe these types of capabilities limited to well resourced or\r\nstate sponsored actors. 
Lastly, we emphasize that although the samples of COSMICENERGY we obtained are potentially\r\nred team related, threat actors regularly leverage contractors and red team tools in real world threat activity, including during\r\nOT attacks.\r\nFor these reasons, OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in\r\nthe wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware.\r\nSuch knowledge can be useful when performing threat hunting exercises and deploying detections to identify malicious\r\nactivity within OT environments.\r\nIf you need support responding to related activity, please contact Mandiant Consulting. Further analysis of\r\nCOSMICENERGY is available as part of Mandiant Advantage Threat Intelligence.\r\nDiscovery Methods\r\nWe provide at-risk organizations with the following discovery methods to conduct threat hunts for tactics, techniques, and\r\nprocedures (TTPs) derived from the toolset:\r\nEstablish collection and aggregation of host-based logs for crown jewel systems such as human-machine interfaces\r\n(HMI), engineering workstations (EWS), and OPC client servers within their environments and review logs for\r\nevidence of Python script or unauthorized code execution on these systems.\r\nIdentify and investigate the creation, transfer, and/or execution of unauthorized Python-packaged executables (e.g.,\r\nPyInstaller or Py2Exe) on OT systems or systems with access to OT resources.\r\nMonitor systems with access to OT resources for the creation of legitimate temporary folders, files, artifacts, and\r\nexternal libraries required as evidence of the execution of packaged Python scripts.\r\nCreation of temporary “_MEIPASS” PyInstaller folder.\r\nMonitor MSSQL Servers with access to OT systems and networks for evidence 
of:\r\nReconnaissance and enumeration activity of MSSQL servers and credentials.\r\nUnauthorized network connections to MSSQL servers (TCP/1433) and irregular or unauthorized authentication.\r\nEnablement and usage of SQL extended stored procedures for Windows shell command execution:\r\nFigure 3: PIEHOP SQL command\r\nCertutil command usage:\r\n“certutil -hashfile”\r\n“certutil -decode”\r\nTransfer, creation, staging, and decoding of base64 encoded executables.\r\nAppendix A: COSMICENERGY Overview\r\nFilename - Description - Hashes\r\nr3_iec104_control.exe - PIEHOP PyInstaller executable\r\nMD5: cd8f394652db3d0376ba24a990403d20\r\nSHA1: bc07686b422aa0dd01c87ccf557863ee62f6a435\r\nSHA256: 358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010\r\nr3_iec104_control - PIEHOP Python compiled bytecode entry point\r\nMD5: f716b30fc3d71d5e8678cc6b81811db4\r\nSHA1: e91e4df49afa628fba1691b7c668af64ed6b0e1d\r\nSHA256: 7dc25602983f7c5c3c4e81eeb1f2426587b6c1dc6627f20d51007beac840ea2b\r\nr3_iec104_control.py - Decompiled PIEHOP entry point Python script\r\nMD5: c018c54eff8fd0b9be50b5d419d80f21\r\nSHA1: 4d7c4bc20e8c392ede2cb0cef787fe007265973b\r\nSHA256: 8933477e82202de97fb41f4cbbe6af32596cec70b5b47da022046981c01506a7\r\niec104_mssql_lib.pyc - PIEHOP Python compiled bytecode\r\nMD5: adfa40d44a58e1bc909abca444f7f616\r\nSHA1: a9b5b16769f604947b9d8262841aa3082f7d71a2\r\nSHA256: 182d6f5821a04028fe4b603984b4d33574b7824105142b722e318717a688969e\r\niec104_mssql_lib.py - Decompiled PIEHOP Python script\r\nMD5: 2b86adb6afdfa9216ef8ec2ff4fd2558\r\nSHA1: 
20c9c04a6f8b95d2f0ce596dac226d56be519571\r\nSHA256: 90d96bb2aa2414a0262d38cc805122776a9405efece70beeebf3f0bcfc364c2d\r\nOT_T855_IEC104_GR.exe - LIGHTWORK executable\r\nMD5: 7b6678a1c0000344f4faf975c0cfc43d\r\nSHA1: 6eceb78acd1066294d72fe86ed57bf43bc6de6eb\r\nSHA256: 740e0d2fba550308344b2fb0e5ecfebdd09329bdcfaa909d3357ad4fe5552532\r\nTable 1: COSMICENERGY overview\r\nAppendix B: PIEHOP Technical Analysis\r\nPIEHOP (filename: r3_iec104_control.exe) (MD5: cd8f394652db3d0376ba24a990403d20) is a disruption tool written in\r\nPython and packaged with PyInstaller version 2.1+ that has the capability to connect to a user supplied remote MSSQL\r\nserver for uploading files and issuing remote commands to an RTU.\r\nPIEHOP expects its main function to be called via another Python file, supplying either the argument control=True or\r\nupload=True. At a minimum, it requires the following arguments: oik, user, and pwd, and if called with\r\ncontrol=True, it must also be supplied with iec104:\r\nFigure 4: PIEHOP command-line example\r\nIn the sample analyzed, PIEHOP’s entry point c018c54eff8fd0b9be50b5d419d80f21 (r3_iec104_control.py) calls PIEHOP’s\r\nmain function, supplying the argument control=True. The file c018c54eff8fd0b9be50b5d419d80f21\r\n(r3_iec104_control.py) imports the \"iec104_mssql_lib\" module, which is contained within the extracted contents as\r\nadfa40d44a58e1bc909abca444f7f616 (iec104_mssql_lib.pyc):\r\nFigure 5: PIEHOP decompiled entry point\r\n2b86adb6afdfa9216ef8ec2ff4fd2558 (iec104_mssql_lib.py) implements PIEHOP’s primary capabilities and contains many\r\ndeveloper-supplied comments for the included code. 
Notably, the main function contains logic flaws that cause it to only be\r\nable to connect to an MSSQL server and upload OT_T855_IEC104_GR.exe (LIGHTWORK) to it, before immediately\r\nattempting to clean itself up.\r\nIf the main function is called with upload=True only, it will only perform its cleanup routine and immediately\r\nterminate.\r\nIf the main function is called with control=True only, it will take the path that is intended for upload=True, connect\r\nto the MSSQL server and upload OT_T855_IEC104_GR.exe.\r\nIf both upload=True and control=True are supplied to the main function, it will immediately fail due to\r\nattempting to utilize command line arguments that were not parsed yet.\r\nIf implemented correctly, PIEHOP can connect to a user supplied remote MSSQL server for uploading LIGHTWORK and\r\nissuing remote commands specifically targeting RTUs, and then delete itself. PIEHOP utilizes LIGHTWORK to execute the\r\nIEC-104 commands \"ON\" or \"OFF\" on the remote system and immediately deletes the executable after issuing the\r\ncommands.\r\nFigure 6: PIEHOP main function\r\nAppendix C: LIGHTWORK Technical Analysis\r\nLIGHTWORK (filename: OT_T855_IEC104_GR.exe) (MD5: 7b6678a1c0000344f4faf975c0cfc43d) is a disruption tool\r\nwritten in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP. It crafts configurable IEC-104\r\nASDU messages to change the state of RTU IOAs to ON or OFF. This sample works in tandem with PIEHOP, which sets\r\nup the execution. 
LIGHTWORK takes the following positional command line arguments:\r\n\u003cip_address\u003e \u003cport\u003e \u003ccommand\u003e [either ON (1) or OFF (0)]\r\nFigure 7: LIGHTWORK command line example\r\nUpon execution, LIGHTWORK begins by sending a “C_IC_NA_1 – station interrogation command” to the specified target\r\nstation, retrieving the status of the target station. Next, it sends a “C_SC_NA_1 – single command” to each hardcoded IOA\r\nto modify the state of the target station’s IOA (OFF or ON). Last, it sends a single “C_CS_NA_1 – clock synchronization\r\ncommand” to the target station, which synchronizes the remote station time clock with the time clock for the device issuing\r\nthe commands.\r\nIf executed successfully, LIGHTWORK provides the operator the following command-line output:\r\nFigure 9: LIGHTWORK usage output\r\nAppendix D: YARA Signatures\r\nrule M_Hunting_PyInstaller_PIEHOP_Module_Strings\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date = \"2023-04-11\"\r\n description = \"Searching for PyInstaller files with a custom Python script/module associated with PIEHOP.\"\r\n \r\n strings:\r\n $lib = \"iec104_mssql_lib\" ascii\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n $lib\r\n}\r\nrule M_Hunting_Disrupt_LIGHTWORK_Strings\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Searching for strings associated with IEC-104 used in LIGHTWORK.\"\r\n date = \"2023-04-19\"\r\n \r\n strings:\r\n $s1 = \"Connecting to: %s:%i\\n\" ascii wide nocase\r\n $s2 = \"Connected!\" ascii wide nocase\r\n $s3 = \"Send control command C_SC_NA_1\" ascii wide nocase\r\n $s4 = \"Connect failed!\" ascii wide nocase\r\n $s5 = \"Send time sync command\" ascii wide nocase\r\n $s6 = \"Wait ...\" ascii wide nocase\r\n $s7 = \"exit 0\" 
ascii wide nocase\r\n \r\n condition:\r\n filesize \u003c 5MB and\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n all of them\r\n}\r\nAppendix E: MITRE ATT\u0026CK\r\nT1140: Deobfuscate/Decode Files or Information\r\nAdversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require\r\nseparate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing\r\nthat include built-in functionality of malware or the use of utilities present on the system.\r\nT0807: Command-Line Interface\r\nAdversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a\r\nmeans of interacting with computer systems and are a common feature across many types of platforms and devices within\r\ncontrol systems environments. Adversaries may also use CLIs to install and run new software, including malicious tools that\r\nmay be installed over the course of an operation.\r\nT0809: Data Destruction\r\nAdversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools,\r\nor other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such\r\nnon-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard\r\npart of the post-intrusion cleanup process.\r\nT0831: Manipulation of Control\r\nAdversaries may manipulate physical process control within the industrial environment. Methods of manipulating control\r\ncan include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or\r\npossibly leverage their own, to communicate with and command physical control processes. 
The duration of manipulation\r\nmay be temporary or longer sustained, depending on operator detection.\r\nT0855: Unauthorized Command Message\r\nAdversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their\r\nintended functionality, or without the logical preconditions to trigger their expected function. Command messages are used\r\nin ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command\r\nmessage to a control system, then it can instruct the control systems device to perform an action outside the normal bounds\r\nof the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause\r\nan Impact.\r\nSource: https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response"
	],
	"report_names": [
		"cosmicenergy-ot-malware-russian-response"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434463,
	"ts_updated_at": 1775792082,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8cc013d73080b70a92fcdfff41c7728441b60ef9.pdf",
		"text": "https://archive.orkl.eu/8cc013d73080b70a92fcdfff41c7728441b60ef9.txt",
		"img": "https://archive.orkl.eu/8cc013d73080b70a92fcdfff41c7728441b60ef9.jpg"
	}
}