Russian IP address uploaded malware targeting critical infrastructure, Mandiant reports

The malware has not been employed in any cyberattacks so far.

 Game, Toy

Mandiant security researchers report that on 21 December, an unidentified user from a Russian IP address uploaded a perplexing malware onto Google’s VirusTotal, a virus scanning service. Researchers note that this malware is specifically engineered to disrupt and inflict harm upon critical infrastructure systems, including power grids.

Mandiant has labelled this malware as CosmicEnergy, noting its resemblance to Industroyer, a tool previously employed by Russia to target Ukraine’s energy infrastructure in 2022 and 2016.

The researchers at Mandiant have suggested that CosmicEnergy has connections to Russia. Within the code, they discovered a comment linking it to a project called ‘Solar Polygon’, organized by Rostelecom, Russia’s largest telecommunications company, focusing on training cybersecurity specialists.

While researchers currently lack sufficient evidence to determine the exact origin or purpose of CosmicEnergy, the discovery is worrisome due to the potential for hackers to repurpose the malware and direct it toward existing critical infrastructure facilities. As of now, CosmicEnergy has not been employed in any cyberattacks.