The Dragos Blog

06.09.23 | 1 min read

COSMICENERGY Malware Is Not an Immediate Threat to Industrial Control Systems

Dragos, Inc.

Dragos recently analyzed the new industrial control systems (ICS) malware dubbed COSMICENERGY by Mandiant on May 25, 2023. This malware, designed to target IEC 104 devices, exploits existing Microsoft SQL (MS SQL) servers that are connected to remote terminal units (RTUs). Dragos Threat Intelligence independently analyzed the malware and, counter to media headlines claiming power-disruption or grid-crippling abilities, concluded that COSMICENERGY is not an immediate threat to operational technology.

Providing complete and accurate threat intelligence on threats to industrial infrastructure is part of the Dragos mission. Our expert threat intelligence team analyzes and produces technical reporting on all malware threats specific to ICS and operational technology (OT) for Dragos WorldView Threat Intelligence customers that reflects the unique realities of industrial operations. When it becomes necessary, we share what we know with the public to help the ICS/OT community assess their level of risk and implement the right mitigations. 

In our public intelligence brief, COSMICENERGY – Not an Immediate Threat, we provide an analysis of this latest malware discovery and how it compares to other, more concerning threats such as CRASHOVERRIDE and Industroyer2.

A full report is available to Dragos WorldView Threat Intelligence customers. 

Our Key Findings

  • COSMICENERGY is not an immediate threat to operational technology. 
  • The overall codebase of COSMICENERGY lacks maturity, contains errors, and is far from being a full-fledged attack capability like Industroyer2 or CRASHOVERRIDE. 
  • Analysis indicates that the tool is likely part of a training exercise or for use in detection development. 
  • There is no evidence that COSMICENERGY is being deployed in the wild. 
  • Operators should reach out to vendors to see if software packages include MS SQL. 
  • Operators should ensure they have network monitoring in place, watch for xp_cmdshell alerts, and out of an abundance of caution, audit their MS SQL Servers. 
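One way to act on the xp_cmdshell recommendation above, as an added example that is not Dragos code: a small scanner over SQL Server ERRORLOG lines that flags the configuration-change message SQL Server writes when xp_cmdshell (or a precursor option) is switched on. The message text is the standard sp_configure notice; the sample log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# ERRORLOG message SQL Server writes whenever sp_configure changes a server option.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enablement gives a database session a path to the OS;
# 'show advanced options' must be switched on before xp_cmdshell can be.
WATCHED = {"xp_cmdshell", "Ole Automation Procedures", "show advanced options"}

@dataclass
class Finding:
    timestamp: datetime
    spid: str
    option: str
    old: int
    new: int
    severity: str

def scan_errorlog(lines):
    """Return a Finding for each watched option switched from 0 to 1.
    'show advanced options' is a low-severity precursor; the rest are high."""
    findings = []
    for line in lines:
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        option, old, new = m.group("option"), int(m.group("old")), int(m.group("new"))
        if option not in WATCHED or (old, new) != (0, 1):
            continue
        severity = "low" if option == "show advanced options" else "high"
        findings.append(Finding(
            timestamp=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            spid=m.group("spid"), option=option, old=old, new=new, severity=severity))
    return findings

# Constructed sample lines in ERRORLOG layout (not from any real host).
SAMPLE_LOG = [
    "2023-05-25 10:14:58.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2023-05-25 10:15:02.43 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2023-05-25 10:15:30.00 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
    "2023-05-25 10:16:00.00 spid12      Starting up database 'tempdb'.",
]
```

A finding with severity "high" on an MS SQL host that sits next to an RTU is the alert worth investigating; pairing it with the instance's current `sys.configurations` values covers the audit step as well.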

We want to help you break through the hype with actionable defensive recommendations. Download our public intelligence brief for a technical analysis of these cyber programs and their potential impacts on ICS/OT environments.
