Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.
Below: Pegasus spyware was detected for the first time in an international conflict, and the U.S. Army has a proposition for AI supply chains. First:
Russia-connected CosmicEnergy discovery adds to disturbing trend of malware that can do physical damage
Researchers have discovered a Russia-linked malware strain that they say is designed to disrupt electrical power generation and capable of causing physical harm.
Dubbed “CosmicEnergy,” the malware specializes in targeting operational technology (OT) that monitors or controls industrial systems, according to researchers at Mandiant, which is owned by Google.
The discovery adds to a small but growing catalogue of malware capable of triggering physical impacts, “which are rarely discovered or disclosed,” Mandiant said in a blog post Thursday.
It’s but one of the oddities about the strain of malware.
One of those oddities is that Mandiant found CosmicEnergy on VirusTotal, a popular Google-owned site that lets users submit malware for analysis, instead of while analyzing an attack. A submitter from Russia put it on VirusTotal in December 2021.
Another oddity is that it looks as though developers might have originally conceived it as a cybersecurity testing tool.
“What makes COSMICENERGY unique is that based on our analysis, a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company,” Mandiant said in its blog post. (“Red teams” at companies play the role of the attackers in testing scenarios, and “blue teams” act as defenders.) Rostelecom is a major Russian digital services provider.
It’s also possible, however, that someone developed CosmicEnergy with malicious intentions, Mandiant said.
It’s unclear why someone would upload CosmicEnergy to VirusTotal.
“Threat actors sometimes upload the files themselves to determine anti-virus detection rates so they can get a sense of how stealthy the malware is,” Keith Lunden, Mandiant analysis manager at Google Cloud, said in an emailed statement. “It’s possible the internal cyber security team at the malware developer’s company uploaded the malware by mistake as a security precaution. It’s also possible that a blue teamer uploaded it during an emergency response exercise in which it was deployed.”
Because of how ComicEneregy was developed, Mandiant is troubled.
“The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware,” the blog post states. “Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets.”
It’s also unclear who else might have had access to CosmicEnergy.
“It is possible that other participants have obtained this malware as part of an emergency response exercise,” Lunden told me. “We are also aware of instances in which the Russian Government has leveraged contractors to develop malware for them. We don’t have direct evidence in this instance, but it is a distinct possibility.”
Inner workings and trends
One shortcoming of the malware, though, is that it has no discovery capabilities of its own, meaning hackers using it would have to do their own reconnaissance to obtain things like IP addresses, according to Mandiant.
But CosmicEnergy is also “surprisingly simple,” Christian Vasquez of CyberScoop wrote, paraphrasing Mandiant analyst Daniel Zafra. One reason is because it’s written in an easy-to-learn programming language.
Mandiant said CosmicEnergy’s capabilities are similar to that of the Industroyer malware and a variant, Industroyer2.
- Industroyer was used in a 2016 attack in Ukraine that knocked out power in parts of Kyiv for an hour.
- An Industroyer2 attack on Ukraine at the start of the Russian invasion was thwarted.
- Russian hackers are believed to be behind both attacks, and for developing the destructive operational technology malware Trisis.
- But Russia isn’t the only nation to develop malware capable of causing ramifications in the physical world. The United States and Israel reportedly collaborated to create Stuxnet, which destroyed Iranian nuclear centrifuges more than a decade ago.
The emergence of CosmicEnergy points to a disturbing trend, said Dave DeWalt, founder and managing director of the cybersecurity-focused venture capital firm NightDragon.
“You have all this cyber-meets-physical and then physical-meets-cyber convergence, which is creating another level of danger,” DeWalt said.
- The potential for physical harm is levels “higher than espionage or crime,” he said. “This is warfare elements.”
- “There’s a lot of motivation now. There’s a lot of capability now,” DeWalt said. “And now the areas that we’re targeting are of serious consequence.”
NSO’s Pegasus reportedly used to target Armenians, marking first documented use of spyware in international conflict
The Pegasus spyware tool made by Israel’s NSO Group was used in a two-year spying campaign against prominent journalists, activists and officials in Armenia, Ryan Gallagher reports for Bloomberg News. The findings — from Access Now, Amnesty International, the University of Toronto’s Citizen Lab, and Armenia’s CyberHUB-AM — mark the first documented case of the spyware being used in an international war, Gallagher writes.
- Gallagher writes: “The researchers said they couldn’t conclusively determine which of NSO’s government customers had deployed the spyware. There was ‘substantial evidence’ that Azerbaijan is a Pegasus customer, they said.”
- Israel and Azerbaijan have worked to strengthen relations in recent months, the Jerusalem Post previously reported.
- “The targeting of Armenian victims often occurred shortly before or during outbreaks of the long-running conflict between Azerbaijan and Armenia over the disputed border region of Nagorno-Karabakh,” Gallagher wrote.
“With NSO Group and the spyware industry operating with little constraints or oversight, it was only a matter of time until we saw these technologies used in a brutal international military conflict,” said Natalia Krapiva, tech-legal counsel at Access Now.
- NSO told Bloomberg News that it could not address specific allegations because “as always, these groups refuse to share their reports” with the company.
- Azerbaijan’s foreign ministry didn’t respond to the outlet’s request for comment.
Portugal’s government lays groundwork for potential Huawei restrictions
The Portuguese government’s cybersecurity council laid out a plan for restricting “high risk” equipment from being used in the country’s 5G network, the Financial Times’s Anna Gross and Barney Jopson report. Such a move could deal a blow for Huawei, which has faced bans across Europe.
“The UK, Denmark, Sweden, Estonia, Latvia and Lithuania have banned Huawei from their 5G network build,” Gross and Jopson write. “This year, Germany said it was reviewing the use of Chinese components in its 5G network and investigating whether a change in the law would be required.”
- Portugal had previously pushed back against a U.S. push to limit Huawei in the country.
- The government panel’s document “outlines plans to exclude or apply restrictions on the use of equipment deemed high risk in its 5G network, but does not have any immediate effect because it would need to be approved by the cabinet, which oversees the cyber security council,” Gross and Jopson write.
In response, Huawei told the FT that it was aware of the government statement and is gathering additional information. The company told the FT that it “has no prior knowledge of, and hasn’t been consulted about, this matter.” The company also told the outlet that “Over the past two decades, Huawei has worked with Portuguese carriers to build out wireless networks and provide quality services that connect millions of people. We will continue to comply with all applicable laws and regulations, and serve Portuguese customers and partners who rely on our products and services.”
U.S. Army exploring development of ‘AI BOMs’ for detecting cyber vulnerabilities
The U.S. Army is exploring the possibility of asking commercial entities to provide an artificial intelligence bill of materials (BOM) in the same vein as software bills of materials (SBOM) that are used to present an ingredient list of software components, Mark Pomerleau reports for DefenseScoop.
- “We’re toying with the notion of an AI BOM [program]. That’s because really, we’re looking at things from a risk perspective. Just like we’re securing our supply chain, semiconductors, components, subcomponents, we’re also thinking about that from a digital perspective,” Young Bang, principal deputy assistant secretary of the Army for acquisition, logistics and technology, said at a Thursday event.
The Army could face challenges in inadvertently probing intellectual property (IP) of vendors when they enable the United States to see how their algorithms behave, the report said, though Bang said the Army is not seeking to gain access to IP.
- Bang held a roundtable with AI companies to discuss the concept, DefenseScoop adds.
SBOMs have been a contested area of cybersecurity policy. While they are viewed as helpful for understanding the anatomy of a software product and detecting its potential vulnerabilities, some argue that instituting SBOMs in reports is cumbersome. Lawmakers notably excluded an SBOM proposal from last year’s defense policy bill.
The strange story of the teens behind the Mirai Botnet (IEEE Spectrum)
DHS’s cyber agency seeks small biz support for strategic planning (FCW)
House Energy and Commerce approves electric sector incident reporting bill amid concerns over duplication (Inside Cybersecurity)
House passes bill to permanently authorize VA’s tech training program (Nextgov)
Microsoft won over Washington. A new AI debate tests its president. (Cat Zakrzewski)
Cybersecurity chiefs navigate AI risks and potential rewards (Wall Street Journal)
Brazilian hackers targeting users of over 30 Portuguese banks (The Hacker News)
AI rules ‘cannot be bargained’, EU’s Breton says after OpenAI CEO threat (Reuters)
As GCHQ’s new director takes office this week, she faces a personnel challenge (The Record)
Microsoft 365 phishing attacks use encrypted RPMSG messages (Bleeping Computer)
FBI investigating cyber attack on City of Augusta (Fox 54 Wayne County)
A popular password hashing algorithm starts its long goodbye (Wired)
- The Atlantic Council and the Swedish Embassy convene a discussion on disinformation at 9 a.m.
Thanks for reading. See you next week.