Lightwork is a disruptive malware tool written in C++, designed to manipulate the state of Remote Terminal Units (RTUs) over TCP using the IEC-104 protocol. It operates alongside another component called Piehop; both are part of a new malware system known as CosmicEnergy. According to cybersecurity firm Mandiant, CosmicEnergy manipulates RTUs by leveraging these two derivative components. While the sample of Piehop obtained was riddled with programming logic errors that hinder its IEC-104 control capabilities, Mandiant believes these issues can be easily rectified. Lightwork, on the other hand, requires more development maturity before it becomes a full-fledged IEC-104 attack capability.
The malware system functions by having Piehop connect to a specified remote MSSQL server to upload files and issue remote commands to an RTU using Lightwork. Lightwork then implements the IEC-104 protocol to modify the RTU state to 'on' or 'off'. However, the operator likely needs to perform internal reconnaissance to obtain environmental information, such as MSSQL server IP addresses and credentials, because CosmicEnergy lacks discovery capabilities. Additionally, Lightwork was hard-coded to affect a specific IEC-104 network configuration, unlike Industroyer and Industroyer2, which had adaptable configuration formats.
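Because Lightwork's effect is an IEC-104 single or double command that switches an RTU point on or off, a defender monitoring the control network can look for exactly that: control-direction ASDUs with an "activation" cause that originate from any host other than the known SCADA master. The following Python is an added illustration, not code from Lightwork, Mandiant or Dragos; the frames, IP addresses and information object address are constructed, and the parser covers only I-format APDUs carrying C_SC_NA_1 (type 45) and C_DC_NA_1 (type 46).

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IEC 60870-5-104 type IDs carried in the control (master -> RTU) direction.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
}
ACTIVATION = 6  # cause of transmission: the command itself, not the RTU's confirmation (7)

@dataclass
class ControlCommand:
    type_id: int
    cause: int
    common_address: int
    ioa: int              # information object address of the switched point
    state: Optional[str]  # "on", "off" or None when the qualifier is not a valid switch state
    select: bool          # True = select, False = execute (S/E bit of the qualifier)

def parse_apdu(data: bytes) -> Optional[ControlCommand]:
    """Return a ControlCommand if the APDU carries a control-direction ASDU, else None."""
    if len(data) < 6 or data[0] != 0x68 or data[1] + 2 != len(data):
        raise ValueError("malformed IEC-104 APDU")
    if data[2] & 0x01:  # S- and U-format frames carry no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 10:  # type, VSQ, COT(2), CA(2), IOA(3), qualifier
        return None
    type_id, _vsq, cot_lo, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    if type_id not in CONTROL_TYPES:
        return None
    ioa = int.from_bytes(asdu[6:9], "little")
    qual = asdu[9]  # SCO for single commands, DCO for double commands
    state = None
    if type_id == 45:
        state = "on" if qual & 0x01 else "off"        # SCS bit
    elif type_id == 46:
        state = {1: "off", 2: "on"}.get(qual & 0x03)  # DCS bits
    return ControlCommand(type_id, cot_lo & 0x3F, ca, ioa, state, bool(qual & 0x80))

def scan_trace(frames, trusted_masters):
    """Alert on activation commands sent by any host other than the known SCADA master(s)."""
    alerts = []
    for src, raw in frames:
        cmd = parse_apdu(raw)
        if cmd and cmd.cause == ACTIVATION and src not in trusted_masters:
            alerts.append(f"{src}: {CONTROL_TYPES[cmd.type_id]} IOA={cmd.ioa} "
                          f"state={cmd.state} select={cmd.select}")
    return alerts
```

A real deployment would feed `scan_trace` from a packet capture or a network sensor and would also baseline which IOAs the legitimate master normally commands, since a compromised master host would pass the source-address check.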
Despite these functionalities, cybersecurity firm Dragos does not see Lightwork as an immediate threat. This is because Lightwork was compiled with symbol information, enabling researchers to recover the function and argument names used in the malware code. Furthermore, Dragos concluded that Lightwork was not a variant of the other two tools, Industroyer and Industroyer2, as they used a custom IEC-104 library while Lightwork did not. Hence, while Lightwork has demonstrated potential for disruption, it still requires further development to pose a significant threat.
Description last updated: 2024-05-05T01:17:05.952Z