Piehop

Malware Profile Updated 2 months ago
Piehop is a malware component used in tandem with a second component known as LightWork. According to the cybersecurity firm Mandiant, both tools were developed by the threat actor group CosmicEnergy. Piehop, written in Python, connects to a remote Microsoft SQL Server (MSSQL) to upload files and issue remote commands to Remote Terminal Units (RTUs). LightWork, written in C++, implements the IEC-104 protocol over TCP to modify the state of RTUs. Together, the two components form a potent tool for cyberattacks, capable of causing significant disruption.

The operational capabilities of these components were, however, initially limited by programming errors. Mandiant's analysis found that the Piehop sample it obtained contained programming logic errors that prevented it from successfully performing its IEC-104 control capabilities; Mandiant nevertheless believes these errors are easily correctable. LightWork, by contrast, was found to function correctly, modifying the state of RTUs over TCP as intended.

Used together, Piehop and LightWork can send remote commands that affect the actuation of power line switches and circuit breakers, potentially leading to power disruptions. Specifically, Piehop uses LightWork to issue 'ON' or 'OFF' commands to the remote system and immediately deletes the executable once the command has been issued. The malware's ability to leverage existing access to cause widespread disruption underscores the increasing sophistication of cyber threats and the importance of robust cybersecurity measures.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so below are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Cosmicenergy | 1 | CosmicEnergy is a form of malware allegedly originating from Russia that targets industrial control systems, specifically those associated with electrical grids. Unlike other forms of malware, CosmicEnergy lacks the built-in functionality to autonomously discover and identify target systems within a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Mandiant
Dragos
Malware
Associated Malware
ID | Type | Votes | Profile Description
Lightwork | Unspecified | 1 | Lightwork is a disruptive malware tool written in C++, designed to manipulate the state of Remote Terminal Units (RTUs) over TCP using the IEC-104 protocol. It operates alongside another component called Piehop, both of which are part of a new malware system known as CosmicEnergy. According to cyber
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Piehop malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | Analysis of OT cyberattacks and malwares
CERT-EU | a year ago | CosmicEnergy’s threat to critical infrastructure in dispute
CERT-EU | a year ago | CosmicEnergy ICS Malware Poses No Immediate Threat, but Should Not Be Ignored
CERT-EU | a year ago | COSMICENERGY Malware May be Artifact of Russian Emergency Response Exercises