Piehop

Malware updated 6 months ago (2024-05-05T01:18:27.470Z)
Piehop is a malicious software (malware) component used in tandem with another component known as LightWork. Both tools were developed by the threat actor group CosmicEnergy, according to the cybersecurity firm Mandiant. Piehop, written in Python, connects to a remote Microsoft SQL Server (MSSQL) to upload files and issue remote commands to Remote Terminal Units (RTUs). LightWork, written in C++, implements the IEC-104 protocol over TCP to modify the state of RTUs. Together the two components form a potent tool for cyberattacks, capable of causing significant disruption.

The operational capability of these components was initially limited, however, by programming errors. Mandiant's analysis found that the Piehop sample it obtained contained programming logic errors that prevented it from successfully performing its IEC-104 control capabilities, though Mandiant believes these errors are easily correctable. LightWork, by contrast, was found to function correctly, modifying the state of RTUs over TCP as intended.

Used in combination, Piehop and LightWork allow the malware to send remote commands that affect the actuation of power line switches and circuit breakers, potentially leading to power disruptions. Specifically, Piehop uses LightWork to issue 'ON' or 'OFF' commands to the remote system and then immediately deletes the executable once the command has been issued. This novel malware's ability to leverage access to cause widespread disruption underscores the increasing sophistication of cyber threats and the importance of robust cybersecurity measures.
Description last updated: 2024-05-05T01:17:03.723Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Source Document References
Information about the Piehop malware was read from the documents corpus below.