Dragos, an industrial cybersecurity vendor, has disclosed a new industrial control system (ICS)-specific malware it calls FrostyGoop. It is the ninth ICS malware Dragos tracks, and the first it has seen that reaches operational technology (OT) directly over the Modbus communication protocol, which gives it the potential to disrupt infrastructure in any sector that runs Modbus-speaking devices.
Dragos researchers identified the malware in April 2024. What makes FrostyGoop significant is its ability to talk to ICS devices over Modbus TCP, and the threat is not theoretical: Dragos tied it to a January 2024 attack on a municipal district energy company in Lviv, Ukraine, in which heating to parts of the city was disrupted during sub-zero temperatures. Remediation took nearly two days, and the local population was left in the cold for that time.
Dragos has not attributed FrostyGoop to a specific group or country, although Ukraine has repeatedly been targeted by Russian state-sponsored groups. The key technical point is that FrostyGoop does not exploit a vulnerability in the Modbus protocol or in the target devices. Modbus TCP carries no authentication and no encryption, so any host with network reach to a controller's port 502/TCP can read and write its registers, and FrostyGoop simply does that: it issues Modbus read and write commands (Dragos observed function codes 3, 6 and 16, which read holding registers, write a single register and write multiple registers) to alter device state and cause malfunctions. At the time of Dragos's report the samples were not flagged by antivirus vendors, which is consistent with the malware's effect coming from ordinary-looking protocol traffic rather than from anything unusual on the host.
Dragos's initial assessment was that FrostyGoop might be a testing tool; confirmation that it was used in the Lviv attack changed that view. Although the attack targeted ENCO control devices, nothing in the malware is specific to them: it can address any ICS device that communicates over Modbus TCP. That generality is what makes the capability broadly applicable and is why Dragos is urging operators across critical infrastructure sectors to tighten their defences.
In a press briefing, Dragos staff described a rising trend of adversary-developed OT capabilities and the challenge malware like FrostyGoop presents. Mark Graham, principal adversary hunter technical director at Dragos, emphasized how many OT environments are now reachable from the open internet, which is exactly the exposure a Modbus-speaking tool needs. Phil Tonkin, Dragos field CTO, pointed to the ubiquity of Modbus in OT systems as the reason threats like FrostyGoop are hard to detect and mitigate. The practical consequence is that because legitimate reads and writes over the protocol are everywhere, a malicious command does not stand out on its own; detection has to rely on context such as which host sent the command, whether that host is supposed to write at all, and whether the values written are plausible for the process.
Dragos has updated its OT Watch platform with detections for FrostyGoop's indicators of compromise. Independently of any vendor product, operators should check whether their controllers, or the networks in front of them, are reachable from the internet and close that exposure; monitor Modbus traffic to port 502/TCP and alert on write function codes from any host that is not an authorized HMI or engineering workstation, and on reads or writes from source addresses not seen before; and record the register values written so that an unexpected setpoint change can be traced and reversed. Organizations that baseline their Modbus traffic this way and act on deviations are far better placed to catch a FrostyGoop-style intrusion before it affects the process.
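The following is an added example written for this article; it is not Dragos's code, not FrostyGoop, and not taken from any Dragos report. It shows both points made above: first, how small and credential-free a Modbus/TCP write request is (the builders assemble the MBAP header and PDU for function codes 3, 6 and 16 by hand), and second, the kind of detection logic the monitoring advice implies: parse Modbus/TCP payloads seen on port 502 and alert on any write function code from a host that is not on an allowlist of approved writers. The IP addresses, the allowlist, the register numbers and the captured flows are all constructed for the example; a real deployment would feed the detector from a SPAN port or pcap rather than from an in-memory list.

```python
"""Modbus/TCP write detection. Added illustration; constructed data, not a Dragos artifact."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MODBUS_TCP_PORT = 502
FC_READ_HOLDING_REGISTERS = 3
FC_WRITE_SINGLE_REGISTER = 6
FC_WRITE_MULTIPLE_REGISTERS = 16
# Function codes that change controller state. A write from an unexpected host is the signal.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int = 0
    values: Tuple[int, ...] = ()   # register values carried by a write; empty for reads


def _adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend the MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id.
    There is no field for a credential anywhere in the frame."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_read_holding_registers(tid: int, unit: int, start: int, quantity: int) -> bytes:
    return _adu(tid, unit, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start, quantity))


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    return _adu(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value))


def build_write_multiple_registers(tid: int, unit: int, start: int, values: Iterable[int]) -> bytes:
    data = b"".join(struct.pack(">H", v) for v in values)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS, start, len(data) // 2, len(data)) + data
    return _adu(tid, unit, pdu)


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request ADU. Raises ValueError on anything not well-formed."""
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("not a Modbus/TCP frame")
    fc, body = payload[7], payload[8:]
    if fc in (FC_READ_HOLDING_REGISTERS, FC_WRITE_SINGLE_REGISTER):
        if len(body) != 4:
            raise ValueError("bad PDU length")
        address, word = struct.unpack(">HH", body)   # word is a quantity for reads, a value for writes
        values = (word,) if fc == FC_WRITE_SINGLE_REGISTER else ()
        return ModbusRequest(tid, unit, fc, address, values)
    if fc == FC_WRITE_MULTIPLE_REGISTERS:
        if len(body) < 5:
            raise ValueError("bad PDU length")
        start, qty, byte_count = struct.unpack(">HHB", body[:5])
        if byte_count != 2 * qty or len(body) != 5 + byte_count:
            raise ValueError("byte count mismatch")
        return ModbusRequest(tid, unit, fc, start, struct.unpack(">%dH" % qty, body[5:]))
    return ModbusRequest(tid, unit, fc)   # other codes: keep the function code only


Flow = Tuple[str, str, int, bytes]   # (src_ip, dst_ip, dst_port, tcp_payload)


def detect_unexpected_writes(flows: Iterable[Flow], allowed_writers: set) -> List[Dict]:
    """One alert per Modbus write issued by a host that is not an approved writer."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_TCP_PORT:
            continue
        try:
            req = parse_modbus_tcp(payload)
        except ValueError:
            continue   # not Modbus or malformed; a production monitor would count these as well
        if req.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append({"src": src, "dst": dst, "unit": req.unit_id,
                           "function_code": req.function_code,
                           "start_address": req.start_address, "values": req.values})
    return alerts


# Constructed sample traffic. HMI is the only host that should ever write to the controller.
HMI, PLC, ROGUE = "10.0.1.10", "10.0.1.50", "203.0.113.5"
ALLOWED_WRITERS = {HMI}
SAMPLE_FLOWS: List[Flow] = [
    (HMI, PLC, 502, build_read_holding_registers(1, 1, 0, 10)),
    (HMI, PLC, 502, build_write_single_register(2, 1, 40, 550)),        # legitimate setpoint change
    (ROGUE, PLC, 502, build_read_holding_registers(7, 1, 0, 125)),      # reconnaissance read, not a write
    (ROGUE, PLC, 502, build_write_multiple_registers(8, 1, 40, [0, 0, 0])),
    (ROGUE, PLC, 502, build_write_single_register(9, 1, 41, 0xFFFF)),
    (HMI, PLC, 80, b"GET / HTTP/1.0\r\n\r\n"),                        # not Modbus
    (ROGUE, PLC, 502, b"\x00\x01\x00\x00"),                             # truncated junk
]

if __name__ == "__main__":
    for alert in detect_unexpected_writes(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(alert)
```

The rogue host's read of 125 holding registers is not alerted on by this function, but it is the kind of first-seen-source event the monitoring advice above says to watch as well; extending the detector with a set of previously seen source addresses per controller is a one-line change. The builders double as a reminder of the protocol's trust model: the entire "write three registers to zero" request is nineteen bytes, and a controller that accepts it has no way to ask who sent it.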
As the cybersecurity landscape continues to evolve, it is crucial for organizations to stay informed about the latest threats and vulnerabilities facing their systems. By working together to enhance cybersecurity measures and prioritize the protection of critical infrastructure, businesses can mitigate risks and ensure the resilience of their operations in the face of escalating cyber threats.

