CyberSecurity SEE

Sabotage of Water-Heating Services in Ukraine by Novel ICS Malware

Researchers at Dragos have uncovered a new and dangerous piece of malware, FrostyGoop, that was linked to an attack in January 2024 that disrupted heating services in 600 apartment buildings in Lviv, Ukraine. The attack occurred during sub-zero temperatures, emphasizing the critical nature of the malware’s capabilities. FrostyGoop is the first malware known to enable threat actors to directly interact with operational technology (OT) systems via Modbus, a widely utilized communication protocol in industrial control systems (ICS) environments.

According to a report by Dragos, FrostyGoop poses a significant threat because it allows adversaries to target a wide range of ICS devices that use Modbus for communications. With approximately 46,000 Internet-exposed ICS devices currently communicating over the protocol, the potential for widespread attacks is alarming. FrostyGoop is only the ninth malicious tool specifically designed to target ICS environments, highlighting the evolving landscape of cyber threats to critical infrastructure.

The discovery of FrostyGoop came about when Dragos researchers encountered the malware in April 2024 during routine file analysis. Initially believed to be in a testing stage, the assessment changed when details of the January 2024 attack on the district energy company in Lviv were shared by Ukraine’s Cyber Security Situation Center (CSSC).

FrostyGoop, written in Golang and compiled for Windows, enables attackers to manipulate ICS devices using Modbus TCP on port 502. By altering the inputs, outputs, and configuration data stored in the devices' holding registers, attackers can disrupt the operations of industrial systems. The recent cyberattack in Ukraine used FrostyGoop to manipulate heating system controllers, resulting in inaccurate measurements and system malfunctions that left residents without hot water for nearly two days.
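Because Modbus carries no authentication, the defensive handle on the behaviour described above is the traffic itself: register writes (function codes 0x06 and 0x10) on TCP/502 should come only from known engineering stations. The following is an added example, not code from Dragos or from the malware, that parses Modbus/TCP frames and flags writes from hosts outside an allowlist; the IP addresses and frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Function codes that change device state; 0x06 / 0x10 write holding
# registers, which is how the article describes FrostyGoop altering controller data.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x17}
@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int
def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    fc, start, qty = payload[7], 0, 0
    if fc == 0x06:                          # Write Single Register: addr, value
        start, qty = struct.unpack(">H", payload[8:10])[0], 1
    elif fc in (0x03, 0x04, 0x10):          # reads / Write Multiple: addr, count
        start, qty = struct.unpack(">HH", payload[8:12])
    return ModbusRequest(tid, unit_id, fc, start, qty)
def flag_unauthorized_writes(frames, allowed_writers):
    # Alert on register writes from hosts outside the engineering allowlist,
    # and on frames that do not parse (a malformed frame is itself suspicious).
    alerts = []
    for src_ip, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"{src_ip}: malformed Modbus frame ({err})")
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            alerts.append(f"{src_ip}: write fc=0x{req.function_code:02x} unit={req.unit_id} "
                          f"addr={req.start_address} qty={req.quantity}")
    return alerts
# Constructed sample traffic to TCP/502 (hypothetical addresses, not incident data).
ALLOWED_WRITERS = {"10.0.0.5"}                  # the legitimate HMI / engineering station
SAMPLE_FRAMES = [
    ("10.0.0.5",  bytes.fromhex("00020000000601030000000a")),            # read 10 regs
    ("10.0.0.99", bytes.fromhex("000100000006010600100064")),            # write reg 0x10
    ("10.0.0.5",  bytes.fromhex("00030000000b0110001000020400010002")),  # allowed write
    ("10.0.0.99", bytes.fromhex("00040000000b0110001000020400010002")),  # write 2 regs
    ("10.0.0.99", bytes.fromhex("0005000000060106")),                    # truncated frame
]
```

Running `flag_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS)` yields three alerts: the two writes from 10.0.0.99 and the truncated frame, while the allowed station's read and write pass silently.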

The lack of network segmentation at the targeted energy company allowed the attackers to pivot through multiple servers and eventually compromise the heating system controllers. By downgrading the firmware on the controllers to an unsupported version, the adversaries caused the systems to malfunction, resulting in disrupted services for customers.

Despite Dragos’s efforts to investigate the attack, the threat actors behind FrostyGoop remain unidentified. However, the use of cyber means to disrupt essential services in Ukraine instead of kinetic attacks suggests a strategic shift in tactics. Dragos emphasizes the importance of implementing security measures such as network segmentation, continuous monitoring, secure remote access, vulnerability management, and robust incident response capabilities to protect against similar threats.

In a landscape where ICS-specific malware is becoming more prevalent, the necessity for proactive defense measures has never been clearer. FrostyGoop joins the ranks of notorious malware like Stuxnet, Industroyer/CrashOverride, and Havex, which have been used in targeted attacks on critical infrastructure worldwide. As cyber threats continue to evolve, organizations must remain vigilant and prioritize security to safeguard against potential cyberattacks on industrial systems.
