FrostyGoop ICS Malware Left Ukrainian City’s Residents Without Heating


Industrial cybersecurity firm Dragos has shared details on FrostyGoop, a recently discovered piece of malware designed to target industrial control systems (ICS).

FrostyGoop was used in January 2024 in an attack that disrupted systems at a municipal district energy company in the Ukrainian city of Lviv. The targeted facility provides central heating to 600 apartment buildings in the Lviv metropolitan area, and the attack resulted in a loss of heating for residents.

“Remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures,” Dragos said on Tuesday.

The security firm started analyzing the FrostyGoop ICS malware in April 2024, initially believing that it had been used for testing purposes. However, it later learned from the Cyber Security Situation Center (CSSC) of the Security Service of Ukraine that it was actually used in a disruptive attack.

According to Dragos, the attackers gained access to the targeted energy facility’s systems in April 2023, likely by exploiting an undetermined vulnerability in an internet-exposed Mikrotik router. There was no network segmentation in place, giving the attackers easy access to other systems. 

Later that month, the hackers deployed a webshell, but then apparently took a break until November, when they obtained user credentials from the SAM registry hive. In December, they again attempted to obtain credentials, and on January 22, 2024, they initiated the disruptive attack.

Dragos said the threat actor sent commands over the Modbus industrial communication protocol to controllers in the targeted facility. The commands were sent directly to ENCO controllers from the adversary’s hosts. 

The attackers downgraded the firmware on the targeted controllers to a version that lacked monitoring capabilities, which prevented the facility’s operators from seeing what was going on. The hackers then caused the controllers to report inaccurate measurements — specifically that water was hot when in fact it was cold — which resulted in water no longer being heated and cold water being pumped to residential buildings. The threat actor did not attempt to destroy the controllers, Dragos said.


FrostyGoop facilitated the attack because it can interact directly with ICS devices using Modbus TCP over port 502. According to Dragos, it is the first ICS-specific malware to use Modbus TCP communications to achieve an impact on operational technology (OT).

“FrostyGoop functionality uses the Modbus protocol generically, meaning it could affect many devices,” Dragos warned. “The associated FrostyGoop configuration file contained an IP address belonging to an ENCO control device exposed on the Internet, which leads Dragos to assess with medium confidence that before this attack, FrostyGoop was used to target one or more ENCO controllers where TCP port 502 was Internet accessible.”

ENCO controllers are mainly deployed in Eastern Europe, including Ukraine, Romania and Lithuania. However, Modbus is used worldwide and there are roughly 46,000 internet-exposed ICS devices that communicate over this protocol.

“FrostyGoop’s ability to communicate with ICS devices via Modbus TCP threatens critical infrastructure across multiple sectors. Given the ubiquity of the Modbus protocol in industrial environments, this malware can potentially cause disruptions across all industrial sectors by interacting with legacy and modern systems,” Dragos said.
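The attack chain described above (commands sent over Modbus TCP from the adversary's own hosts, on a network with no segmentation) is detectable at the protocol level. The following Python is an added example, not Dragos code or a FrostyGoop artefact: it parses Modbus/TCP request frames and flags register writes that come from outside the OT segment or from hosts that are not on a write allowlist. The 10.20.0.0/24 segment, the allowlisted HMI address 10.20.0.10, the register addresses and the sample frames are all assumptions constructed for the example.

```python
"""Added example: parse Modbus/TCP requests and flag register writes from hosts
that should not issue them. Frames, addresses and the allowlist below are
constructed for illustration; nothing here is taken from FrostyGoop itself."""
import ipaddress
import struct
from dataclasses import dataclass, field

MODBUS_PORT = 502
# Public function codes from the Modbus Application Protocol specification.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed site policy: only the HMI/SCADA server writes to controllers, and all
# Modbus traffic should originate inside the OT segment.
ALLOWED_WRITERS = {"10.20.0.10"}
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int
    values: list = field(default_factory=list)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the request PDU that follows it."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:           # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    if fc in READ_CODES or fc in (5, 6):
        if len(pdu) < 4:
            raise ValueError("truncated PDU")
        addr, word = struct.unpack(">HH", pdu[:4])
        if fc in (5, 6):                    # address + single value
            return ModbusRequest(tid, unit, fc, addr, 1, [word])
        return ModbusRequest(tid, unit, fc, addr, word)   # address + quantity
    if fc in (15, 16):
        if len(pdu) < 5:
            raise ValueError("truncated PDU")
        addr, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        data = pdu[5:5 + byte_count]
        if len(data) != byte_count or (fc == 16 and byte_count != 2 * qty):
            raise ValueError("byte count does not match quantity")
        values = list(struct.unpack(">%dH" % qty, data)) if fc == 16 else list(data)
        return ModbusRequest(tid, unit, fc, addr, qty, values)
    return ModbusRequest(tid, unit, fc, 0, 0)        # other codes: header only


def build_request(tid: int, unit: int, fc: int, addr: int, *words: int) -> bytes:
    """Encode a request for FC 3/6/16 (enough to construct the samples below)."""
    if fc == 16:
        pdu = struct.pack(">BHHB", fc, addr, len(words), 2 * len(words))
        pdu += struct.pack(">%dH" % len(words), *words)
    else:                                    # FC 3 (addr, quantity) or FC 6 (addr, value)
        pdu = struct.pack(">BHH", fc, addr, words[0])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def detect(events):
    """events: (src_ip, dst_port, frame). Returns (src_ip, rule, detail) alerts."""
    alerts = []
    for src, dport, frame in events:
        if dport != MODBUS_PORT:
            continue
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src, "malformed_modbus", str(err)))
            continue
        if ipaddress.ip_address(src) not in OT_SEGMENT:
            alerts.append((src, "modbus_from_outside_ot", f"fc={req.function_code}"))
        elif req.function_code in WRITE_CODES and src not in ALLOWED_WRITERS:
            alerts.append((src, "unauthorized_write",
                           f"{WRITE_CODES[req.function_code]} addr={req.start_address} "
                           f"values={req.values}"))
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE_EVENTS = [
    ("10.20.0.10", 502, build_request(1, 1, 3, 0, 8)),            # HMI polls 8 registers
    ("10.20.0.10", 502, build_request(2, 1, 16, 40, 850, 850)),   # HMI setpoint write: allowed
    ("198.51.100.7", 502, build_request(3, 1, 16, 40, 150, 150)), # write from outside the OT segment
    ("10.20.0.55", 502, build_request(4, 1, 6, 41, 0)),           # write from a host not on the allowlist
    ("10.20.0.55", 8080, b"GET / HTTP/1.0\r\n\r\n"),              # not Modbus, ignored
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints two alerts: the write from 198.51.100.7 (outside the OT segment) and the single-register write from 10.20.0.55 (inside the segment, but not an approved writer). In a real deployment the events would come from a span port or a protocol-aware sensor rather than a constructed list, and the allowlist would be derived from the site's own engineering documentation; the point is that Modbus carries no authentication, so source-based policy is the only control the protocol itself leaves you.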

FrostyGoop is the ninth ICS malware discovered to date, after Trisis (Triton), CrashOverride (Industroyer), BlackEnergy2, Havex, Stuxnet, Industroyer2, PipeDream, and Fuxnet. 

Dragos has not attributed the attack to any country or known threat actor. The company did, however, point out that there were connections to a couple of Moscow-based IP addresses during the attack in January. 

Russian state-sponsored threat actors have been known to target Ukraine’s energy sector, even before the war started. In 2015 and 2016, Russia-linked hackers caused power outages in Ukraine in attacks involving malware. 

Not all of Russia’s attacks on Ukraine’s energy sector involved malware. In attacks observed last year by Mandiant, which caused an unplanned power outage that coincided with mass missile strikes on Ukrainian critical infrastructure, threat actors used OT-level living-off-the-land techniques to trip substation circuit breakers. 

Both Russian and Ukrainian groups appear to be developing ICS malware. Ukrainian hackers recently claimed to have used a piece of malware named Fuxnet to target Russian infrastructure. 

Last year, researchers discovered a Russia-linked ICS malware named CosmicEnergy, but the variant analyzed at the time did not pose an immediate threat to OT as it contained errors and lacked maturity.

Related: Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware

Related: Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis

