A cyberattack targeted a municipal energy company in Lviv, Ukraine, in late January 2024, using a newly discovered malware named FrostyGoop [1] [7] [8]. The incident highlights the growing threat of cyberattacks against critical infrastructure [8].

Description

The malware interacted with industrial control systems (ICS) over the Modbus protocol [1], causing a two-day outage of central heating for more than 600 apartment buildings [6] [8]. By sending Modbus commands to ENCO controllers, the attackers altered temperature readings, tricking the control systems into cooling the hot water running through the buildings' pipes and producing system malfunctions and inaccurate measurements [1]. FrostyGoop is the ninth ICS-specific malware encountered by cybersecurity researchers and the first to use Modbus TCP communications to sabotage OT networks. The attackers gained access to the network months before the attack by exploiting a vulnerable MikroTik router as an entry point, then set up their own VPN connection into the network, connecting back to IP addresses in Moscow [9]. Despite the Russian IP addresses, the attack has not been attributed to any specific hacking group or government [8]. The researchers warn that the malware's functionality is not limited to ENCO controllers and could easily be repurposed against other systems [1].

Conclusion

The attack on the energy provider's networks was attributed to FrostyGoop; the attackers compromised the systems through a vulnerability in a MikroTik router and spent months preparing for the attack [7]. Dragos, a cybersecurity company, identified FrostyGoop as a new malware that targets industrial control systems (ICS) through the Modbus communication protocol [2] [4] [6] [7] [8]. The attack in Lviv, Ukraine, left over 600 apartment buildings without heat for two days because of the malware's interference with the industrial control systems [1] [2] [3] [4] [5] [6] [7] [8] [9]. Dragos warns that FrostyGoop poses a global threat to similar systems and recommends continuous monitoring to detect and prevent future attacks.
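The description above explains that FrostyGoop did its damage with ordinary Modbus TCP write commands, and the conclusion notes that Dragos recommends continuous monitoring. The following is an added example written for this summary, not code from Dragos or from any of the cited reports: it parses Modbus TCP frames as they would be captured on TCP/502 and raises an alert when a state-changing function code (writes to coils or holding registers) arrives from a host that is not on an allowlist of known engineering workstations or HMIs, or when a frame is malformed. The IP addresses, the allowlist and the captured frames are constructed for the example and do not correspond to anything in the reporting.

```python
"""Flag Modbus TCP write requests from unexpected sources.

Added example for this summary; not code from Dragos or the cited articles.
All IP addresses, frames and the allowlist below are constructed test data.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (per the public
# Modbus Application Protocol specification).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU bytes after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    # The length field counts the unit id byte plus the PDU.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match payload size {len(frame) - 6}")
    return ModbusRequest(transaction_id, unit_id, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Summarise a write request: target address and value or quantity."""
    name = WRITE_FUNCTION_CODES.get(req.function_code)
    if name is None or len(req.data) < 4:
        return ""
    addr, second = struct.unpack(">HH", req.data[:4])
    if req.function_code in (0x05, 0x06):
        return f"{name} addr={addr} value={second}"
    return f"{name} addr={addr} quantity={second}"


def check_request(src_ip: str, frame: bytes, allowed_writers: set) -> list:
    """Return alert strings for one request observed from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"{src_ip}: malformed Modbus frame ({exc})"]
    if req.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
        return [f"{src_ip}: unauthorized {describe_write(req)} to unit {req.unit_id}"]
    return []


def analyze_traffic(traffic, allowed_writers: set) -> list:
    """Run check_request over (src_ip, frame) pairs and collect alerts."""
    alerts = []
    for src_ip, frame in traffic:
        alerts.extend(check_request(src_ip, frame, allowed_writers))
    return alerts


# Constructed allowlist: the site's HMI is the only host expected to write.
ALLOWED_WRITERS = {"192.168.10.5"}

# Constructed frames (hex): MBAP header then PDU.
READ_HOLDING = bytes.fromhex("000200000006010300000010")        # FC 0x03, read 16 regs
WRITE_SINGLE = bytes.fromhex("000100000006010600100014")        # FC 0x06, addr 16 = 20
WRITE_MULTI = bytes.fromhex("00030000000B0110000000020400 0A000B".replace(" ", ""))
BAD_LENGTH = bytes.fromhex("000400000009010600100014")          # length field wrong

SAMPLE_TRAFFIC = [
    ("192.168.10.5", READ_HOLDING),   # HMI polling: benign
    ("198.51.100.7", WRITE_SINGLE),   # unknown host writing a setpoint: alert
    ("192.168.10.5", WRITE_MULTI),    # HMI writing: allowed
    ("198.51.100.7", BAD_LENGTH),     # malformed frame: alert
]

if __name__ == "__main__":
    for alert in analyze_traffic(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(alert)
```

The allowlist is deliberately strict: on a heating-plant network the set of hosts that legitimately write setpoints is small and stable, so any write from outside it is worth an alert even before the value itself is judged. Reads are left alone here, but the same parser can feed a baseline of normal polling intervals and register ranges.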

References

[1] https://www.csoonline.com/article/3476858/ics-malware-frostygoop-disrupted-heating-in-ukraine-remains-threat-to-ot-worldwide.html
[2] https://www.engadget.com/russia-linked-hackers-cut-heat-to-600-ukrainian-apartment-buildings-in-the-dead-of-winter-researchers-say-171414527.html
[3] https://thehackernews.com/2024/07/new-ics-malware-frostygoop-targeting.html
[4] https://www.scmagazine.com/news/frostygoop-malware-uses-modbus-threatens-ics-systems-worldwide
[5] https://www.darkreading.com/ics-ot-security/novel-ics-malware-sabotaged-water-heating-services-in-ukraine
[6] https://www.techtarget.com/searchSecurity/news/366596552/Dragos-New-ICS-malware-FrostyGoop-abuses-Modbus
[7] https://cyberscoop.com/frostygoop-ics-malware-dragos-ukraine/
[8] https://techcrunch.com/2024/07/23/hackers-shut-down-heating-in-ukrainian-city-with-malware-researchers-say/
[9] https://www.wired.com/story/russia-ukraine-frostygoop-malware-heating-utility/