Cybersecurity firm Dragos has detected malware that can attack industrial control systems (ICS), tricking them into adopting malicious behaviour, such as turning off heating and hot water in the middle of winter. According to TechCrunch, that is precisely what the malware, dubbed FrostyGoop, did in January in Lviv, Ukraine, where residents of more than 600 apartment buildings were left without heat for two days in freezing temperatures.
Dragos says FrostyGoop is the ninth known malware designed to attack industrial controllers. It is also the first to specifically target Modbus, a widely used industrial communications protocol that dates back to 1979. Modbus is common in industrial environments like the one in Ukraine that FrostyGoop attacked in January.
Ukraine's Cyber Security Situation Center (CSSC), the government agency in charge of the country's digital security, shared information about the attack with Dragos after discovering the malware in April this year, months after the attack. The malicious code, written in Go (the Golang programming language designed at Google), interacts directly with industrial control systems over an Internet-exposed port, TCP 502, the standard Modbus/TCP port.
The attackers likely gained access to the Lviv industrial network in April 2023. Dragos claims they did so by “exploiting an undetermined vulnerability in an external Mikrotik router.” They then installed a remote access tool that bypassed the need to install the malware locally, helping it avoid detection.
The attackers downgraded the controller firmware to a version that lacked monitoring capabilities, which helped hide their tracks. Rather than trying to take down the systems entirely, the hackers caused the controllers to report inaccurate measurements, leading to heat loss in the middle of a deep freeze.
Dragos has long maintained a policy of neutrality regarding cyberattacks, preferring to focus on education without assigning blame. However, it noted that the adversaries opened secure connections (using the Layer 2 Tunneling Protocol, L2TP) to IP addresses based in Moscow.
“I think it's largely a psychological effort, facilitated through cyber means when kinetic was perhaps not the best option,” said Dragos investigator Mark “Magpie” Graham. Lviv is in the western part of Ukraine, so it would be much more difficult for Russia to attack it than the eastern cities.
Dragos warns that given the ubiquity of the Modbus protocol in industrial environments, FrostyGoop could be used to disrupt similar systems around the world. The security firm recommends continuous monitoring and notes that FrostyGoop evaded antivirus detection, underscoring the need to monitor the network to detect future threats before they strike. Specifically, Dragos advises ICS operators to use SANS’ 5 Critical Controls for World-Class OT Cybersecurity, a security framework for operational environments.
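The continuous network monitoring Dragos recommends can be illustrated with a small Modbus/TCP inspector. The following is an added example written for this article, not code from Dragos, the CSSC or the FrostyGoop report: it parses the 7-byte MBAP header and function code of Modbus/TCP requests sent to port 502, and raises an alert when a state-changing (write) function code comes from a host outside a hypothetical allow list of engineering and HMI stations, or when a frame is malformed. The allow list, host addresses and packet bytes are all constructed for the demonstration.

```python
"""Constructed example: flagging unexpected Modbus/TCP write requests.

A Modbus/TCP request begins with the MBAP header:
    transaction id (2 bytes), protocol id (2 bytes, always 0),
    length (2 bytes, counts unit id + PDU), unit id (1 byte)
followed by the PDU: function code (1 byte) + function-specific data.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical allow list: the only hosts permitted to write to controllers.
ALLOWED_WRITERS = {"10.0.0.10", "10.0.0.11"}

# Modbus function codes that modify controller state (coils / holding registers).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request; raise ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack("!HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The length field covers the unit id and the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload size")
    return ModbusRequest(tid, uid, payload[7], payload[8:])


def classify(src_ip: str, dst_port: int, payload: bytes) -> Optional[str]:
    """Return an alert message for a suspicious request, or None if it looks benign."""
    if dst_port != 502:
        return None
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"malformed Modbus/TCP from {src_ip}: {exc}"
    if req.function_code in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS:
        name = WRITE_FUNCTIONS[req.function_code]
        return (f"{name} (fc {req.function_code}) to unit {req.unit_id} "
                f"from unauthorised host {src_ip}")
    return None


# Constructed sample flow records: (source IP, destination port, TCP payload).
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    # Allowed HMI reads two holding registers (fc 3): benign.
    ("10.0.0.10", 502, bytes.fromhex("000100000006010300000002")),
    # Allowed HMI writes register 1 = 42 (fc 6): benign, host is on the allow list.
    ("10.0.0.10", 502, bytes.fromhex("00020000000601060001002a")),
    # Unknown host writes one holding register via fc 16: alert.
    ("192.0.2.77", 502, bytes.fromhex("00030000000901100000000102000a")),
    # Truncated frame from the same unknown host: alert (malformed).
    ("192.0.2.77", 502, bytes.fromhex("0004000000")),
]


def scan(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    """Run classify() over a list of flows and return the alerts raised."""
    return [alert for alert in (classify(*flow) for flow in flows) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

In a real deployment the flows would come from a network tap or a passive sensor rather than an inline list, and the allow list would be derived from an asset inventory; the point is that Modbus carries no authentication of its own, so the source host of a write request is the strongest signal a defender has, and a write from anywhere else is worth an alert regardless of whether the payload matches a known malware sample.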