Cybersecurity company Dragos has identified malware that can attack industrial control systems (ICS) and cause them to behave maliciously, such as turning off heat and hot water in the middle of winter. TechCrunch reports A malware called FrostyGoop did just that in January of this year when residents of more than 600 apartment buildings in Lviv, Ukraine, were left without heat for two days during freezing weather.
Dragos he says FrostyGoop is only the ninth known malware designed to target industrial controllers. It is also the first company to focus exclusively on Modbus, a widely used communication protocol invented in 1979. Modbus is often used in industrial environments, like the one in Ukraine that FrostyGoop attacked in January.
of Ukraine Cyber Security Situation Center The country’s digital security agency (CSSC) shared information about the attack with Dragos after it discovered the malware in April this year, months after the attack. Malicious code written in Golang (The Switch to programming language developed by Google), directly interacts with industrial control systems over an open internet port (502).
Attackers likely broke into Lviv’s industrial network in April 2023. Dragos says they did this by “exploiting an unspecified vulnerability in an externally facing Mikrotik router.” They then installed a remote access tool that eliminated the need to install the malware locally, preventing detection.
Attackers helped cover their tracks by downgrading the controller’s software to a version without monitoring capabilities. Instead of trying to disable the systems entirely, the hackers caused the controllers to report inaccurate measurements — resulting in heat loss in the middle of a deep freeze.
Dragos has a long-standing policy of neutrality on cyberattacks, preferring to focus on education rather than blame. However, he noted that the adversaries had opened secure connections (using Layer 2 tunneling protocol) to Moscow-based IP addresses.
“I think the kinetic here is a very psychological effort facilitated by cyber means when perhaps it’s not the best option,” Dragos researcher Mark “Magpie” Graham said. TechCrunch. Lviv is in the western part of Ukraine and it will be more difficult for Russia than the eastern cities.
Dragos warns that given how widespread the Modbus protocol is in industrial environments, FrostyGoop could be used to disrupt similar systems around the world. The security company recommends continuous monitoring, noting that FrostyGoop evades virus detection, emphasizing the need for network monitoring to catch future threats before they strike. In particular, Dragos recommends that ICS operators use SANS 5 Critical Management for World-Class OT Cybersecurity, a security framework for their operational environments.
