The malware leverages Modbus TCP communications to target operational technology assets — and can easily be repurposed to compromise other industrial controllers, putting widespread critical infrastructure at risk.

Security researchers warn about a new malware threat designed to interact with industrial control systems (ICS) over the Modbus protocol. The malicious program was used in January in a cyberattack that left hundreds of buildings in the city of Lviv, Ukraine, without central heating during freezing temperatures.

Industrial cybersecurity firm Dragos found samples of the malware in April during a routine analysis of suspicious files and dubbed it FrostyGoop. Initially the researchers thought it might have been a project someone developed for testing purposes, but they later determined with moderate confidence that it was used in a real-world attack against a Ukrainian energy company.

“The Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine, shared details with Dragos relating to a cyber attack that targeted a municipal district energy company in Lviv, Ukraine,” Dragos wrote in a report released Tuesday. “During sub-zero temperatures, the attack disrupted the power supply to heating services to over 600 apartment buildings. The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions.”

The FrostyGoop sample found and analyzed by Dragos was configured to connect to an IP address corresponding to a publicly exposed ENCO controller. These programmable controllers are used to manage central heating, hot water, and ventilation systems, but the researchers warn that the malware’s functionality is not specific or limited to them, which means the threat can easily be repurposed to attack other controllers.
The Modbus protocol enables target diversity

FrostyGoop is the ninth known ICS-specific malware tracked by Dragos and the first to use Modbus TCP communications to impact operational technology (OT) assets. Many groups target industrial organizations for the purpose of spying, but only a few have developed malware with the capability to interact with industrial devices.

Some of those malware programs contain code specific to the devices they target. Stuxnet, for example, was designed to interact with the firmware of Siemens S7 programmable logic controllers (PLCs), while the Trisis malware was created to disable Schneider Electric Triconex safety instrumented systems. FrostyGoop, however, takes advantage of the abstraction and interoperability offered by Modbus to read and write data on any device that supports the protocol. Modbus was originally created in 1979 for Modicon PLCs but has since become an open protocol adopted by many industrial equipment manufacturers to enable communication between various types of devices.

“FrostyGoop accepts a JSON-formatted configuration file containing information used to execute Modbus commands on a target device,” the Dragos researchers wrote. “The malware reads the file, parses the JSON data, connects to the IP address from the file, and sends Modbus TCP commands to holding register addresses specified in the configuration file.”

Attacks on industrial infrastructure have been on the rise over the past few years, with threat actors looking to cause major disruption of critical infrastructure — although shifts in goals around targeting critical infrastructure have been noted as well.

Anatomy of the Ukrainian attack
In the Ukrainian attack, investigators believe the hackers broke into the district energy company’s network by exploiting a vulnerability in a Mikrotik router, with the initial access happening in April 2023. They then deployed a webshell on the router’s web server to enable remote access and tunnel into the network. The attackers spent time collecting information and planning the next step of their attack until December 2023, when they dumped the Security Account Manager (SAM) registry hive and extracted credentials from the system. While most of the connections to the webshell were made via the Tor anonymity network, the hackers also set up L2TP tunneling to Moscow-based IP addresses.

“The victim network assets, which consisted of a Mikrotik router, four management servers, and the district heating system controllers, were not adequately segmented within the network,” the Dragos researchers concluded. “A forensic examination during the investigation showed that the adversaries sent Modbus commands directly to the district heating system controllers from adversary hosts, facilitated by hardcoded network routes.”

The attackers first downgraded the firmware on the ENCO controllers to an older version that lacked the monitoring capabilities the target organization relied on. They then sent commands that led the controllers to report inaccurate measurements, which caused the heating system to stop. Recovering from the disruption took almost two days, while thousands of families had to endure sub-zero temperatures.

“This represents a significant risk to the integrity and functionality of ICS devices, with potentially far-reaching consequences for industrial operations and public safety,” the Dragos researchers wrote. “The attack’s involvement of internet-exposed controllers and insufficient network segmentation highlights the risks of not implementing basic cybersecurity controls and the importance of doing so. Currently, over 46,000 internet-exposed ICS devices communicate over Modbus around the world.”

Moreover, many ICS flaws remain unpatched, providing further challenges for OT defense.
A 2023 analysis of ICS CVEs found more than a third having no patch available.
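In the attack described above, Modbus commands reached the heating controllers directly from adversary hosts, which is exactly the traffic a passive network sensor on the OT segment can flag. The following is an added example, not code from Dragos, from the article, or from FrostyGoop: it parses Modbus TCP frames (MBAP header plus function code) and alerts on any request from a host outside an allowlist of authorised masters, while recording write operations even from known hosts. The allowlist address, unit and register numbers and the captured frames are constructed for illustration.

```python
"""Passive Modbus TCP detector: added example, not Dragos's or FrostyGoop code.
Parses frames as a network sensor sees them and flags requests from hosts
outside an allowlist of authorised Modbus masters (HMI/engineering stations).
Hosts, register addresses and frames are constructed for illustration."""
import struct
from typing import Optional

# Modbus function codes that change controller state (from the public spec).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

AUTHORISED_MASTERS = {"10.0.10.5"}  # assumed HMI address, not from the article


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and function code of one Modbus TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    info = {"transaction": tid, "unit": unit, "function": fc,
            "start": None, "count": None}
    if fc in (3, 6, 16) and len(pdu) >= 4:
        # Holding-register requests carry a 16-bit start address, then a
        # register count (FC3/FC16) or the value to write (FC6).
        info["start"], info["count"] = struct.unpack(">HH", pdu[:4])
    return info


def inspect(src_ip: str, frame: bytes) -> Optional[str]:
    """Alert on any request from an unknown host; record writes from known ones."""
    req = parse_modbus_tcp(frame)
    fc = req["function"]
    if src_ip not in AUTHORISED_MASTERS:
        kind = WRITE_FUNCTIONS.get(fc, f"function {fc}")
        return f"ALERT: {kind} to unit {req['unit']} from unauthorised host {src_ip}"
    if fc in WRITE_FUNCTIONS:
        return f"NOTICE: {WRITE_FUNCTIONS[fc]} at register {req['start']} from {src_ip}"
    return None


# Constructed sample frames (MBAP header + PDU) as a sensor might capture them.
READ_FROM_HMI = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)  # FC3, 10 registers
WRITE_FROM_ROGUE = struct.pack(">HHHBBHHB", 2, 0, 9, 1, 16, 100, 1, 2) + b"\x00\x00"
```

`inspect("10.0.99.7", WRITE_FROM_ROGUE)` returns an alert naming the write function and the unauthorised source, while the HMI's read request returns None; in a real deployment the allowlist and the unit/register ranges each master may write would come from the site's asset inventory.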