A cybersecurity firm, Dragos, has identified malware capable of deceiving industrial control systems (ICS), potentially inducing harmful actions such as shutting down heating and hot water supplies during winter. The malicious software, known as FrostyGoop, wreaked havoc on the housing sector of Lviv, Ukraine, in January, leaving more than 600 condominium building residents without heat for two days amidst subfreezing temperatures.
Dragos has identified FrostyGoop as the ninth known threat specifically targeting industrial control systems (ICS), and the first known to specifically target Modbus, a communication protocol in wide use since its inception in 1979. Modbus has been consistently employed in industrial settings, including the Ukrainian facility affected by the January attack by FrostyGoop.
Ukraine’s Computer Emergency Response Team (CERT-UA), the country’s official authority on digital security, revealed details of the attack to Dragos following its discovery in April of this year – several months after the incident occurred. The malicious code, written in Golang – a language developed by Google – communicates directly with industrial control systems over an exposed network port (specifically TCP port 502, the standard Modbus/TCP port).
Attackers breached Lviv’s industrial complex in April 2023, gaining unauthorised access. According to Dragos, the attackers exploited an unspecified vulnerability in the externally facing MikroTik router, allowing them to remotely install a backdoor; this eliminated the need for local installation and thereby reduced the likelihood of detection.
The attackers exploited a vulnerability to downgrade the controller’s firmware to an older version lacking essential monitoring capabilities, effectively masking their digital footprints. Instead of dismantling the systems entirely, the hackers coaxed the controllers into providing false readings, ultimately leading to the absence of heat during an extreme cold spell.
Dragos has long maintained a commitment to neutrality when addressing cyberattacks, focusing instead on education and analysis without attributing culpability. Nevertheless, Dragos reported that the attackers established secure connections (using the Layer Two Tunneling Protocol, L2TP) to IP addresses based in Moscow.
Dragos researcher Mark “Magpie” Graham noted, “It’s a significant psychological effort, enabled by cyber means, which may not have been the only option had it been kinetic here.” Located in western Ukraine, Lviv would present a more challenging target for Russian aggression compared to cities in eastern Ukraine.
Given the pervasive use of Modbus in industrial settings, Dragos cautions that successful use of FrostyGoop could have far-reaching consequences for industrial control systems worldwide. The security firm stresses the importance of constant network monitoring: FrostyGoop’s ability to evade antivirus detection highlights the need for community vigilance so that potential risks are identified before they materialise. Dragos recommends that ICS operators adopt the SANS Institute’s 5 Critical Security Controls as the basis for OT cybersecurity best practices in industrial control systems environments.
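The article notes that FrostyGoop talks to controllers over Modbus/TCP on port 502 and that Dragos recommends constant monitoring of ICS networks. The following is an added example, not code from the article or from Dragos, of what such monitoring can look like at the protocol level: it parses the Modbus/TCP MBAP header and PDU of a TCP segment, rejects malformed frames, and raises an alert whenever a state-changing Modbus write function is issued by a host that is not on an allow list. The allow list address, the sample packets and the alert wording are constructed for illustration; the MBAP layout and function codes are the standard Modbus/TCP ones.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus/TCP listens on TCP port 502; every PDU is preceded by a 7-byte MBAP header
# (transaction id, protocol id, length, unit id) followed by a 1-byte function code.
MODBUS_PORT = 502

# Function codes that change controller state. Reads (0x01-0x04) are left alone.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Hypothetical allow list of hosts expected to issue Modbus writes (constructed value,
# e.g. the plant HMI). Anything else writing to a controller is worth an alert.
ALLOWED_WRITERS = {"10.0.0.10"}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse MBAP header + PDU. Returns None if the payload is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    # Protocol identifier is always 0 for Modbus; the length field counts unit id + PDU,
    # i.e. everything after the first six header bytes.
    if pid != 0 or length != len(payload) - 6:
        return None
    return ModbusFrame(tid, pid, length, uid, fc, payload[8:])


def inspect_packet(src_ip: str, dst_port: int, payload: bytes) -> List[str]:
    """Return alert strings for one TCP segment sent towards a controller."""
    alerts: List[str] = []
    if dst_port != MODBUS_PORT:
        return alerts
    frame = parse_modbus_tcp(payload)
    if frame is None:
        alerts.append(f"{src_ip}: malformed Modbus/TCP payload on port {dst_port}")
        return alerts
    if frame.function_code in WRITE_FUNCTION_CODES and src_ip not in ALLOWED_WRITERS:
        name = WRITE_FUNCTION_CODES[frame.function_code]
        alerts.append(
            f"{src_ip}: {name} (0x{frame.function_code:02X}) to unit {frame.unit_id} "
            "from non-allowlisted host"
        )
    return alerts


# Constructed sample traffic (source IP, destination port, TCP payload); not captured
# from the incident described in the article.
SAMPLE_PACKETS: List[Tuple[str, int, bytes]] = [
    # Allow-listed HMI reads 2 holding registers from address 0 (function 0x03): benign.
    ("10.0.0.10", 502, bytes.fromhex("0001 0000 0006 01 03 0000 0002")),
    # Unknown host writes 1 holding register (function 0x10): alert.
    ("203.0.113.7", 502, bytes.fromhex("0002 0000 0009 01 10 0000 0001 02 0000")),
    # Protocol id 0x0001 is not Modbus: malformed frame, alert.
    ("203.0.113.7", 502, bytes.fromhex("0003 0001 0006 01 03 0000 0002")),
]


def scan(packets: List[Tuple[str, int, bytes]]) -> List[str]:
    """Run inspect_packet over a list of segments and collect all alerts."""
    found: List[str] = []
    for src, port, payload in packets:
        found.extend(inspect_packet(src, port, payload))
    return found


if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print("ALERT", alert)
```

In a real deployment the packets would come from a network tap or span port feeding a tool such as Zeek or a Dragos-style ICS monitor; the point of the example is that a write from an unexpected source, or a frame that is not well-formed Modbus, is visible on the wire even when the controller itself has been talked into reporting false readings.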