ICS Malware wreaked havoc on Ukraine’s water-heating services

July 23, 2024

Summary of "Novel ICS Malware Sabotaged Water-Heating Services in Ukraine"

TLDR:

  • Novel ICS malware named FrostyGoop disrupted heating services in Ukraine
  • The malware lets threat actors interact directly with operational technology (OT) systems via the Modbus protocol

Researchers discovered FrostyGoop, a new piece of malware that targeted industrial control systems, leading to a disruption in heating services in Ukraine in January 2024. This malware is the first of its kind that allows threat actors to communicate directly with operational technology systems through the widely used Modbus protocol. The attack specifically targeted a district energy company in Lviv, resulting in nearly 600 apartment buildings losing heat during sub-zero temperatures. FrostyGoop allowed attackers to manipulate and send unauthorized commands to the ICS devices, causing disruptions in the heating system.

Key Points:

  • Researchers identified FrostyGoop as the first ICS malware that communicates via the Modbus protocol
  • The attack in Ukraine disrupted heating services in 600 buildings, causing significant inconvenience
  • FrostyGoop allowed attackers to interact directly with operational technology systems, highlighting the potential risks for ICS environments
  • The malware was used to trigger inaccurate measurements in the heating system controllers, resulting in cold water being pumped to apartments

Full Article:

Researchers discovered a novel ICS malware named FrostyGoop that sabotaged water-heating services in Ukraine by targeting industrial control systems through the Modbus protocol. This attack, which occurred in January 2024, disrupted heating services in nearly 600 apartment buildings in Lviv, leading to cold water being pumped to residents during sub-zero temperatures. FrostyGoop allowed threat actors to interact directly with operational technology systems, posing a significant risk to ICS environments.

The malware, written in Golang and compiled for Windows, enabled attackers to manipulate inputs, outputs, and configuration data in ICS devices through Modbus TCP over port 502. By sending unauthorized commands to victim systems, the attackers were able to cause inaccurate measurements and system malfunctions in the heating controllers, resulting in a loss of heating for customers. The incident response team had to work for nearly two days to rectify the issue and restore the hot water supply.

Dragos researchers recommended implementing network segmentation, continuous monitoring, secure remote access, risk-based vulnerability management, and strong incident response capabilities to protect ICS environments from such malware attacks. The lack of network segmentation allowed the threat actors to move laterally in the energy company’s network, eventually reaching the heating system controllers and causing disruptions without destroying the controllers themselves. FrostyGoop poses a serious threat to industrial operations and public safety, signaling the importance of securing ICS environments against such attacks.
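The two paragraphs above describe the attack mechanism (unauthorized Modbus TCP writes over port 502 to the heating controllers) and the recommended defence (network segmentation plus continuous monitoring). The following is an added example, not code from the article or from Dragos, of what the monitoring side can look like in practice: a small Modbus/TCP frame inspector that parses the MBAP header and PDU and raises an alert whenever a state-changing (write) function code arrives from a host that is not on an allowlist of engineering workstations. The sample frames, IP addresses and the allowlist are constructed for illustration; the function codes and header layout are the standard Modbus/TCP ones.

```python
"""Added example, not from the article or from Dragos: a minimal Modbus/TCP
frame inspector that flags state-changing (write) requests to port 502
from hosts outside an allowlist of engineering workstations.
All sample frames and host addresses below are constructed for illustration."""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Standard Modbus function codes that alter coils or registers.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src: str            # client IP that sent the frame
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes      # PDU data after the function code


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus PDU; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(src, tid, unit, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Decode the target address/value for the common write function codes."""
    if req.function in (0x05, 0x06) and len(req.payload) >= 4:
        addr, value = struct.unpack(">HH", req.payload[:4])
        return f"address {addr} value {value}"
    if req.function in (0x0F, 0x10) and len(req.payload) >= 4:
        start, qty = struct.unpack(">HH", req.payload[:4])
        return f"start {start} quantity {qty}"
    return "payload " + req.payload.hex()


def audit(frames, allowlist):
    """Return alert strings for write requests from hosts not on the allowlist,
    plus one alert per malformed frame (which a sensor should also surface)."""
    alerts = []
    for src, frame in frames:
        try:
            req = parse_modbus_tcp(src, frame)
        except ValueError as err:
            alerts.append(f"{src}: malformed Modbus frame ({err})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowlist:
            alerts.append(
                f"{src}: {WRITE_FUNCTIONS[req.function]} (0x{req.function:02X}) "
                f"to unit {req.unit_id}, {describe_write(req)}"
            )
    return alerts


# Constructed sample traffic (MBAP header + PDU) as a passive sensor on the
# OT segment might see it: one read from the HMI, two writes from a host
# that has no business talking Modbus to the controllers.
SAMPLE_FRAMES = [
    # HMI: Read Holding Registers, unit 1, start 0, count 10
    ("10.10.1.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # unexpected host: Write Single Register, unit 1, address 16, value 100
    ("192.168.50.23", bytes.fromhex("0002 0000 0006 01 06 0010 0064")),
    # unexpected host: Write Multiple Registers, unit 1, start 16, 2 registers
    ("192.168.50.23", bytes.fromhex("0003 0000 000b 01 10 0010 0002 04 0001 0002")),
]
ENGINEERING_HOSTS = {"10.10.1.5", "10.10.1.6"}  # constructed allowlist

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES, ENGINEERING_HOSTS):
        print("ALERT", line)
```

Running the block prints two alerts for the writes from 192.168.50.23 and nothing for the HMI read. In a real deployment the frames would come from a span port or a network sensor on the OT segment rather than a hard-coded list, and the allowlist would be derived from the engineering workstations that are legitimately permitted to write to controllers; the point of the example is that Modbus carries no authentication, so the only signals available are the source host and the function code, which is exactly why the segmentation and monitoring recommendations above matter.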

