May 2, 2025

Russian hackers turned off heating systems in 600 Ukrainian homes in winter – Dragos investigation

  • July 24, 2024

According to the report, the FrostyGoop malware can attack industrial control systems (ICS) and cause them to malfunction, for example turning off the heat and hot water in the middle of winter. Experts claim that this is exactly what happened in January 2024, when more than 600 residents of apartments in Lviv were left without heating for two days amid freezing temperatures.

Dragos says FrostyGoop is the ninth known malware designed to attack industrial controllers. It is also the first program to specifically target Modbus, a widely used communications protocol invented in 1979. Modbus is frequently used in industrial environments, including in Ukraine.

The Ukrainian Cybersecurity Situation Center shared information about the attack with Dragos in April after first discovering the malware. The code, written in Golang (the Go programming language developed by Google), interacts directly with industrial control systems through an open Internet port (502).

  • The analysis showed that the attackers likely gained access to Lviv’s industrial network as early as April 2023.
  • Dragos says they did this by “exploiting an unspecified vulnerability in an external Mikrotik router.”
  • They then installed a remote access tool that eliminated the need to install the malware locally, preventing it from being detected.
  • The attackers updated the controller’s firmware to a version that lacked tracking capabilities, helping them cover their tracks.
  • Rather than disabling the systems, the hackers caused the controllers to report faulty readings, resulting in heat loss amid the freezing cold.

The traces of this cyberattack, as stated, lead to “Moscow IP addresses.” The company warns that FrostyGoop could be used to disable similar systems around the world, given how prevalent the Modbus protocol is in industrial environments.
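
A defender-side check for the exposure described above, as an added example that is not from the article or from Dragos: it parses Modbus/TCP requests seen on port 502 and flags clients that are outside the control network or not on an allowlist, in particular when they send write commands. The network range, the allowlisted address and the sample frames are constructed assumptions; the function codes are the standard Modbus ones.

```python
import ipaddress
import struct

MODBUS_PORT = 502
# Standard Modbus function codes that change controller state.
WRITE_FUNCTIONS = {
    5: "write single coil", 6: "write single register",
    15: "write multiple coils", 16: "write multiple registers",
    22: "mask write register", 23: "read/write multiple registers",
}
# Assumptions for this example: the control network range and the one host
# (e.g. a SCADA server) that is expected to speak Modbus to the controllers.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_MASTERS = {ipaddress.ip_address("10.20.0.10")}


def parse_request(payload: bytes):
    """Parse a Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"transaction": tid, "unit": unit, "function": payload[7]}


def review_flow(src_ip: str, dst_port: int, payload: bytes):
    """Return findings for one client-to-controller TCP payload."""
    if dst_port != MODBUS_PORT:
        return []
    src = ipaddress.ip_address(src_ip)
    allowed = src in ALLOWED_MASTERS
    findings = []
    if src not in CONTROL_NET:
        findings.append("port 502 reached from outside the control network")
    if not allowed:
        findings.append(f"Modbus client {src_ip} is not an allowlisted master")
    req = parse_request(payload)
    if req is None:
        findings.append("malformed Modbus/TCP frame")
    elif not allowed and req["function"] in WRITE_FUNCTIONS:
        findings.append(f"{WRITE_FUNCTIONS[req['function']]} sent to unit {req['unit']}")
    return findings


# Constructed sample frames (not captured traffic).
READ_HOLDING = bytes.fromhex("000100000006010300000002")    # function 3
WRITE_REGISTER = bytes.fromhex("00020000000601060010ffff")  # function 6
```

Fed from a network tap or firewall payload log, any finding for a source outside the control network means port 502 is reachable from where it should not be.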

Source: 24 Tv
