FrostyGoop malware chills Ukraine by shutting down heat in attack

TLDR:

  • FrostyGoop malware disrupted central heating in Ukraine, leaving residents without heat for 2 days.
  • The malware targeted temperature controllers using the Modbus protocol, affecting more than 600 apartment buildings.

In a cyberattack against a district energy company in Lviv, Ukraine, a previously unseen malware called FrostyGoop was used to disrupt industrial processes, causing a two-day outage of central heating for hundreds of residents during sub-zero temperatures in January 2024. The attack targeted temperature controllers that the municipal district energy company uses to serve more than 600 apartment buildings. The malware altered values on the controllers so that they reported a higher temperature than the actual one, which caused the system to pump cold water instead of heated water into the buildings and left residents without heat and hot water. Security vendor Dragos reported that FrostyGoop is the first malware known to use the Modbus protocol to affect industrial control systems directly and only the ninth malware found to target ICS devices. Multiple FrostyGoop binaries were discovered in April; they are written in Golang for Windows systems and communicate with industrial control systems via Modbus TCP over port 502.

Because the Modbus protocol is widely used in operational technology environments and offers little or no authentication, the malware has the potential to cause significant disruption across many sectors globally. FrostyGoop can send commands to ICS devices and read or write their data over Modbus, with configuration files specifying targets and execution times. The attack on Ukraine's energy provider, in which the attackers gained remote access through an exploited vulnerability in a Mikrotik router, serves as a cautionary tale for securing OT environments. Less than 5% of OT networks are continuously monitored, which highlights the need for better visibility and security measures in industrial control systems. Necessary steps include keeping devices that communicate via Modbus off the internet, securing remote access points with multifactor authentication and VPNs, and monitoring all connections to detect unauthorized access.
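The monitoring step above is the one defenders can act on immediately, because Modbus/TCP itself will never refuse a write. The following Python is an added example, not code from the article or from Dragos: it parses Modbus/TCP request frames as they appear on TCP port 502 (the MBAP header plus the function code and its data) and raises an alert when a write function code comes from a host that is not on an allow-list of engineering stations, or when any Modbus client is not on the list of known HMIs. The IP addresses, allow-lists and the three sample frames are constructed for the demonstration; only the frame layout and function-code numbers come from the public Modbus specification.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Public Modbus function codes from the Modbus Application Protocol specification.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   23: "Read/Write Multiple Registers"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int] = None          # starting coil/register address, if decoded
    values: List[int] = field(default_factory=list)   # values carried by a write

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    # The MBAP length field counts the unit id plus the PDU, i.e. everything
    # after the first six bytes; a mismatch means a truncated or bogus frame.
    if length != len(payload) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    function_code = payload[7]
    data = payload[8:]
    req = ModbusRequest(src, dst, transaction_id, unit_id, function_code)
    if function_code in (1, 2, 3, 4, 5, 6) and len(data) >= 4:
        # Reads carry (address, quantity); single writes carry (address, value).
        req.address, second = struct.unpack(">HH", data[:4])
        if function_code in (5, 6):
            req.values = [second]
    elif function_code == 16 and len(data) >= 5:
        req.address, quantity, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != 2 * quantity or len(data) < 5 + byte_count:
            raise ValueError("write multiple registers: byte count mismatch")
        req.values = list(struct.unpack(">%dH" % quantity, data[5:5 + byte_count]))
    return req


def audit(requests: List[ModbusRequest], allowed_writers: Set[str],
          known_clients: Set[str]) -> List[Tuple[str, str]]:
    """Return (severity, message) alerts: high for writes from hosts that may not
    write, medium for any Modbus client that is not a known HMI/engineering host."""
    alerts = []
    for r in requests:
        name = WRITE_FUNCTIONS.get(r.function_code) or READ_FUNCTIONS.get(
            r.function_code, "function code %d" % r.function_code)
        if r.is_write and r.src not in allowed_writers:
            alerts.append(("high", "%s -> %s unit %d: %s at address %s, values %s, "
                           "from a host not allowed to write"
                           % (r.src, r.dst, r.unit_id, name, r.address, r.values)))
        elif r.src not in known_clients:
            alerts.append(("medium", "%s -> %s: %s from an unknown Modbus client"
                           % (r.src, r.dst, name)))
    return alerts


# Constructed sample traffic (hypothetical addresses, not a real capture).
SAMPLE_FRAMES = [
    # HMI polls 10 holding registers starting at address 0 (function code 3).
    ("10.0.10.5", "10.0.20.7", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Engineering workstation writes value 45 to register 16 (function code 6).
    ("10.0.10.9", "10.0.20.7", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x2d"),
    # Unknown host writes two registers (100, 100) at address 16 (function code 16).
    ("192.0.2.44", "10.0.20.7",
     b"\x00\x03\x00\x00\x00\x0b\x01\x10\x00\x10\x00\x02\x04\x00\x64\x00\x64"),
]
ALLOWED_WRITERS = {"10.0.10.9"}               # engineering workstation (constructed)
KNOWN_CLIENTS = {"10.0.10.5", "10.0.10.9"}    # HMI plus engineering workstation


def parse_sample() -> List[ModbusRequest]:
    return [parse_modbus_tcp(s, d, p) for s, d, p in SAMPLE_FRAMES]


if __name__ == "__main__":
    for severity, message in audit(parse_sample(), ALLOWED_WRITERS, KNOWN_CLIENTS):
        print(severity.upper(), message)
```

In a real deployment the frames would come from a network tap or a flow sensor on the OT segment rather than from a list, and the allow-lists would be the documented set of hosts that are permitted to speak Modbus to each controller; the point is that a write from anywhere else is itself the signal, because the protocol provides no other one.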

While FrostyGoop poses a threat to exposed systems, it may not immediately impact critical networks. Even so, proactive steps are crucial for securing OT environments and preventing the disruptions that similar malware could cause in the future.