New ICS-Focused Malware Discovered Targeting Ukrainian Energy Firm
Cybersecurity experts have identified a new strain of malware, named FrostyGoop, the ninth known malware family built specifically to target Industrial Control Systems (ICS). The malware has been implicated in a disruptive cyberattack against an energy company in Lviv, Ukraine, which took place earlier this January. According to findings from Dragos, a firm specializing in industrial cybersecurity, FrostyGoop is the first ICS malware observed using Modbus TCP communications directly to disrupt operational technology (OT) networks.
The malware, discovered in April 2024, is primarily coded in Golang and communicates directly with ICS through Modbus TCP on port 502. Researchers Kyle O’Meara, Magpie Graham, and Carolyn Ahlers elaborated in a report shared with The Hacker News, explaining that FrostyGoop can both read and write to ICS device holding registers, which include critical operational inputs, outputs, and configuration data. Its functionality extends to executing commands via command line arguments and employing JSON-formatted configuration files for targeting specific IP addresses and Modbus commands.
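To make the report's description concrete from a monitoring standpoint, the following added example (not code from Dragos or from the article) decodes Modbus TCP request frames of the kind seen on port 502 and flags holding-register writes coming from hosts outside an allowlist of known engineering stations. The source addresses, register numbers, frames and allowlist are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that touch holding registers, the registers the report says FrostyGoop reads and writes
READ_HOLDING = 0x03
WRITE_SINGLE = 0x06
WRITE_MULTIPLE = 0x10
WRITE_CODES = {WRITE_SINGLE, WRITE_MULTIPLE}

@dataclass
class ModbusRequest:
    src: str
    unit_id: int
    function: int
    address: int
    values: list

def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU of a Modbus TCP request."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("malformed MBAP header")
    fc, body = payload[7], payload[8:]
    if fc in (READ_HOLDING, WRITE_SINGLE):       # both carry address + one 16-bit word
        addr, val = struct.unpack(">HH", body[:4])
        return ModbusRequest(src, unit, fc, addr, [val])
    if fc == WRITE_MULTIPLE:                       # address, quantity, byte count, values
        addr, qty, count = struct.unpack(">HHB", body[:5])
        if count != 2 * qty or len(body) < 5 + count:
            raise ValueError("write-multiple byte count mismatch")
        vals = list(struct.unpack(f">{qty}H", body[5:5 + count]))
        return ModbusRequest(src, unit, fc, addr, vals)
    return ModbusRequest(src, unit, fc, 0, [])    # other function codes: not decoded further

def flag_unexpected_writes(frames, allowed_writers):
    """Return one alert per holding-register write from a host not on the allowlist."""
    alerts = []
    for src, payload in frames:
        req = parse_modbus_tcp(src, payload)
        if req.function in WRITE_CODES and req.src not in allowed_writers:
            alerts.append(f"{src} wrote {req.values} to unit {req.unit_id} "
                          f"register {req.address} (fc 0x{req.function:02x})")
    return alerts

# Constructed sample frames (not captured traffic): an HMI read, an HMI write, and a write from an unknown host
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000002")),          # read 2 holding registers at 0
    ("10.0.0.5", bytes.fromhex("000200000006010600100041")),          # HMI writes 0x41 to register 16
    ("10.0.0.99", bytes.fromhex("00030000000b0110001000020400000000")),  # unknown host zeroes registers 16-17
]
ALLOWED_WRITERS = {"10.0.0.5"}
```

Only the third frame produces an alert: reads are ignored, and writes from the allowlisted HMI pass silently.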
During the recent incident, FrostyGoop was reportedly used to compromise ENCO controllers, with initial access likely gained through a vulnerability in a MikroTik router that was exposed to the internet. The attack cut heating to over 600 apartment buildings, causing significant disruption for nearly 48 hours. Researchers indicated that the adversaries sent Modbus commands to the controllers, producing erroneous system measurements and operational failures, and that remediation took almost two days.
Dragos emphasized the severity of FrostyGoop’s capabilities, indicating that it poses a considerable risk to both industrial operations and public safety. The firm noted that over 46,000 ICS devices worldwide are currently exposed to the internet and communicate over the widely-utilized Modbus protocol. The specific targeting of ICS systems through this protocol, combined with the malware’s capacity to interact with various ICS devices, underscores a significant threat to critical infrastructure across multiple sectors.
The implications of this cyberattack reflect broader trends in malicious activity targeting industrial systems. Previous instances include the notorious cases of Stuxnet, Industroyer, and Triton, each revealing sophisticated strategies employed by attackers to disrupt essential services. Cybersecurity professionals reference the MITRE ATT&CK framework to categorize such tactics, identifying potential methods of initial access, exploitation of vulnerabilities, and privilege escalation that may have facilitated this recent breach.
The Security Service of Ukraine has confirmed the incident, detailing the impacts on Lvivteploenerg, the affected energy facility. As organizations increasingly rely on interconnected systems, robust cybersecurity measures are paramount. Experts advise companies to prioritize comprehensive cybersecurity frameworks to safeguard against evolving threats like FrostyGoop and others in the ICS landscape.
In light of these developments, business owners must remain vigilant. The unique challenges posed by such tailored malware highlight the need for ongoing investment in cybersecurity infrastructure and training to mitigate risks associated with emerging threats in the industrial sector.