FrostyGoop: New Malware Freezes Ukrainian Energy Grid
In January, Ukraine faced a cyberattack that left hundreds of residents in Lviv without heating for two days. The perpetrators deployed previously unknown malware, FrostyGoop, that targets industrial control systems (ICS). In a new report, Dragos specialists detailed how the malware operates.
FrostyGoop is the first malware known to directly exploit the Modbus TCP protocol to sabotage operational technology (OT) networks. Dragos first identified it in April 2024. Written in Go, FrostyGoop talks to ICS devices directly over Modbus TCP on port 502. The malware primarily targets Windows systems and abuses ENCO controllers whose port 502 is exposed to the internet.
The malware can read data from and write data to ICS devices, manipulating the registers that hold input and output values as well as configuration information. FrostyGoop reads target IP addresses and Modbus commands from JSON configuration files, and logs results to the console and/or to a JSON file.
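Because the malware's traffic is plain Modbus TCP on port 502, the behaviour described above (an unexpected host issuing write requests to a controller) is something a network monitor can flag. The following is an added example for defenders, not code from Dragos or from the malware itself: it parses the Modbus/TCP MBAP header and the leading PDU fields of each request, and raises an alert when a write function code arrives from a host outside a constructed allowlist of permitted writers, or when the frame is malformed. The allowlist, the controller address 10.0.0.20 and the sample frames are all constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Function codes that change device state, per the public Modbus application
# protocol specification.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Hypothetical allowlist: the only hosts that should ever write to controllers
# (for example the site's SCADA server). A real deployment would take this
# from an asset inventory rather than hard-coding it.
ALLOWED_WRITERS = {"10.0.0.5"}
MODBUS_PORT = 502


@dataclass
class ModbusRequest:
    src_ip: str
    dst_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]
    operand: Optional[int]  # register/coil value for single writes, quantity otherwise


def parse_modbus_tcp(src_ip: str, dst_ip: str, payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the first PDU fields of one request."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header and function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError("protocol identifier %d is not Modbus" % proto_id)
    # The MBAP length field counts the unit id plus the PDU, i.e. everything
    # after the first six bytes; a mismatch means a truncated or crafted frame.
    if length != len(payload) - 6:
        raise ValueError("MBAP length %d disagrees with payload size" % length)
    function_code = payload[7]
    start = operand = None
    # Read and write requests carry a 16-bit start address followed by either
    # a 16-bit value (single writes) or a 16-bit quantity (reads, multi-writes).
    if len(payload) >= 12:
        start, operand = struct.unpack(">HH", payload[8:12])
    return ModbusRequest(src_ip, dst_ip, tid, unit_id, function_code, start, operand)


def assess(req: ModbusRequest) -> List[str]:
    """Return detection findings for one parsed request (empty list = benign)."""
    findings = []
    name = WRITE_FUNCTION_CODES.get(req.function_code)
    if name and req.src_ip not in ALLOWED_WRITERS:
        findings.append(
            "%s -> %s unit %d: %s (fc 0x%02X) to address %s from non-allowlisted host"
            % (req.src_ip, req.dst_ip, req.unit_id, name, req.function_code, req.start_address)
        )
    return findings


def analyze_capture(records: Iterable[Tuple[str, str, int, bytes]]) -> List[str]:
    """records: (src_ip, dst_ip, dst_port, tcp_payload) tuples, one per request."""
    alerts = []
    for src, dst, port, payload in records:
        if port != MODBUS_PORT:
            continue  # only Modbus/TCP is inspected here
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as exc:
            alerts.append("%s -> %s: malformed Modbus/TCP frame (%s)" % (src, dst, exc))
            continue
        alerts.extend(assess(req))
    return alerts


# Constructed sample traffic (not captured data). 203.0.113.7 is a
# documentation-range address standing in for an internet host.
SAMPLE_CAPTURE = [
    # SCADA server reads 10 holding registers starting at address 0: benign
    ("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("00010000000601030000000A")),
    # Internet host writes value 0 to holding register 0x0010: alert
    ("203.0.113.7", "10.0.0.20", 502, bytes.fromhex("000200000006010600100000")),
    # SCADA server writes one register (value 42) at 0x0010: allowed writer
    ("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("00030000000901100010000102002A")),
    # Frame whose MBAP length field (16) does not match its size: alert
    ("203.0.113.7", "10.0.0.20", 502, bytes.fromhex("000400000010010300000001")),
    # Non-Modbus traffic on another port is ignored
    ("10.0.0.5", "10.0.0.20", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for line in analyze_capture(SAMPLE_CAPTURE):
        print("ALERT:", line)
```

The allowlist rule is deliberately coarse: in a plant where only the SCADA server and an engineering workstation should ever issue writes, any write from another source is worth an alert regardless of which register it touches, and the register address in the alert tells the operator what setpoint was targeted.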
The cyberattack targeted a municipal company providing centralized heating to over 600 apartment buildings in Lviv. FrostyGoop altered temperature controller values, resulting in cold water being supplied instead of hot. Residents were left without heating and hot water for nearly 48 hours.
The attackers sent Modbus commands to the ENCO controllers, causing them to report incorrect measurements and to malfunction. It took almost two days to mitigate the attack's effects. Initial access to the systems was likely obtained through a vulnerability in MikroTik routers in April 2023.
Modbus is widely used for client-server communication in industrial networks, and FrostyGoop is not the only malware built to abuse such protocols. In 2022, Dragos and Mandiant disclosed another ICS-targeting malware, PIPEDREAM (INCONTROLLER), which used several industrial network protocols to interact with target systems.
Researchers emphasized that the targeted use of Modbus TCP over port 502, combined with the ability to interact directly with a wide range of ICS devices, poses a significant threat to critical infrastructure across multiple sectors. Organizations must prioritize comprehensive security controls for their critical infrastructure to withstand similar threats in the future.