[Cyware] FrostyGoop malware used to shut down heat in Ukraine attack

Summary: FrostyGoop, a new malware targeting industrial control systems (ICS), disrupted heating services in Lviv, Ukraine, during a severe winter, leaving residents without heat for two days. The malware exploits the widely used Modbus protocol, allowing attackers to manipulate temperature controllers remotely.

Threat Actor: Unknown criminal | unknown criminal
Victim: Municipal district energy company | municipal district energy company

Key Point :

  • FrostyGoop alters temperature controller values, causing cold water to be pumped instead of heated water.
  • The malware uses Modbus TCP over port 502, enabling remote access without prior network compromise.
  • Over 46,000 ICS devices worldwide are exposed to the internet and could be vulnerable to similar attacks.
  • Incident responders traced the attack’s initial access to an exploited vulnerability in a Mikrotik router.
  • Mitigation strategies include restricting internet access to Modbus devices and enhancing monitoring of OT networks.

A previously unseen malware, dubbed FrostyGoop, able to disrupt industrial processes was used in a cyberattack against a district energy company in Ukraine last northern winter, resulting in two days without heat for hundreds of people during sub-zero temperatures.

The attack, which began late in January 2024, targeted temperature controllers of a municipal district energy company in Lviv, Ukraine, that supplied central heating to more than 600 apartment buildings. As industrial control system (ICS) attacks go, this was a nasty one.

“What the payload did here was alter the values on these controllers to fool them into thinking the temperature was hotter than it was, and so it would not heat the water,” explained Magpie Graham, technical director at operational technology defense vendor Dragos.

Instead of feeding heated water into the buildings connected to the network, the pump fed cold water into the apartments. Residents were therefore without heat and hot water for almost two days during the frigid climate in January.

“The dwellings of those buildings started to get quite uncomfortable,” Graham noted, during a briefing with reporters.

The Cyber Security Situation Center (CSSC), part of the Security Service of Ukraine, shared details about the incident with Dragos, which today released a report [PDF] about the cyberattack and the new ICS-specific malware. It’s the first to use the industrial Modbus protocol to directly affect such systems, according to the security biz, and only the ninth piece of malware yet found to specifically target ICS devices.

Dragos uncovered multiple FrostyGoop binaries in April. Its malware analysts noted that the attack code is written in Golang for Windows systems, and it communicates directly with industrial control systems using Modbus TCP over port 502.

The abuse of Modbus is intentional. This protocol is widely used across operational technology (OT) environments because it is open and hardware agnostic, allowing for easy communications between programmable logic controllers (PLCs), distributed control systems (DCS), controls, sensors, field devices, and interfaces.

The Modbus protocol is used by hundreds if not thousands of device vendors globally, and “is not very well secured,” Graham noted. “Typically no authentication mechanisms exist, and so a successful communication with the device doesn’t really need anything more than presence on that network to be able to instruct the device in some way.”

Due to this protocol’s pervasive use across products and industrial sectors, in both legacy and modern systems, malware that uses Modbus to communicate with industrial controllers and other OT devices has the potential to cause serious disruption.

Based on the analysis, Dragos assesses with “moderate confidence” that in the Ukraine attack, an unknown criminal used FrostyGoop to target ENCO controllers with TCP port 502 open to the internet. “So no compromise of a network is required,” Graham pointed out. “These are devices that you or I can access, no problem, from the internet.”

However, the threat intel crew surmised that the malware can also wreak havoc on other devices communicating over Modbus TCP – its functionality is not specific to ENCO products.

Using the Modbus protocol, FrostyGoop can send commands, including specifying targets, and also read and write data to ICS devices.

The malware accepts one of two JSON-formatted configuration files with information used to execute commands. One of the files contains device info including IP address, Modbus commands, and Modbus register addresses. The other contains a specific time to begin communicating with the victim device, and the time frame for executing the commands.

“This really demonstrates that this tool can be used in two ways: One in a very tactical way, to launch an attack or interface with devices as they’re discovered in an environment,” Graham noted, “or preparing a larger number of interactions across multiple devices for later use.”

This is troubling because, according to Dragos, more than 46,000 internet-exposed ICS devices communicate over Modbus around the world. The security shop is currently conducting additional research to determine which of these devices are vulnerable to FrostyGoop.

Specific to the Ukraine attack, incident responders say the intruders gained access to the energy provider’s network on April 17, 2023, after exploiting an unknown vulnerability in a Mikrotik router. A few days later, the criminals deployed a web shell similar to ReGeorg and used that access to transfer data into and out of the network.

In November and December 2023, they stole the victim’s Security Account Manager (SAM) registry hive and valid user credentials. On January 22, they used the web shell to create a Layer Two Tunneling Protocol connection to a Moscow-based IP address, and conducted the attack remotely from there.

This also points to a key feature of the malware, according to security analysts. “It interacts with devices remotely. I don’t think it necessarily needs to be deployed to a target environment, which means that you can potentially never see that,” Graham warned.

The big question, of course, is what to do with this information and how to better secure OT environments. First up, ensure devices that communicate over Modbus are not exposed to the internet, and restrict access to those controllers.

There’s also the ongoing challenge of ICS visibility and monitoring. Dragos assess fewer than 5 percent of OT networks are continuously monitored – as the saying goes, you can’t protect what you can’t see.

Specific to FrostyGoop, this malware exploits a vulnerability in a remote access point – something that we’ve seen nation-state crews increasingly invest in as a means to break into critical networks. Deploying multifactor authentication, logging and monitoring all remote connections, and using VPNs to encrypt data in transit can help.

And don’t panic – yet.

“Whilst this is something that has been actively used, we don’t think that this is a very sophisticated capability that’s suddenly going to bring down your power grids, your major industrial facilities right now,” Dragos field CTO Phil Tonkin observed.

FrostyGoop is “very suited to attack the most exposed and low-hanging fruit,” Tonkin added. Specifically, this includes water facilities, renewable energy orgs, and manufacturing companies. “It’s important not to underplay it, but it’s also very important that we don’t think that this is something that is immediately going to bring down a nation’s power grid.” ®

Source: https://www.theregister.com/2024/07/23/frostygoop_ics_malware