Hackers Froze Ukrainian Heating Systems in Winter
ICS-Specific Malware Uses Modbus Protocol for Disruptive Attacks
Hackers used novel malware to knock out the heating system for 600 apartment buildings during the winter in Ukraine, in a development that poses a wider threat for critical infrastructure. Cybersecurity researchers at Dragos on Tuesday dubbed the new malware "FrostyGoop" and said that its January deployment caused civilians to endure approximately two days of temperatures below freezing. The operational technology cybersecurity firm doesn't attribute the attack - although Ukraine is well into its third year of repelling Russian invaders who have attacked energy facilities (see: Ukrainian Energy Sector Under Cyber Siege by Russian Hackers).
The Cyber Security Situation Center in Ukraine said that FrostyGoop was used in a cyberattack on an energy facility in the western Ukrainian city of Lviv. A spokesperson did not provide additional details. Wired reported that Dragos' description of the attack closely matches a January outage at the Lvivteploenergo utility, leading to a reported loss of heating and hot water for 100,000 people. Lviv Mayor Andriy Sadovyi said on Telegram at the time that authorities suspected "outside interference."
Hackers likely gained access to the victim network through an "undetermined vulnerability in an externally facing router," Dragos said. Hackers could access ENCO system controllers manufactured by Lithuanian firm Axis Industries due to a lack of network segmentation.
Unlike other malware developed for industrial control systems, FrostyGoop can interact directly with operational technology using the standard network protocol known as Modbus TCP. "The potential to interact directly with various ICS devices poses a serious threat to critical infrastructure across multiple sectors," the researchers said.
Dragos' principal adversary hunter Mark "Magpie" Graham said that the firm has identified at least 40 ENCO controllers in Europe exposed to the open internet, making them vulnerable to similar attacks. These devices, along with over 46,000 exposed Modbus TCP devices worldwide, could be manipulated by malicious actors to modify parameters and send unauthorized commands.
Attackers likely gained access to the targeted network in April 2023 and continued to access the network before shutting off power on Jan 22. Dragos found that the hackers connected using IP addresses based in Moscow.
FrostyGoop can read and write to an ICS device's holding registers, which contain inputs, outputs and configuration data.
The malware is written in Golang and compiled for Windows systems. It accepts optional command-line execution arguments and uses separate configuration files to target IP addresses and Modbus commands, logging output to a console or JSON file.
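As an added defensive illustration (not Dragos' code, and not part of the original article), the following parser decodes Modbus/TCP request frames, picks out holding-register writes (function codes 6 and 16, the operations the text describes), and flags any write that comes from a host not on a site allowlist. The source addresses, register numbers and frame bytes are constructed sample data.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that touch holding registers
READ_HOLDING = 0x03
WRITE_SINGLE = 0x06
WRITE_MULTIPLE = 0x10
WRITE_CODES = {WRITE_SINGLE, WRITE_MULTIPLE}

@dataclass
class ModbusRequest:
    src: str            # client IP as seen by a passive sensor (assumed to be available)
    unit_id: int
    function: int
    address: int        # starting holding-register address
    values: list        # register values for writes; empty for reads

def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request ADU (7-byte MBAP header + PDU); raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    _tid, proto, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:            # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[8:]
    if fc == READ_HOLDING:
        address, _qty = struct.unpack(">HH", pdu[:4])
        return ModbusRequest(src, unit_id, fc, address, [])
    if fc == WRITE_SINGLE:
        address, value = struct.unpack(">HH", pdu[:4])
        return ModbusRequest(src, unit_id, fc, address, [value])
    if fc == WRITE_MULTIPLE:
        address, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * qty or len(pdu) < 5 + byte_count:
            raise ValueError("write-multiple byte count inconsistent with quantity")
        values = list(struct.unpack(f">{qty}H", pdu[5:5 + byte_count]))
        return ModbusRequest(src, unit_id, fc, address, values)
    return ModbusRequest(src, unit_id, fc, 0, [])   # other function codes: not inspected here

def flag_unauthorized_writes(frames, allowed_writers):
    """Return the register-write requests whose source is not on the allowlist."""
    alerts = []
    for src, frame in frames:
        req = parse_modbus_tcp(src, frame)
        if req.function in WRITE_CODES and src not in allowed_writers:
            alerts.append(req)
    return alerts

# Constructed sample traffic (not a real capture): an HMI read, an HMI write, a write from an unknown host.
SAMPLE_FRAMES = [
    ("10.0.0.5",    bytes.fromhex("000100000006010300 0a0002".replace(" ", ""))),  # read 2 regs at 10
    ("10.0.0.5",    bytes.fromhex("000200000006010600100064")),                     # write 100 to reg 16
    ("203.0.113.7", bytes.fromhex("00030000000b0110001000020400000000")),           # write 0,0 to regs 16-17
]
ALLOWED_WRITERS = {"10.0.0.5"}
```

Run against a live tap, the allowlist would hold the engineering workstation and HMI addresses that are expected to write; everything else writing registers is worth an alert.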
FrostyGoop is the ninth known malware specifically for industrial control systems, according to Dragos. Warnings about operational technology's exposure to mounting risk have increased in tandem with Russia's push to conquer Ukraine. Europe's security agency in 2022 warned that state-backed hacking groups will pay more attention to operational technology as geopolitics influences the cyberthreat landscape. The risk isn't confined to Europe. U.S. officials said earlier this year that a Chinese hacking group tracked as Volt Typhoon was likely pre-positioning itself to launch destructive cyberattacks (see: Here's How the FBI Stopped a Major Chinese Hacking Campaign).