FrostyGoop Leverages Modbus TCP to Exploit Sensitive OT Systems


Summary

Security researchers have unveiled a new malware strain designated FrostyGoop, which directly targets industrial control systems (ICS). Discovered by Dragos in April 2024, FrostyGoop interacts with ICS devices over Modbus, a widely used industrial protocol that carries no authentication. The malware was linked to a cyber-attack on a district energy company in Lviv, Ukraine, which caused a roughly two-day heating outage for over 600 apartment buildings.

Regional and Community Impact

Russia has been heavily targeting Ukrainian critical infrastructure with both cyberattacks and missiles. As a result of these attacks, Ukraine’s energy sector has suffered $56 billion in losses, forcing the country to introduce scheduled power outages lasting up to six hours several times a day, leaving people without electricity, internet and often gas and water. Kremlin-backed hacker groups have previously targeted Ukrainian energy facilities with disruptive cyberattacks, causing even more harm. Ukrainian state officials previously said that Russia is coordinating its missile strikes with cyberattacks, including when targeting energy facilities. Researchers found that Sandworm, in particular, has coordinated the timing of its cyberattacks with conventional military activity, such as kinetic strikes or other forms of sabotage.

According to a Dragos report released in July 2024, the malware’s discovery underscores the need for ICS network visibility and, specifically, monitoring of Modbus traffic for deviations from normal behavior. Modbus has no authentication or integrity protection, so any host that can reach a device on TCP port 502 can read and write its registers; this is what makes the protocol usable by malware such as FrostyGoop, and it is why network segmentation and monitoring matter more than patching. Because Modbus is implemented by devices across many sectors, FrostyGoop’s technique is not specific to district heating and represents a risk to critical infrastructure globally. RH-ISAC members who operate ICS in their environments are encouraged to inventory the systems that currently speak Modbus and apply the Dragos mitigations summarized below.

Background and Mitigations

FrostyGoop directly interacts with ICS devices via Modbus TCP over port 502 and was used in a disruptive cyber-attack on a district energy company in Lviv, Ukraine, causing a two-day heating outage for over 600 apartment buildings. The investigation of the Lviv attack found that the adversaries gained access to the network by exploiting a vulnerability in an externally facing Mikrotik router and then deployed a webshell with tunneling capabilities. From that foothold they sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions. FrostyGoop can read from and write to ICS device registers and logs its output to the console or to a JSON file. It uses separate configuration files to specify the target IP addresses and the Modbus commands to issue, so the same binary can be pointed at any Modbus device.

Dragos recommends implementing the SANS 5 Critical Controls for World-Class OT Cybersecurity: ICS incident response, a defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management. These controls help mitigate the risks posed by malware like FrostyGoop. The Dragos report additionally contains seven IDS rules for Modbus traffic.
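The monitoring recommendation above, and the read/write behavior over TCP port 502 described in the background section, come down to one thing in practice: parsing Modbus/TCP requests and flagging function codes, sources and unit IDs that were not seen during a known-good baseline period. The following is an added example written for this page, not code from Dragos, from the FrostyGoop sample or from the report's IDS rules. The IP addresses, the baseline and the four sample frames are constructed; the frame layout follows the public Modbus/TCP specification (MBAP header followed by a PDU).

```python
"""Modbus/TCP request parser and a baseline-deviation detector.

Added example: not code from Dragos or from the FrostyGoop sample.
Sample traffic, IP addresses and the baseline below are constructed.
"""
import struct
from dataclasses import dataclass

# Public function codes from the Modbus Application Protocol specification.
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FCS = {5, 6, 15, 16}   # anything here changes process state

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int    # starting coil/register address
    quantity: int   # items addressed (1 for single writes)
    values: bytes   # raw write payload, empty for reads

def build_adu(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """MBAP header (tid, protocol 0, length, unit) followed by PDU (fc, data)."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(data), unit, fc) + data

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request ADU; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # MBAP length counts the unit id and the whole PDU, so ADU = 6 + length.
    if len(frame) != 6 + length:
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[8:]
    if fc in (1, 2, 3, 4):
        addr, qty = struct.unpack(">HH", pdu[:4])
        return ModbusRequest(tid, unit, fc, addr, qty, b"")
    if fc in (5, 6):
        addr = struct.unpack(">H", pdu[:2])[0]
        return ModbusRequest(tid, unit, fc, addr, 1, pdu[2:4])
    if fc in (15, 16):
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if len(pdu) != 5 + nbytes:
            raise ValueError("byte count does not match payload")
        return ModbusRequest(tid, unit, fc, addr, qty, pdu[5:])
    raise ValueError(f"function code {fc} not handled")

def detect_deviations(records, baseline):
    """records: (src_ip, dst_ip, adu) tuples. baseline: set of
    (src_ip, dst_ip, unit_id, function_code) learned in a known-good window.
    Returns alert strings; unbaselined writes and malformed frames rank HIGH."""
    alerts = []
    for src, dst, frame in records:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"[HIGH] {src}->{dst}: malformed Modbus/TCP ({exc})")
            continue
        if (src, dst, req.unit_id, req.function_code) in baseline:
            continue
        sev = "HIGH" if req.function_code in WRITE_FCS else "MEDIUM"
        name = FC_NAMES.get(req.function_code, f"fc {req.function_code}")
        alerts.append(f"[{sev}] {src}->{dst} unit {req.unit_id}: unbaselined "
                      f"{name} addr={req.address} qty={req.quantity} "
                      f"values={req.values.hex() or '-'}")
    return alerts

# Constructed sample: one legitimate HMI poll, then three requests from a
# host absent from the baseline (reads followed by register writes from an
# unexpected source, the pattern described for FrostyGoop).
HMI, PLC, INTRUDER = "10.0.1.10", "10.0.2.50", "10.0.9.77"
SAMPLE_TRAFFIC = [
    (HMI, PLC, build_adu(1, 1, 3, struct.pack(">HH", 0, 10))),         # read 10 holding regs
    (INTRUDER, PLC, build_adu(2, 1, 4, struct.pack(">HH", 0, 4))),     # read 4 input regs
    (INTRUDER, PLC, build_adu(3, 1, 6, struct.pack(">HH", 0x10, 0))),  # write reg 0x10 := 0
    (INTRUDER, PLC, build_adu(4, 1, 16, struct.pack(">HHB", 0x20, 2, 4) + bytes(4))),
]
BASELINE = {(HMI, PLC, 1, 3)}   # the HMI polling holding registers is normal

def run_demo():
    return detect_deviations(SAMPLE_TRAFFIC, BASELINE)

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run against the constructed traffic, the HMI poll is silent and the three intruder requests produce one MEDIUM alert (a read from an unknown source) and two HIGH alerts (writes). The baseline is deliberately keyed on source, destination, unit ID and function code rather than on IP alone: a compromised engineering workstation or a tunnel through a perimeter router, as in the Lviv case, can originate from an address that is otherwise allowed to talk to the controller, and the function code is what separates polling from a write to a setpoint.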
