A novel malware targeting the popular Modbus industrial communication protocol caused more than 600 apartment buildings in Lviv, Ukraine, to lose heat for two days in January of this year. Security researchers have named the malware FrostyGoop and described it as the first malware strain to directly use Modbus TCP communication to disrupt operational technology networks.
Cybersecurity firm Dragos discovered it in April 2024 and published a technical assessment of the malware. The malware isn’t exactly technically sophisticated, but its focus on once-obscure systems, including ones that run critical infrastructure, makes its attacks significant nonetheless.
The malware is written in Go and uses open-source software libraries, but its creator hasn’t been found yet. It can read from and write to the holding registers of an ICS (industrial control system) device, which contain inputs, outputs and configuration data. It also accepts command line arguments, uses separate configuration files to specify target IP addresses and Modbus commands, and even logs output to a console and/or a JSON file.

Investigation into the attack revealed that the malware infiltrated the victim network as early as ten months earlier, on April 17, 2024, via a vulnerability in an external-facing Mikrotik router. Network assets, including a Mikrotik router (the original point of entry for the attackers), four management servers, and the district heating system controllers, were not adequately segmented within the victim network and were compromised by the attackers to facilitate their attack.
On April 20 and 26, a web shell with tunnel capabilities was deployed. Eight months later, on November 30 and December 14, the threat actors accessed the contents of the Security Account Manager (SAM) registry, obtaining user credentials from the system. Finally, on January 22, they launched the attack from Moscow-based IP addresses.
FrostyGoop’s ability to communicate with ICS devices over the Modbus protocol means trouble for critical infrastructure across multiple sectors, given the popularity of the Modbus protocol. The attack also highlights the need for improved security controls and analytics.
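As an added example, not code from Dragos’s assessment or from the FrostyGoop sample itself, the following Python parses Modbus TCP frames and flags holding-register writes (function codes 6 and 16) coming from hosts outside an allow-list, the kind of network analytic the article calls for. The IP addresses, register addresses and frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that touch holding registers (what FrostyGoop reads and writes).
READ_HOLDING = 0x03
WRITE_SINGLE = 0x06
WRITE_MULTIPLE = 0x10
WRITE_CODES = {WRITE_SINGLE, WRITE_MULTIPLE}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit: int
    function: int
    address: int
    count: int


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse a Modbus TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 and the length field covers unit id + PDU.
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("malformed MBAP header")
    fc = payload[7]
    address = struct.unpack(">H", payload[8:10])[0]
    if fc in (READ_HOLDING, WRITE_MULTIPLE):
        count = struct.unpack(">H", payload[10:12])[0]  # register quantity
    elif fc == WRITE_SINGLE:
        count = 1
    else:
        count = 0
    return ModbusRequest(src, dst, unit, fc, address, count)


def find_unauthorized_writes(frames, allowed_writers):
    """Return alert strings for register writes from hosts not on the allow-list."""
    alerts = []
    for src, dst, payload in frames:
        req = parse_modbus_tcp(src, dst, payload)
        if req.function in WRITE_CODES and req.src not in allowed_writers:
            alerts.append(f"{req.src} -> {req.dst} unit {req.unit}: FC {req.function:#04x} "
                          f"write at register {req.address} (count {req.count})")
    return alerts


# Constructed sample frames (not real captures): an HMI read, an HMI write, and a
# write to the same controller from a host that should never issue writes.
SAMPLE_FRAMES = [
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("000100000006" "01" "03" "0000" "000A")),
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("000200000006" "01" "06" "0010" "0190")),
    ("10.0.0.99", "10.0.1.20", bytes.fromhex("000300000009" "01" "10" "0010" "0001" "02" "0000")),
]
ALLOWED_WRITERS = {"10.0.0.5"}  # constructed: the engineering workstation / HMI
```

Running `find_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS)` yields a single alert for the 10.0.0.99 write; the same check can be fed from a packet capture of TCP port 502 traffic.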