In January, a devastating cyber attack targeted an energy company in Lviv, Ukraine, marking the first known use of a new malware specifically designed to harm Industrial Control Systems (ICS). The industrial cybersecurity firm Dragos has identified this malware as FrostyGoop. Discovered in April 2024, FrostyGoop stands out as the first malware capable of directly attacking operational technology (OT) networks through Modbus TCP connections.

You might be interested in: Python Repositories at Risk After GitHub Token Leak

What is FrostyGoop?

FrostyGoop is an ICS-specific malware written in the Go programming language. It communicates with ICS devices using Modbus TCP over port 502, as detailed in a technical report by Dragos researchers Kyle O’Meara, Magpie (Mark) Graham, and Carolyn Ahlers. This malware was initially designed to infect Windows computers but has been repurposed to target ENCO controllers that have TCP port 502 open to the internet. No known threat actors or activity clusters have been linked to FrostyGoop so far.

How FrostyGoop Operates

FrostyGoop is capable of reading and writing data to an ICS device’s registers, which include inputs, outputs, and configuration details. The malware allows for command line execution, setting destination IP addresses, and Modbus commands using JSON-formatted configuration files. It can log output data to either a terminal or a JSON file. The attack on the energy company in Lviv caused a nearly 48-hour heating service outage affecting over 600 residential buildings.

The Attack on Lviv’s Energy Company

The attackers managed to send Modbus commands to ENCO controllers, leading to incorrect readings and system malfunctions. Researchers believe that initial access was likely gained by exploiting a vulnerability in Mikrotik routers back in April 2023. The disruption resulted from transmitted Modbus orders causing faulty measurements and system failures, requiring almost two days for remediation.

FrostyGoop and Other ICS Malware

FrostyGoop’s use of the Modbus protocol for client/server communication is notable but not unique. In 2022, Dragos and Mandiant reported on another ICS malware named PIPEDREAM (also known as INCONTROLLER), which interacted with various industrial network protocols such as OPC UA, Modbus, and CODESYS. FrostyGoop is now the ninth known malware targeting ICS, joining the ranks of Stuxnet, Havex, Industroyer (CrashOverride), Triton (Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.

Implications and Recommendations

The ability of FrostyGoop to manipulate data on ICS devices via Modbus presents serious risks to industrial operations and public safety. Dragos highlighted that over 46,000 internet-connected ICS devices communicate using this widely adopted protocol. The study emphasizes the critical need for organizations to implement robust cybersecurity frameworks to protect critical infrastructure from similar threats.

Conclusion

The discovery of FrostyGoop underscores the growing threat to industrial control systems worldwide. As cyber threats evolve, it is essential for companies and public services to prioritize cybersecurity measures to safeguard against future attacks. Implementing comprehensive protection strategies is vital to ensuring the safety and reliability of critical infrastructure.