For two days in mid-January, residents of Lviv, Ukraine, endured freezing temperatures without central heating following a cyberattack on the city's municipal energy company. The Ukrainian authorities and security researchers have attributed the incident to a newly identified malware, dubbed FrostyGoop, which specifically targets industrial control systems (ICS).
The cybersecurity firm Dragos released a detailed report on the new malware, which it said it had first detected in April 2024. The malware, said to be the first ICS-specific malware that uses Modbus communications to achieve an impact on operational technology (OT), exploits the Modbus protocol, a widely used communication standard across various industrial sectors. Dragos' analysis suggests that the malware was used in the attack on Lviv’s heating systems, affecting over 600 apartment buildings.
According to the report, FrostyGoop directly interacts with ICS devices via Modbus TCP on port 502. It is designed to target Windows systems, with no antivirus software capable of detecting it at the time of its discovery.
The malware's capabilities include reading and writing to ICS device registers, manipulating inputs, outputs, and configuration data. It also supports command line execution arguments and uses configuration files to specify target IP addresses and Modbus commands, logging its activities to a console or JSON file.
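For defenders, the behaviour described above suggests a simple monitoring check: flag Modbus TCP write requests on port 502 that come from hosts not expected to issue them. The sketch below is an added example, not code from the Dragos report; the function names, the allowlist and the sample traffic (documentation-range addresses) are constructed for illustration.

```python
import struct

# Modbus function codes that change device state (public Modbus specification).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}

def parse_adu(payload: bytes):
    """Parse one Modbus TCP request (7-byte MBAP header + PDU); None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol ID is always 0; the length field counts the unit ID plus the PDU.
    if proto != 0 or length < 2 or len(payload) < 6 + length:
        return None
    pdu = payload[7:6 + length]
    rec = {"tid": tid, "unit": unit, "func": pdu[0], "addr": None, "count": None}
    if pdu[0] in (0x05, 0x06, 0x0F, 0x10) and len(pdu) >= 5:
        addr, second = struct.unpack(">HH", pdu[1:5])
        # For single writes the second field is the value, so one item is written.
        rec["addr"] = addr
        rec["count"] = 1 if pdu[0] in (0x05, 0x06) else second
    return rec

def find_unauthorized_writes(requests, allowed_writers):
    """requests: (src_ip, dst_ip, payload) tuples for client-to-server TCP/502 traffic."""
    alerts = []
    for src, dst, payload in requests:
        rec = parse_adu(payload)
        if rec is None:
            alerts.append((src, dst, "malformed Modbus TCP frame"))
        elif rec["func"] in WRITE_FUNCTIONS and src not in allowed_writers:
            name = WRITE_FUNCTIONS[rec["func"]]
            alerts.append((src, dst, f"{name} addr={rec['addr']} count={rec['count']}"))
    return alerts

# Constructed sample traffic; 192.0.2.0/24 is a documentation range.
SAMPLE = [
    ("192.0.2.5", "192.0.2.50", bytes.fromhex("000100000006010300000002")),  # read
    ("192.0.2.5", "192.0.2.50", bytes.fromhex("00020000000601060010002a")),  # write, allowed host
    ("192.0.2.99", "192.0.2.50", bytes.fromhex("00030000000b0110002000020400010002")),
]

if __name__ == "__main__":
    for alert in find_unauthorized_writes(SAMPLE, allowed_writers={"192.0.2.5"}):
        print(alert)
```
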
The Cyber Security Situation Center (CSSC), part of the Security Service of Ukraine (Служба безпеки України), collaborated with Dragos to investigate the cyberattack. Their findings indicate that the attackers sent Modbus commands to ENCO controllers, leading to inaccurate system measurements and malfunctions. It took nearly two days to restore heating services, the report said.
The investigation also revealed that the attackers likely gained access through a vulnerability in an externally facing MikroTik router. The lack of adequate network segmentation between the router, management servers, and heating system controllers allowed the malware to spread and execute the commands.
“The affected heating system controllers were ENCO Controllers. The adversaries downgraded the firmware on the controllers from versions 51 and 52 to 50, which is a version that lacks monitoring capabilities employed at the victim facility, resulting in the Loss of View. The adversaries did not attempt to destroy the controllers. Instead, the adversaries caused the controllers to report inaccurate measurements, resulting in the incorrect operation of the system and the loss of heating to customers,” Dragos said.
More technical details, along with recommendations on how to enhance OT cybersecurity, can be found in the company’s report.