Novel ICS Malware Sabotaged Water-Heating Services in Ukraine
Newly discovered "FrostyGoop" is the first ICS malware that can communicate directly with operational technology systems via the Modbus protocol.
July 23, 2024
Researchers have tied a January 2024 attack that disrupted heating services in some 600 apartment buildings in Lviv, Ukraine, during sub-zero temperatures to a dangerous new piece of malware designed specifically to target industrial control systems.
The malware, dubbed FrostyGoop by the Dragos researchers who discovered it, is the first known malware that lets threat actors interact directly with operational technology (OT) systems via Modbus, a widely used communication protocol in ICS environments. This makes FrostyGoop especially dangerous because adversaries can use it against virtually any ICS device that communicates over Modbus, Dragos said in a report this week. The security vendor said it was able to find some 46,000 Internet-exposed ICS devices that currently communicate over the protocol. FrostyGoop is only the ninth known malicious tool specifically designed to attack ICS environments.
"Modbus is embedded in legacy and modern systems and nearly all industrial sectors, indicating a wide-ranging potential for disrupting and compromising essential services and systems," Dragos said. "[FrostyGoop] represents a significant risk to the integrity and functionality of ICS devices, with potentially far-reaching consequences for industrial operations and public safety."
Dragos researchers first encountered FrostyGoop binaries in April 2024 when conducting routine triage of suspicious-looking files at a customer location. Their initial analysis suggested the malware was still in the testing stage, but they quickly revised that assessment after Ukraine's Cyber Security Situation Center (CSSC) shared details with Dragos about the January 2024 attack on a district energy company in Lviv.
Hot Water Chilled for Nearly 48 Hours
FrostyGoop, written in Golang and compiled for Windows, allows attackers to interact directly with ICS devices using Modbus TCP over port 502. An attacker deploying the malware can read and manipulate inputs, outputs, and configuration data held in the holding registers of ICS devices. Holding registers are a specific type of data-storage location in industrial systems.
The malware also lets an attacker send unauthorized commands to victim systems.
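As an added defensive example (not code from the Dragos report or the malware), the following Python parses Modbus/TCP request frames as they would appear on port 502 and flags writes to holding registers (function codes 0x06 and 0x10) coming from any host that is not on an allowlist of engineering workstations. The sample frames, IP addresses and allowlist are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Standard Modbus function codes. Writes to holding registers are what
# an attacker uses to change the values a controller acts on.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = (WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS)

@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function: int
    start_register: int
    values: list  # register values carried by write requests

def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    func = pdu[0]
    if func == WRITE_SINGLE_REGISTER:
        addr, val = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(src_ip, tid, unit, func, addr, [val])
    if func == WRITE_MULTIPLE_REGISTERS:
        addr, qty, bytecount = struct.unpack(">HHB", pdu[1:6])
        vals = list(struct.unpack(f">{qty}H", pdu[6:6 + bytecount]))
        return ModbusRequest(src_ip, tid, unit, func, addr, vals)
    if func == READ_HOLDING_REGISTERS:
        addr, _qty = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(src_ip, tid, unit, func, addr, [])
    return ModbusRequest(src_ip, tid, unit, func, 0, [])

def find_unauthorized_writes(frames, allowed_writers):
    """Return write requests to holding registers from hosts not on the allowlist."""
    parsed = (parse_modbus_tcp(src, raw) for src, raw in frames)
    return [r for r in parsed if r.function in WRITE_FUNCTIONS and r.src_ip not in allowed_writers]

# Constructed sample traffic: the HMI reads register 10, then an unknown
# host writes the value 600 to the same register.
SAMPLE_FRAMES = [
    ("10.0.5.10", bytes.fromhex("0001000000060103000a0001")),  # read 1 reg at 10
    ("10.0.5.77", bytes.fromhex("0002000000060106000a0258")),  # write 600 to reg 10
]
ALLOWED_WRITERS = {"10.0.5.10"}
```

In a real deployment the frames would come from a passive tap or span port on the OT segment; a write from an unexpected source, or a value that jumps far outside the process's normal range, is the kind of event this article's remediation advice on continuous monitoring is meant to surface.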
The cyberattack in Ukraine targeted ENCO-branded heating system controllers at a company that manages a service for distributing hot water to residents in some 600 apartments in Lviv. The attackers used FrostyGoop to send Modbus commands to the controllers that triggered inaccurate measurements and system malfunctions. Incident responders had to work nearly two days to subsequently remediate the issue.
"What the payload did was alter values on the controllers to fool them into thinking the temperature of the water was hotter than it was, so it wouldn't heat the water," said Magpie (Mark) Graham, technical director at Dragos, in a conference call. The result was the company ended up pumping cold water to the apartments instead, he said.
Dragos has not been able to tie the attacker to any previously identified threat actor or activity cluster. But the fact that the adversary used cyber means to disrupt hot water supplies, when a kinetic attack could have worked as well, may have to do with Ukraine's defenses being better able to intercept missile attacks from Russia these days, he said.
Dragos's investigation found that the attack began with the threat actors first gaining access to the energy company's network in April 2023 via a still-undetermined vulnerability in an externally facing MikroTik router. During a six-day period between April 20 and April 26, 2023, the attacker deployed a Web shell in the victim environment that they used a few months later to exfiltrate user credentials. In January 2024, the attackers established a connection between the compromised environment and an IP address located in Russia.
Potential for Other Cyberattacks
Because of a lack of network segmentation at the Lviv energy company, the attackers were able to use their initial foothold to move laterally to multiple management servers in the environment and eventually to the company's heating system controllers. As part of the attack chain, the adversaries downgraded the firmware on the controllers to a version not supported by the monitoring system deployed at the facility.
"The adversaries did not attempt to destroy the controllers," Dragos said. "Instead, the adversaries caused the controllers to report inaccurate measurements, resulting in the incorrect operation of the system and the loss of heating to customers."
Graham said it is likely that prior to the attack in Lviv, the threat actors used FrostyGoop to target other controllers with Modbus ports open to the Internet. No network compromise would have been required to gain access to the devices in any instance, he said. "These are devices that you or I could access, no problem, from the Internet right now."
ICS-specific malware tools can be challenging to thwart, but attackers have typically reserved them for highly targeted campaigns. Among the better known malware in this category are Stuxnet, which attackers used to degrade Iran's uranium enrichment facility in Natanz; Industroyer/CrashOverride, which Russia's Sandworm group used in attacks on Ukraine's power grid; and Havex, which targeted SCADA and ICS environments in Europe.
Dragos recommends ICS environments implement five baseline practices to protect their networks from this malware: network segmentation to mitigate damage; continuous monitoring for improved visibility; secure remote access; risk-based vulnerability management; and strong incident response capabilities.