ICS malware ‘FrostyGoop’ targets critical infrastructure.


In January 2024, a municipal energy company in Lviv, Ukraine, fell victim to a disruptive cyber attack. Cybersecurity researchers say the attack used what is only the ninth known malware family built specifically for Industrial Control Systems (ICS).


Dragos, an industrial cybersecurity company, named the malware FrostyGoop and describes it as the first known ICS malware that uses Modbus TCP communications to disrupt operational technology (OT) networks. The firm first identified the malware in April 2024.

In a technical report shared with The Hacker News, researchers Carolyn Ahlers, Kyle O'Meara and Magpie (Mark) Graham state that FrostyGoop is ICS-specific malware written in Golang that can interact directly with ICS devices using Modbus TCP over port 502.

The malware is believed to target Windows systems specifically, and it has been used against ENCO controllers that are exposed to the internet on TCP port 502. It has not yet been linked to any previously known threat actor or activity cluster.

FrostyGoop can read from and write to an ICS device's holding registers, which hold input, output and configuration data.

It accepts optional command-line arguments and uses JSON-formatted configuration files to specify target IP addresses and the Modbus commands to send, and it logs its output either to the console or to a JSON file.
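Modbus/TCP carries no authentication or integrity protection, which is why anything that can reach port 502 can read and write a controller's holding registers at will. The following is an added example in Python, not code from the Dragos report or from the malware itself: it decodes Modbus/TCP request frames for the holding-register function codes (0x03 read, 0x06 write single, 0x10 write multiple) and flags write requests to a controller from any host that is not an allowlisted engineering workstation. The IP addresses, the allowlist and the sample frames are constructed for illustration and are hypothetical.

```python
"""Decode Modbus/TCP frames and flag writes to holding registers.

Added example, not code from the Dragos report or from FrostyGoop. Modbus has
no authentication, so the practical control is knowing which hosts are allowed
to issue write function codes. All addresses and frames below are constructed
(hypothetical) sample data.
"""
import struct
from dataclasses import dataclass, field

# Modbus function codes that touch the holding-register (4xxxx) block
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
FC_WRITE_MULTIPLE = 0x10
WRITE_CODES = {FC_WRITE_SINGLE, FC_WRITE_MULTIPLE}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int            # starting register address, 0-based on the wire
    quantity: int           # registers read or written
    values: list = field(default_factory=list)


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc == FC_READ_HOLDING:
        addr, qty = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(tid, unit, fc, addr, qty)
    if fc == FC_WRITE_SINGLE:
        addr, val = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(tid, unit, fc, addr, 1, [val])
    if fc == FC_WRITE_MULTIPLE:
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            raise ValueError("write-multiple byte count inconsistent")
        vals = list(struct.unpack(f">{qty}H", pdu[6:6 + nbytes]))
        return ModbusRequest(tid, unit, fc, addr, qty, vals)
    raise ValueError(f"unsupported function code 0x{fc:02x}")


def build_request(tid, unit, fc, address, values=None, quantity=None) -> bytes:
    """Encode a request; used here only to construct sample traffic."""
    if fc == FC_READ_HOLDING:
        pdu = struct.pack(">BHH", fc, address, quantity)
    elif fc == FC_WRITE_SINGLE:
        pdu = struct.pack(">BHH", fc, address, values[0])
    elif fc == FC_WRITE_MULTIPLE:
        pdu = struct.pack(">BHHB", fc, address, len(values), 2 * len(values))
        pdu += struct.pack(f">{len(values)}H", *values)
    else:
        raise ValueError("unsupported function code")
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def flag_unauthorised_writes(flows, allowed_writers):
    """Return alert strings for holding-register writes from non-allowlisted hosts.

    flows: iterable of (src_ip, dst_ip, dst_port, payload) tuples, e.g. from a
    capture on the OT segment. Reads are routine for HMIs and historians and are
    not alerted on, but every port-502 frame is decoded so undecodable ones are
    reported too.
    """
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != 502:
            continue
        try:
            req = parse_request(payload)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: could not decode Modbus frame ({exc})")
            continue
        if req.function in WRITE_CODES and src not in allowed_writers:
            alerts.append(
                f"{src}->{dst}: unit {req.unit_id} write FC 0x{req.function:02x} "
                f"to holding reg {req.address} x{req.quantity} values={req.values}"
            )
    return alerts


# Constructed sample traffic (hypothetical addresses): a routine HMI read, a
# write from the engineering workstation, a write from an unexpected host, and
# a 0x2B (device identification) request the decoder does not handle.
ALLOWED_WRITERS = {"10.10.1.5"}
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.2.7", 502, build_request(1, 1, FC_READ_HOLDING, 0, quantity=10)),
    ("10.10.1.5", "10.10.2.7", 502, build_request(2, 1, FC_WRITE_SINGLE, 40, values=[850])),
    ("10.10.9.99", "10.10.2.7", 502, build_request(3, 1, FC_WRITE_MULTIPLE, 100, values=[0, 0, 0])),
    ("10.10.9.99", "10.10.2.7", 502, b"\x00\x04\x00\x00\x00\x05\x01\x2b\x0e\x01\x00"),
]

if __name__ == "__main__":
    for line in flag_unauthorised_writes(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(line)
```

Run as a script, the block prints two alerts: the write-multiple to register 100 from the unexpected host, and the undecodable 0x2B frame from the same host. The HMI read and the allowlisted workstation's write are silent. In practice the same logic runs over frames pulled from a span-port capture of the OT segment, and the allowlist comes from a baseline of which hosts have ever legitimately issued function codes 0x06 and 0x10; a write from a new source, or from the internet side of a router, is exactly the behaviour described in this article.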

The target was a municipal district energy company, and the incident left more than 600 apartment buildings without heating for roughly two days.

During a conference call, the researchers said the adversaries probably gained initial access in April 2023 by exploiting an undetermined vulnerability in an internet-facing Mikrotik router.

The adversaries then sent Modbus commands to the ENCO controllers, causing system malfunctions and inaccurate measurements. Remediation took nearly two days.

Although FrostyGoop relies heavily on Modbus for client/server communication, it is not the only ICS malware to have used the protocol.

Another ICS malware family, PIPEDREAM (also known as INCONTROLLER), disclosed by Dragos and Mandiant in April 2022, used multiple industrial network protocols, including OPC UA, Modbus and CODESYS, to interact with devices.

Together with Stuxnet, Havex, Industroyer (also known as CrashOverride), Triton (or Trisis), BlackEnergy2, Industroyer2 and COSMICENERGY, PIPEDREAM brings the count of ICS-specific malware families found in the wild to eight; FrostyGoop is the ninth.

According to Dragos, malware that can read or manipulate data on ICS equipment via Modbus can have dire consequences for both industrial operations and public safety.

According to the researchers, more than 46,000 internet-accessible ICS devices speak this widely used protocol. Because Modbus TCP over port 502 lets an attacker address ICS devices directly and interact with many of them, the risk to critical infrastructure spans several industries.

To protect critical infrastructure from similar threats in the future, organizations should make implementing a thorough cybersecurity framework a top priority.

Update

Recorded Future News has received confirmation from the Security Service of Ukraine (SBU) that Lvivteploenergo, an energy company based in Lviv, had its infrastructure compromised by a cyber attack.
