Simple ‘FrostyGoop’ malware responsible for turning off Ukrainians’ heat in January attack
Malware targeting the widely-used Modbus industrial communication protocol was responsible for more than 600 apartment buildings in Ukraine losing heat for two days in January, according to a new report by cybersecurity firm Dragos.
The malware, which Dragos has named FrostyGoop, uses Modbus to give attackers a way to interact with, and further attack, industrial control systems (ICS). Dragos said it was able to determine FrostyGoop was responsible for the outage when the Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine, shared information related to an attack targeting a municipal energy company in Lviv.
Dragos says FrostyGoop is the first ICS-focused malware that uses the Modbus protocol to cause a physical disruption to operational technology (OT).
It’s not clear who created the malware. Dragos did not attribute FrostyGoop to a particular threat actor. The malware was written in Go and uses other open-source software libraries. The creators of the malware are now being tracked by Dragos as TAT2024-24. The company considers FrostyGoop to be the ninth unique piece of ICS-focused malware used in disruptions or attacks.
While it’s not particularly sophisticated, experts warn FrostyGoop reveals that attackers continue to focus on once-obscure systems and protocols, including those that keep critical infrastructure like electricity and water working.
The attackers are believed to have initially compromised the municipal energy provider’s networks 10 months before the attack, via a vulnerability in a MikroTik router. The attackers then spent the remainder of the year conducting various tasks to set up the attack, including obtaining user credentials for the energy system. It was also discovered that, in the hours before the incident, the attackers were connecting to the energy system’s network from Moscow-based IP addresses.
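Two details above are what a defender can act on: the disruption was carried out over Modbus, and the attacker traffic came from addresses that had no business talking to the heating controllers. The following Python detector is an added example (not code from the article or from the Dragos report): it parses the Modbus/TCP MBAP header and function code of each request and raises an alert for write operations originating from hosts outside an allowlist of expected engineering workstations. The sample frames and IP addresses are constructed for the example.

```python
import struct

# Modbus write function codes: the operations that change controller state.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) and the function code of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # Length counts everything after the length field itself (unit id + PDU).
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def flag_writes(packets, allowed_writers):
    """Return (src_ip, unit_id, operation) for every Modbus write request sent
    by a host that is not in allowed_writers (the HMI/engineering hosts that
    are expected to write to controllers). Malformed frames are skipped."""
    alerts = []
    for src, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError:
            continue
        fc = req["function"]
        if fc in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append((src, req["unit"], WRITE_FUNCTION_CODES[fc]))
    return alerts


# Constructed sample traffic (not from the incident): a read and a write from
# the plant HMI, then a write to the same register from an unexpected host.
SAMPLE_PACKETS = [
    ("10.0.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    ("10.0.1.10", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    ("203.0.113.7", bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
]

if __name__ == "__main__":
    for src, unit, op in flag_writes(SAMPLE_PACKETS, {"10.0.1.10"}):
        print(f"ALERT: {op} to unit {unit} from unexpected host {src}")
```

In a real deployment the packets would come from a span port or a Modbus-aware IDS rather than an inline list, but the allowlist-on-writes logic is the same.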
The attack was launched as Ukraine dealt with a large-scale cyberattack in January that caused issues at the country’s largest oil and gas company and its national post service, among other entities.
“I think it’s very much a psychological effort here, facilitated through cyber means when kinetic perhaps wasn’t here the best choice,” said Mark Graham, technical director and principal adversary hunter at Dragos.
The Security Service of Ukraine did not respond to requests for comment.
The only other hacking unit known to have such an impact on Ukraine’s critical infrastructure is Sandworm, which is run by Russia’s military intelligence agency, the Main Intelligence Directorate. Sandworm has been notorious for taking down Ukraine’s grid multiple times, including most recently in October 2022 when it hacked into an electrical substation.
It’s not often that malware targeting sensitive industrial control networks is discovered. One of the most recent was Pipedream, which experts feared could be the ICS equivalent of Cobalt Strike, a legitimate threat emulation tool that has been co-opted by malicious attackers.
While Pipedream is an incredibly sophisticated tool set, FrostyGoop is a bit different.
“It is a simple tool,” Graham said.
Yet the tool’s simplicity does not make it any less dangerous. Graham warned that it’s getting easier for low-cost attacks to impact industrial systems, regardless of whether they are carried out by state-backed hackers or financially motivated cybercriminals.
“You might not have all of your best malware deployed, but you want to know that at the drop of a hat if you need to operate, you’ve got a way in and you’ve got the capability to do it on a shelf somewhere,” Graham said. “A number of adversaries are now realizing that they also want that capability, just like we’ve seen a number of countries that didn’t necessarily invest in their own malware development, but are customers of those private sector actors.”