A cybersecurity-in-action warning. In April 2024, FrostyGoop, an ICS malware, was discovered in a publicly available malware scanning repository. FrostyGoop can target devices communicating over Modbus TCP to manipulate control, modify parameters, and send unauthorized command messages. Modbus TCP is a commonly used protocol across all industrial sectors.

The Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine, shared details with Dragos about a cyber attack that impacted a municipal district energy company in Ukraine in January 2024. At the time of the attack, this facility fed over 600 apartment buildings, supplying customers with central heating. Remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures. Dragos assessed that FrostyGoop and internet-exposed ICS devices facilitated this attack. 

Telling manufacturers that their technology systems are vulnerable to attack happens so often as to be almost trite. Yet new vulnerabilities emerge with the regularity of a heartbeat. This attack, perpetrated through Modbus TCP, was detected in Ukraine.

This brief provides a strategic summary of information on this OT threat and attack as reported in Dragos WorldView threat intelligence, with clear guidance for OT asset owners and operators. 

Information provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and analysts who conduct research on adversary operations and their tactics, techniques, and procedures (TTPs). Dragos OT cyber threat intelligence is fully reported in Dragos WorldView threat intelligence reports and is also compiled into the Dragos Platform for threat detection and vulnerability management.

Dragos discovered the FrostyGoop ICS Malware in April 2024. FrostyGoop is the ninth known ICS malware. This malware can interact directly with industrial control systems (ICS) in operational technology (OT) environments using the Modbus protocol, a standard ICS protocol used across all industrial sectors and organizations worldwide.

Additionally, the Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), shared details with Dragos about a disruptive cyber attack on a district energy company in Ukraine, which resulted in a two-day loss of heating to customers. The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions – taking almost two days to remediate the issues. Dragos assesses that FrostyGoop was likely used in this attack. An associated FrostyGoop configuration file contained the IP address of an ENCO control device, leading Dragos to assess with moderate confidence that FrostyGoop was used to target ENCO controllers through Modbus TCP port 502 open to the internet.

We want to express our gratitude to the Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), for its continued commitment to collaborative intelligence sharing and for allowing us to report on the disruptive OT incident impacting communities in Lviv, Ukraine.

Dragos leaves us with a summary of recommended guidance:

  • Identify impacted assets. Access your Asset Inventory and search for ENCO control servers and devices communicating over Modbus.
  • Look for potential malicious behavior. Review the FrostyGoop-specific dashboard to determine if related detections and IOCs have been triggered.
  • Perform a retrospective search for potential malicious behavior across your SiteStore forensics for signs of past activity involving this malware.
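The guidance above, and the report's finding that the controllers were reachable on Modbus TCP port 502 from the internet, both come down to the same two questions about Modbus traffic: which hosts are sending it, and which function codes change controller state. The following Python is an added illustration written for this post; it is not Dragos, ENCO or FrostyGoop code and is not the Dragos Platform dashboard or SiteStore search the bullets refer to. It parses the Modbus/TCP MBAP header, then runs over a set of constructed flow records (the IP ranges, the approved writer host `10.20.30.5`, and every payload are assumptions made for the example) and flags requests arriving from outside the assumed plant ranges, write function codes from hosts not approved to write, and frames whose MBAP length field does not match the payload.

```python
"""Defender-side Modbus/TCP write detection over constructed flow records.

Added illustration for this post (not Dragos, ENCO or FrostyGoop code): a
minimal MBAP header parser plus a pass over sample flows that flags Modbus
reaching a controller from outside the plant network, state-changing
function codes from hosts not approved to write, and malformed frames.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

MODBUS_TCP_PORT = 502

# Function codes that change controller state (Modbus application protocol spec).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Assumptions for the example: the OT address ranges and the one engineering
# host allowed to write to controllers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_WRITERS = {ipaddress.ip_address("10.20.30.5")}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]  # first register/coil address, if the PDU carries one


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the function code of a Modbus/TCP request.

    MBAP layout: transaction id (2), protocol id (2, always 0), length (2)
    covering unit id + PDU, unit id (1). A length mismatch is reported as
    malformed rather than silently skipped.
    """
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match payload ({len(payload) - 6})")
    fc = payload[7]
    # Read and write PDUs carry a 16-bit start address right after the function code.
    start = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return ModbusRequest(tid, unit, fc, start)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def assess(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> List[str]:
    """Return the reasons a flow deserves attention; an empty list means nothing notable."""
    if dst_port != MODBUS_TCP_PORT:
        return []
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"malformed Modbus/TCP from {src_ip} to {dst_ip}: {exc}"]
    findings = []
    if not is_internal(src_ip):
        findings.append(f"Modbus request to {dst_ip} from non-internal {src_ip}")
    name = WRITE_FUNCTION_CODES.get(req.function_code)
    if name and ipaddress.ip_address(src_ip) not in ALLOWED_WRITERS:
        findings.append(
            f"{name} (fc 0x{req.function_code:02X}) to {dst_ip} unit {req.unit_id} "
            f"addr {req.start_address} from unapproved writer {src_ip}"
        )
    return findings


# Constructed sample flows, not real captures: (src, dst, dst_port, payload).
SAMPLE_FLOWS = [
    # Approved workstation reading 10 holding registers (fc 0x03): normal.
    ("10.20.30.5", "10.20.31.10", 502, bytes.fromhex("00010000000601030000000a")),
    # Approved workstation writing one register (fc 0x06): allowed.
    ("10.20.30.5", "10.20.31.10", 502, bytes.fromhex("0002000000060106000a0001")),
    # Documentation-range source writing a register block (fc 0x10): the pattern to catch.
    ("203.0.113.7", "10.20.31.10", 502, bytes.fromhex("000300000009011000100001020fff")),
    # Not Modbus at all: ignored.
    ("203.0.113.7", "10.20.31.10", 80, b"GET / HTTP/1.0\r\n"),
    # Internal host, but the MBAP length field (0xff) disagrees with the frame.
    ("10.20.30.9", "10.20.31.10", 502, bytes.fromhex("0004000000ff0106000a0001")),
]


def scan(flows=SAMPLE_FLOWS) -> List[str]:
    """Run every flow through assess() and collect the alerts in order."""
    alerts = []
    for src, dst, port, payload in flows:
        alerts.extend(assess(src, dst, port, payload))
    return alerts


if __name__ == "__main__":
    for line in scan():
        print("ALERT:", line)
```

Run as-is, the script reports the external write twice (once for its source, once for the unapproved write) and the malformed frame once, and stays silent on the approved workstation's reads and writes. On a real network the flow records would come from a capture or a network monitoring tool, and the two assumptions at the top, the internal ranges and the approved writers, are exactly the items the first bullet's asset inventory is meant to supply.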