
July 24, 2024

‘FrostyGoop’ malware freezes Ukrainian power company


A new malware, dubbed ‘FrostyGoop’, is being blamed for a January 2024 attack on a municipal energy company in Lviv, Ukraine, that left some 600 apartment buildings without heat for almost 48 hours. FrostyGoop is the ninth known ICS-specific malware to be used in the wild, joining the likes of Stuxnet, Havex, and BlackEnergy2.

Discovered in April 2024, FrostyGoop is the first known ICS-specific malware that interacts with Industrial Control System (ICS) devices directly over the Modbus TCP protocol (TCP port 502), reading from and writing to a controller's holding registers. In the Lviv attack, the threat actors likely obtained initial access as early as April 2023 by exploiting a vulnerability in an internet-exposed router. That foothold ultimately allowed them to deploy FrostyGoop in January 2024 and use it to send Modbus commands to the company's ENCO heating controllers, causing inaccurate measurements and system malfunctions.

While FrostyGoop has only been observed in the attack on the Ukrainian municipal energy company, its ability to read or modify data on ICS devices over Modbus matters well beyond that one victim. Modbus has no authentication or integrity protection, so any host that can reach a controller's Modbus port can issue the same read and write commands FrostyGoop does, and more than 46,000 internet-exposed ICS devices communicate using the protocol.

Source: The Hacker News

Analysis

While FrostyGoop has yet to be attributed to a specific threat actor, the group behind it is likely sponsored, if not directly tasked, by the Russian government, given Russia's history of targeting Ukraine's energy sector with cyberattacks.

For example, in December 2015, hackers from Russia's Military Intelligence Directorate (GRU) used BlackEnergy malware (the BlackEnergy 3 variant) to compromise three Ukrainian electricity distribution companies, then used the resulting remote access to their SCADA systems to open breakers and cut power to roughly 225,000 customers. The malware was originally delivered via spearphishing messages with Microsoft Office attachments containing malicious macros.

These types of attacks on Ukraine’s energy sector will likely continue during, and after, Russia’s invasion of Ukraine. Ukraine has been dealing with these attacks since 2015, and as a result, has developed a considerable resiliency.

However, the rest of the world may not be as prepared as Ukraine, which is worrisome considering the large attack surface that the widespread use of Modbus by ICS systems offers threat actors.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities targeting ICSs. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.

Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Given that ICSs are popular targets for hackers, and the vital importance of the industrial processes they control, it's critical to ensure that these systems are patched and assessed regularly for unknown vulnerabilities, misconfigurations, rogue user accounts, and other signs of compromise. It's also vital that ICSs are not exposed to the internet unless there is a legitimate business need to do so, and only after proper controls (IP allowlisting, MFA, firewalls, etc.) are put in place. Because Modbus itself offers no authentication, the protocol-specific controls that matter most are network ones: keep controllers on a segmented OT network, restrict TCP port 502 to the handful of HMI and engineering hosts that need it, and monitor Modbus traffic for write function codes coming from any other source, as well as for unexpected firmware changes on the controllers.
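The following is an added example, not code from the original article, Field Effect, or the Dragos FrostyGoop analysis. It shows both halves of the Modbus TCP exchange described above: it builds Modbus read and write requests (the same Read Holding Registers, Write Single Register and Write Multiple Registers function codes FrostyGoop uses), parses them back out of raw frames, and flags any register write that does not originate from an allowlisted engineering host. The controller address, the allowlist and the sample packets are constructed for illustration.

```python
"""Parse Modbus TCP frames and flag register writes from unexpected hosts.

Added example for this article, not code from the original page, Field Effect
or Dragos.  The controller address, the engineering-workstation allowlist and
the captured payloads below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that read or change holding registers.
READ_HOLDING_REGISTERS = 3
WRITE_SINGLE_REGISTER = 6
WRITE_MULTIPLE_REGISTERS = 16
WRITE_FUNCTIONS = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int        # first register addressed by the request
    values: list        # register values for writes, [] for reads


def build_request(transaction_id, unit_id, function, address, values=(), quantity=1):
    """Encode a Modbus TCP request: 7-byte MBAP header followed by the PDU."""
    if function == READ_HOLDING_REGISTERS:
        pdu = struct.pack(">BHH", function, address, quantity)
    elif function == WRITE_SINGLE_REGISTER:
        pdu = struct.pack(">BHH", function, address, values[0])
    elif function == WRITE_MULTIPLE_REGISTERS:
        body = b"".join(struct.pack(">H", v) for v in values)
        pdu = struct.pack(">BHHB", function, address, len(values), len(body)) + body
    else:
        raise ValueError(f"unsupported function {function}")
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode a Modbus TCP request frame; raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    # The length field counts every byte after itself (unit id + PDU).
    if protocol_id != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length field")
    function = frame[7]
    pdu = frame[8:]
    if function in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        address, second = struct.unpack(">HH", pdu[:4])
        values = [second] if function == WRITE_SINGLE_REGISTER else []
    elif function == WRITE_MULTIPLE_REGISTERS:
        address, quantity, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * quantity or len(pdu) != 5 + byte_count:
            raise ValueError("write-multiple byte count does not match quantity")
        values = list(struct.unpack(f">{quantity}H", pdu[5:]))
    else:
        address, values = 0, []
    return ModbusRequest(transaction_id, unit_id, function, address, values)


def detect_unexpected_writes(packets, allowed_writers):
    """Return one alert string per write request whose source is not an
    allowlisted engineering host.  packets: iterable of (src_ip, dst_ip, payload)."""
    alerts = []
    for src, dst, payload in packets:
        try:
            req = parse_request(payload)
        except ValueError as exc:
            alerts.append(f"{src} -> {dst}: malformed Modbus frame ({exc})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(
                f"{src} -> {dst}: function {req.function} writes {req.values} "
                f"starting at register {req.address} (unit {req.unit_id})")
    return alerts


# Constructed sample traffic toward a hypothetical heating controller at 10.0.1.50.
CONTROLLER = "10.0.1.50"
ENGINEERING_WS = "10.0.1.10"
SAMPLE_PACKETS = [
    # Routine poll from the HMI: read 4 holding registers starting at 0.
    ("10.0.1.20", CONTROLLER, build_request(1, 1, READ_HOLDING_REGISTERS, 0, quantity=4)),
    # Legitimate setpoint change from the engineering workstation.
    (ENGINEERING_WS, CONTROLLER, build_request(2, 1, WRITE_SINGLE_REGISTER, 40, [215])),
    # Bulk write to setpoint registers from a host with no business doing so.
    ("10.0.7.99", CONTROLLER, build_request(3, 1, WRITE_MULTIPLE_REGISTERS, 40, [0, 0, 0])),
]


def run_sample():
    """Run the detector over the constructed packets; returns the alert list."""
    return detect_unexpected_writes(SAMPLE_PACKETS, {ENGINEERING_WS})


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The detector deliberately keys on the function code rather than on any payload signature: FrostyGoop's commands are valid Modbus, so what distinguishes them from normal operation is who is sending writes, not what the bytes look like. In a real deployment the allowlist would be derived from a baseline of the OT network's known HMI and engineering hosts, and the same logic could be fed from a span port or Zeek's Modbus logs instead of constructed frames.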
