Discover how the FrostyGoop malware disrupted heating systems in Ukraine and the implications for industrial control systems worldwide. Learn key insights on securing your OT environment

Continue reading
In January 2024, the FrostyGoop malware inflicted significant damage on a district energy company in Lviv, Ukraine. This attack led to a two-day heating outage affecting hundreds of apartment buildings. The malware targeted temperature controllers, causing them to misread ambient temperatures and fail to provide adequate heating during harsh winter conditions.
FrostyGoop exploits the Modbus TCP protocol, a common communication method in operational technology (OT) environments. The malware alters temperature readings by manipulating this protocol, tricking controllers into misreporting temperatures. This results in cold water being pumped into buildings instead of heated water.
The Cyber Security Situation Center (CSSC), part of Ukraine’s Security Service, was actively instrumental in identifying and investigating this wide-scale attack. They shared critical details with Dragos, a leading operational technology defense vendor. Dragos then published a comprehensive report [PDF] on FrostyGoop. This report highlights that FrostyGoop is the first malware to exploit the industrial Modbus protocol in such a direct manner. Additionally, it is only the ninth piece of malware discovered that specifically targets industrial control systems (ICS) devices.
Modbus TCP, operating over port 502, is a widely used protocol in ICS environments. Unfortunately, its lack of robust security features makes it susceptible to attacks like FrostyGoop.
import modbus_tk
import modbus_tk.defines as defines
from modbus_tk import modbus_tcp
server = modbus_tcp.TcpServer()
server.start()
# Create a slave
slave = server.add_slave(1)
slave.add_block('block1', defines.HOLDING_REGISTERS, 0, 10)
# Write to a holding register
slave.set_values('block1', 0, [1234])
# Read from a holding register
print(slave.get_values('block1', 0, 10))This code demonstrates how Modbus TCP facilitates communication with ICS devices. FrostyGoop leverages this protocol's weaknesses to execute its payload.
FrostyGoop is written in Golang and communicates with ICS devices using Modbus TCP. The malware employs two JSON-formatted configuration files:
This setup allows FrostyGoop to execute commands immediately or schedule them later.
On April 17, 2023, attackers exploited a vulnerability in a Mikrotik router, gaining access to the energy provider's network. They deployed a web shell to facilitate data transfer and further network access.
By November 2023, attackers had stolen crucial security credentials. On January 22, 2024, they used a Layer Two Tunneling Protocol (L2TP) connection to launch the FrostyGoop attack from a remote Moscow-based IP address.
The Modbus protocol's inherent security flaws make it a prime target for attacks. The lack of authentication and encryption in Modbus TCP allows malware like FrostyGoop to exploit exposed devices.
Organizations managing ICS environments should review and enhance their security practices. Implement the recommended mitigations to protect against threats like FrostyGoop.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.