Russian Malware Cuts Off Heaters In 600 Apartments During Zero Temperatures

FrostyGoop represents a significant advancement in industrial control systems (ICS) malware, being the ninth ICS-specific threat and the first to leverage Modbus TCP communications for directly impacting Operational Technology (OT). 

When FrostyGoop uses Modbus for enumeration, unlike PIPEDREAM, which was discovered in 2022, it takes a step forward in sophistication by directly impacting OT in its operations as far as ICS attacks are concerned.

FrostyGoop’s ability to directly manipulate OT systems through Modbus TCP signifies a concerning advancement in the sophistication and potential impact of ICS-targeted cyberattacks. 

Cybersecurity researchers at Dragos recently identified Russian FrostyGoop malware that cuts off the heaters in 600 apartment buildings during zero-degree temperatures.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Russian Malware Cuts Off Heaters

Dragos found that FrostyGoop explicitly targets industrial control systems through Windows by exploiting the Modbus TCP communication.

The use of this particular ICS-specific Malware in a cyber attack on a Ukrainian energy company caused heating to go off for two days.

This global targeting capability of the malware is actually urging the upgrade of ICS network monitoring and security capacities.

FrostyGoop’s innovative design, including its employment of configuration files and customizable attacks based on command-line arguments, represents a major shift in targeted ICS threats.

Here below, we have mentioned the capabilities of FrostyGoop:-

  • Accepts optional command line arguments.
  • Uses config files for target IPs and Modbus commands.
  • Communicates with ICS devices using Modbus TCP.
  • Sends Modbus commands to read/modify ICS data.
  • Logs output to the console or JSON file.

FrostyGoop primarily targets industrial control systems via Modbus TCP protocol on port 502. It connects to specified IP addresses, either provided as an execution argument or in a JSON configuration file. 

The malware implements three Modbus commands, and here below we have mentioned them:- 

  • Command Code 3 (Read Holding Registers)
  • Command Code 6 (Write Single Register)
  • Command Code 16 (Write Multiple Holding Registers)

Using a public Go Modbus library, FrostyGoop sends these commands, processes device responses, then closes the connection and exits. 

This allows the malware to read and manipulate data on target devices, potentially disrupting industrial processes.

FrostyGoop malware logs Modbus TCP communications to a console and optionally to a JSON file, recording start time, target IP, and command details. 

It is believed that in January 2024 it was used in an attack on a heating facility in Lviv, Ukraine that resulted in a service outage during freezing temperatures.

This involved exploiting router vulnerabilities, deploying webshell, and compromising ENCO Controllers.

The global threat posed by FrostyGoop’s ability to interact with various ICS devices through Modbus TCP cannot be ignored.

Among other things, this incident highlights the need for strong OT cybersecurity measures like network segmentation and protection of internet-exposed ICS devices.

Recommendations

Here below we have mentioned all the recommendations offered by the researchers:-

  • Implement strong ICS incident response plans with OT-specific processes and frequent exercises.
  • Create a defensible architecture with appropriate network segmentation and industrial DMZs.
  • Rollout continuous monitoring of the ICS network using protocol-aware tools for detecting abnormalities.
  • Enforce safe remote access protocols that include MFA, VPNs, and strict access control measures.
  • Carry out risk-based vulnerability management focusing on ICS components involving localized assessments and mitigation programs.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

The post Russian Malware Cuts Off Heaters In 600 Apartments During Zero Temperatures appeared first on Cyber Security News.