FrostyGoop malware infects industrial control systems (OT)

The Dragos OT Cyber Threat Intelligence team identified the FrostyGoop malware, which targets ICS/OT systems, in April 2024. The malware interacts directly with Industrial Control Systems (ICS) in Operational Technology (OT) environments via Modbus TCP, a standard ICS protocol used across industrial sectors worldwide. It was likely used in a cyberattack on a district heating company in Ukraine that cut heating to part of a city.

What are ICS/OT systems?

ICS stands for Industrial Control System, a general term for the systems that monitor and control industrial processes. OT stands for Operational Technology: the hardware and software responsible for directly monitoring and/or controlling industrial plants, systems, processes and events.

Attack on heating system in winter

The latest major incident in which the malware was likely used occurred in the city of Lviv, Ukraine, in January 2024. Heating to over 600 apartment buildings was lost at sub-zero temperatures after the attackers manipulated the heating controllers. A Russian group is suspected to be behind the attack, although it has not been formally attributed.

The attackers sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions. It took the operators almost two days to restore the plant to normal operation. Dragos links FrostyGoop to this attack because one of the FrostyGoop configuration files contained the IP address of an ENCO controller, and the ENCO controllers were reachable from the Internet on Modbus TCP port 502. Dragos therefore assesses that FrostyGoop was used to attack the controllers over that exposed port. The practical point for defenders: Modbus has no authentication or message integrity, so any host that can reach port 502 on a controller can issue the same read and write commands as the legitimate engineering software.

The FrostyGoop malware

Dragos discovered FrostyGoop in April 2024 and describes it as the ninth known ICS-specific malware. Several FrostyGoop binaries were found at the time. The malware is written in Go, compiled for Windows, and interacts directly with ICS devices over Modbus TCP on port 502. At the time of discovery, most antivirus vendors did not flag it as malicious.

FrostyGoop's ability to communicate with ICS devices via Modbus TCP threatens critical infrastructure across sectors. Because Modbus is ubiquitous in industrial environments and is supported by legacy and modern devices alike, the malware can potentially cause disruption in any industrial sector.
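To make the attack surface concrete, here is an added example (not code from Dragos, and not derived from FrostyGoop itself) that builds and decodes the Modbus TCP frames a client uses to read and write holding registers on a controller. The function codes are the standard ones from the Modbus specification (3 read holding registers, 6 write single register, 16 write multiple registers); the unit id, register addresses and values are chosen for illustration only and are not taken from any real configuration.

```python
"""Minimal Modbus/TCP frame builder and decoder (added example; not Dragos's
or FrostyGoop's code).

Modbus/TCP carries a Modbus PDU (function code + data) behind a 7-byte MBAP
header: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
The length field counts the unit id byte plus the PDU. The protocol has no
authentication and no integrity check, so any host that can reach TCP/502 on
a controller can issue the write requests shown here.
"""
import struct

MODBUS_PORT = 502          # standard Modbus/TCP port
FC_READ_HOLDING = 0x03     # read holding registers
FC_WRITE_SINGLE = 0x06     # write single holding register
FC_WRITE_MULTIPLE = 0x10   # write multiple holding registers


def mbap(transaction_id, unit_id, pdu):
    """Prepend the MBAP header; length = unit id byte + PDU bytes."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(tid, unit, address, count):
    """FC 3 request: starting register address and count (1..125)."""
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125")
    return mbap(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, address, count))


def write_single_register(tid, unit, address, value):
    """FC 6 request: write one 16-bit holding register."""
    return mbap(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE, address, value & 0xFFFF))


def write_multiple_registers(tid, unit, address, values):
    """FC 16 request: address, quantity, byte count, then the register values."""
    if not 1 <= len(values) <= 123:
        raise ValueError("1..123 registers per request")
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE, address, len(values), 2 * len(values))
    pdu += b"".join(struct.pack(">H", v & 0xFFFF) for v in values)
    return mbap(tid, unit, pdu)


def parse_frame(frame):
    """Decode MBAP + PDU into the fields a network monitor would log.

    Rejects frames whose protocol id is not 0 or whose MBAP length does not
    match the bytes actually present, before trusting anything in the PDU.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    pdu = frame[7:]
    fc = pdu[0]
    info = {"tid": tid, "unit": unit, "fc": fc, "exception": bool(fc & 0x80)}
    if fc in (FC_READ_HOLDING, FC_WRITE_SINGLE):
        if len(pdu) != 5:
            raise ValueError("malformed FC %d PDU" % fc)
        key = "count" if fc == FC_READ_HOLDING else "value"
        info["address"], info[key] = struct.unpack(">HH", pdu[1:5])
    elif fc == FC_WRITE_MULTIPLE:
        address, quantity, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * quantity or len(pdu) != 6 + nbytes:
            raise ValueError("FC 16 byte count does not match quantity")
        info["address"] = address
        info["values"] = list(struct.unpack(">%dH" % quantity, pdu[6:]))
    return info


def is_write(fc):
    """True for the function codes that change controller state."""
    return fc in (FC_WRITE_SINGLE, FC_WRITE_MULTIPLE)


if __name__ == "__main__":
    # Illustrative values only: unit id 1, register 0x0010, new value 55.
    req = write_single_register(1, 1, 0x0010, 55)
    print(req.hex())      # 000100000006010600100037
    print(parse_frame(req))
```

The twelve bytes printed by the usage block are the entire request needed to change a register on an exposed controller; nothing in the frame identifies or authenticates the sender, which is why the page's later recommendation of network segmentation and monitoring matters more than any host-based control.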

Network segmentation and control

The Dragos experts write that the cyber incident in Ukraine highlights the need for adequate security controls, including OT network monitoring. That antivirus products did not detect the malware underscores the urgency of continuous OT network security monitoring, with analytics that incorporate ICS protocol logs, so that the operators of such assets are informed of potential risks.
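As an added example of the kind of analytics the paragraph above calls for (this is not Dragos's detection logic or product), the following rules run over a constructed Modbus connection log laid out in the tab-separated shape of a Zeek modbus.log. The engineering workstation address, the OT subnet, the burst threshold and every log line are assumptions made up for this illustration.

```python
"""Rule-based Modbus monitoring over connection logs (added example; not the
analytics Dragos describes).

The log below is constructed for this example in the tab-separated shape of a
Zeek modbus.log (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, func,
exception). Hosts, subnet and thresholds are assumptions for illustration.
"""
import ipaddress
from collections import Counter

# Assumed site policy: only the engineering workstation may write to
# controllers, and every Modbus conversation must stay inside the OT subnet.
ENGINEERING_HOSTS = {"10.20.1.10"}
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
WRITE_FUNCS = {
    "WRITE_SINGLE_REGISTER", "WRITE_MULTIPLE_REGISTERS",
    "WRITE_SINGLE_COIL", "WRITE_MULTIPLE_COILS",
}
WRITE_BURST_THRESHOLD = 3   # writes from one source within the log window

# Constructed sample: a legitimate read and write from the engineering host,
# a burst of writes from a router-side address, and a read from a public IP.
SAMPLE_LOG = """\
1705300000.10\tCabc1\t10.20.1.10\t50123\t10.20.5.21\t502\tREAD_HOLDING_REGISTERS\t-
1705300001.20\tCabc2\t10.20.1.10\t50124\t10.20.5.21\t502\tWRITE_SINGLE_REGISTER\t-
1705300120.00\tCabc3\t10.20.3.1\t40001\t10.20.5.21\t502\tWRITE_MULTIPLE_REGISTERS\t-
1705300121.00\tCabc4\t10.20.3.1\t40002\t10.20.5.21\t502\tWRITE_MULTIPLE_REGISTERS\t-
1705300122.00\tCabc5\t10.20.3.1\t40003\t10.20.5.22\t502\tWRITE_SINGLE_REGISTER\t-
1705300300.00\tCabc6\t203.0.113.7\t33120\t10.20.5.21\t502\tREAD_HOLDING_REGISTERS\t-
"""

FIELDS = ("ts", "uid", "src", "src_port", "dst", "dst_port", "func", "exception")


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def detect(text):
    """Apply three rules and return the alerts as a list of dicts."""
    alerts = []
    writes_per_source = Counter()
    for rec in parse_log(text):
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        # Rule 1: segmentation violation, Modbus crossing the OT boundary.
        if src not in OT_SUBNET or dst not in OT_SUBNET:
            alerts.append({"rule": "modbus_outside_ot_subnet", "ts": rec["ts"],
                           "src": rec["src"], "dst": rec["dst"]})
        if rec["func"] in WRITE_FUNCS:
            writes_per_source[rec["src"]] += 1
            # Rule 2: a write from anything but the engineering workstation.
            if rec["src"] not in ENGINEERING_HOSTS:
                alerts.append({"rule": "write_from_unauthorized_host", "ts": rec["ts"],
                               "src": rec["src"], "dst": rec["dst"], "func": rec["func"]})
    # Rule 3: many writes from one source, as a tool walking register ranges would produce.
    for src, n in writes_per_source.items():
        if n >= WRITE_BURST_THRESHOLD:
            alerts.append({"rule": "write_burst", "src": src, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The point of rule 2 is that a write request is not malicious by its bytes but by who sends it: the same frame from the engineering workstation is routine and from the router's address is an incident. That is only decidable with an allowlist maintained by the plant, which is why this kind of monitoring has to be built with the asset owner rather than bought as a generic signature set.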

The investigation of the incident revealed that the attackers may have gained access to the victim's network through an undetermined vulnerability in an externally facing router. Network resources, including the router, management servers and the district heating system controls, were not sufficiently segmented, which made the attack easier to carry out.

Dragos recommends that organizations implement the SANS 5 Critical Controls for World-Class OT Cybersecurity: ICS incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management. Dragos's article on the malware provides relevant guidance and, of course, promotes its own platform. Regardless of the Dragos platform, it is clear that OT systems need to be better secured.
