Security researchers and Ukrainian authorities have concluded that for two days in mid-January, some Ukrainians in the city of Lviv were forced to go without central heating and suffered freezing cold due to a cyberattack on the city's energy company.
On Tuesday, cybersecurity firm Dragos published a report detailing a new piece of malware called FrostyGoop that the company said is designed to target industrial control systems, in this case specifically a type of heating system controller.
Dragos researchers wrote in a report that they first detected the malware in April. At the time, Dragos didn't have any details about FrostyGoop beyond the malware sample and believed it was only used for testing purposes. But Ukrainian authorities later alerted Dragos that they had found evidence of the malware being actively used in a cyberattack that took place in Lviv between late night on January 22 and January 23.
“As a result, more than 600 apartments were left without heat for nearly 48 hours,” Dragos researcher Magpie Graham said in a conference call with reporters briefed on the report ahead of its release.
“Clearance efforts to recover from the incident took nearly two days, during which civilians endured subzero temperatures,” Dragos researchers Graham, Kyle O'Meara and Carolyn Ahlers wrote in their report.
This is the third known outage linked to a cyberattack that has hit Ukraine in recent years, and while researchers say the malware is unlikely to cause widespread outages, it does indicate that malicious hackers are stepping up their efforts to target critical infrastructure such as the energy grid.
Dragos said that because the FrostyGoop malware is designed to communicate with industrial control devices (ICS) via Modbus, a decades-old protocol used widely around the world to control devices in industrial environments, FrostyGoop could potentially be used to target other companies and facilities.
“There are currently at least 46,000 internet-exposed ICS devices that allow Modbus,” Graham told reporters.
Dragos said FrostyGoop is the ninth ICS-specific malware it has encountered in recent years. The most notorious is Industroyer (aka CrashOverride), which was used by the notorious Russian government-linked hacker group Sandworm to turn off the lights in Kiev and then shut down a Ukrainian power substation. Beyond these cyberattacks targeting Ukraine, Dragos has also seen Triton deployed at a Saudi petrochemical plant and then an unknown second facility, as well as the CosmicEnergy malware discovered by Mandiant last year.
Contact Us Do you have more information about this cyberattack or similar attacks targeting ICS in Ukraine or elsewhere? You can securely contact Lorenzo Franceschi-Bicchierai from a non-work device via Signal (+1 917 257 1382), Telegram, Keybase @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.
Dragos researchers wrote that they believe the hackers controlling the FrostyGoop malware first gained access to the targeted municipal energy company's network by exploiting a vulnerability in an internet-exposed Mikrotik router. The router, along with other servers and controllers, including those made by Chinese company ENCO, were not “properly segmented,” the researchers said.
Graham said on the call that he found open ENCO controllers in Lithuania, Ukraine and Romania, and reiterated that while FrostyGoop was used in the targeted attack in Lviv, the hackers who control it can target malware elsewhere.
ENCO and its employees did not immediately respond to TechCrunch's request for comment.
“The attackers did not attempt to destroy the controllers. Instead, they caused the controllers to report inaccurate measurements, resulting in the system malfunctioning and loss of heat to customers,” the researchers wrote.
During their investigation, the researchers said they concluded that the hackers “likely gained access” to the targeted network in April 2023, nearly a year before they deployed the malware and stopped the attack. The hackers continued to access the network in the following months, connecting through a Moscow IP address on Jan. 22, 2024, according to the report.
Despite the Russian IP addresses, Dragos did not point to any specific hacking group or government as responsible for the cyber outages because it was unable to find any links to previous activity or tools and because of the company's long-standing policy of not accepting responsibility for cyberattacks, Graham said.
Graham actually said that he and his colleagues believe the sabotage operation was carried out over the internet rather than by firing missiles at the facility, presumably to undermine the morale of the Ukrainians living there.
“This is very much a psychological effort, and I think it was perhaps facilitated by cyber means at a time when physical means were not the best option,” Graham said.
Finally, Phil Tonking, Dragos' field chief technology officer, said it's important not to underestimate FrostyGoop, but also not to overestimate it.
“It's important to recognize that this is something that is in use,” he said on a conference call with reporters. “And it's also really important that we don't think of this as something that's going to immediately shut down the national grid.”