Cybersecurity researchers have discovered what they say is the ninth industrial control system (ICS) malware that was used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv in early January of this year.
Industrial cybersecurity firm Dragos named the malware FrostyGoopdescribing it as the first out-of-the-box malware strain Modbus TCP communication to sabotage operational technology (OT) networks. It was discovered by the company in April 2024.
“FrostyGoop is an ICS malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502,” – Researchers Kyle O’Meara, Magpie (Mark) Graham and Carolyn Ahlers said in a technical report shared with The Hacker News.
The malware, primarily designed to attack Windows systems, is believed to have been used to attack ENCO controllers with TCP port 502 open to the Internet. It was not linked to any previously identified threat actors or activity clusters.
FrostyGoop comes with read and write capabilities to the ICS device, which stores registers containing inputs, outputs, and configuration data. It also accepts optional command-line execution arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to the console and/or to a JSON file.
The incident, which targeted the municipal district energy company, is said to have caused more than 600 apartment buildings to lose heat for nearly 48 hours.
“Adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system failures,” the researchers said at the conference, noting that initial access was likely gained by exploiting a vulnerability in Mikrotik routers in April 2023.
“The adversaries sent Modbus commands to the ENCO controller, causing inaccurate measurements and system failures. It took almost two days to fix.”
Although FrostyGoop makes extensive use of the Modbus protocol for client/server communication, it is far from the only one. In 2022, Dragos and Mandiant detailed another ICS malware DREAM (aka INCONTROLLER) which used various industrial network protocols such as OPC UA, Modbus and CODESYS to communicate.
This too the ninth malware targeting ICS after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2 and COSMICENERGY.
The ability of malware to read or modify data on ICS devices using Modbus has serious implications for industrial operations and public safety, Dragos said, adding that more than 46,000 Internet-connected ICS devices share data over the widely used protocol.
“The specific targeting of ICS using Modbus TCP over port 502 and the ability to interact directly with various ICS devices poses a serious threat to critical infrastructure in various sectors,” the researchers said.
“Organizations must prioritize implementing comprehensive cybersecurity frameworks to protect critical infrastructure from similar threats in the future.”
