FrostyGoop malware left 600 Ukrainian households without heat this winter


Researchers discovered a new malware variant likely used in an attack this January against an energy company in western Ukraine that left 600 households without heat amid freezing temperatures.

The tool, dubbed FrostyGoop, is one of only a few malware strains ever discovered in the wild that can interact directly with industrial control systems and have a physical effect on the hardware used by targeted enterprises, according to researchers at industrial cybersecurity firm Dragos, which discovered and analyzed it.

Ukraine’s security service (SBU) told Recorded Future News that during the attack the hackers compromised the infrastructure of the Lviv-based energy facility Lvivteploenergo.

“This led to a temporary shutdown of heating and hot water supply for more than 600 households in the city,” the agency’s spokesperson said. “The consequences of the cyberattack were quickly neutralized, and services were restored. The company continued to work as usual.”

According to local media reports at the time, the disruption to Lvivteploenergo affected residents of the Lviv district called Sykhiv, where around 100,000 people live.

FrostyGoop malware

Dragos discovered FrostyGoop in April 2024. The malware is compiled for Windows systems and, at the time of analysis, was not being detected by antivirus vendors, researchers said.

The malware targets the popular Modbus protocol used for transmitting data between various devices, typically in industrial automation systems. Researchers said that FrostyGoop is the first malware of its kind that uses Modbus to disrupt systems controlling physical devices.

Modbus is an old protocol that has become an industry standard. However, it is not very secure, Dragos researcher Magpie Graham said during a press briefing.

During the attack on Lvivteploenergo, the attackers sent Modbus commands to ENCO controllers designed to control district heating substation modules or boiler plant processes, causing inaccurate measurements and system malfunctions, researchers said.

“Given the ubiquity of the Modbus protocol in industrial environments, this malware can potentially cause disruptions across all industrial sectors by interacting with legacy and modern systems,” researchers said.
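The weakness the researchers describe is visible in the wire format itself. Modbus/TCP carries a seven-byte MBAP header (transaction id, protocol id, length, unit id) followed by a function code and its arguments, with no authentication, session or integrity field anywhere, so any host that can reach TCP port 502 can read or overwrite a controller's registers. The script below is an added illustration, not code from Dragos or from FrostyGoop: it builds and decodes Modbus/TCP read and write requests and then runs a simple detection over constructed sample traffic, flagging any state-changing write that did not originate from an allowlisted engineering host. The IP addresses, unit id and register addresses are placeholders chosen for the example and are not taken from the incident.

```python
import struct
from dataclasses import dataclass
from typing import Iterable

MODBUS_TCP_PORT = 502

# Modbus function codes used below. 0x03 only reads; the others change device state.
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int
    values: tuple  # register values carried by a write; empty for reads


def _mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    # MBAP header: transaction id, protocol id (always 0), length (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_holding_registers(transaction_id: int, unit_id: int, start: int, quantity: int) -> bytes:
    return _mbap(transaction_id, unit_id, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start, quantity))


def build_write_multiple_registers(transaction_id: int, unit_id: int, start: int, values) -> bytes:
    values = tuple(values)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS, start, len(values), 2 * len(values))
    pdu += struct.pack(">%dH" % len(values), *values)
    return _mbap(transaction_id, unit_id, pdu)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request. Every field is plaintext and nothing in the
    frame proves who sent it: the protocol has no authentication or integrity check."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc == FC_READ_HOLDING_REGISTERS:
        start, quantity = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(transaction_id, unit_id, fc, start, quantity, ())
    if fc == FC_WRITE_SINGLE_REGISTER:
        address, value = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(transaction_id, unit_id, fc, address, 1, (value,))
    if fc == FC_WRITE_MULTIPLE_REGISTERS:
        start, quantity, byte_count = struct.unpack(">HHB", pdu[1:6])
        if byte_count != 2 * quantity or len(pdu) != 6 + byte_count:
            raise ValueError("register count and byte count disagree")
        values = struct.unpack(">%dH" % quantity, pdu[6:6 + byte_count])
        return ModbusRequest(transaction_id, unit_id, fc, start, quantity, values)
    raise ValueError("function code 0x%02x not handled in this example" % fc)


def find_unauthorized_writes(packets: Iterable[tuple], allowed_writers: set) -> list:
    """Flag state-changing Modbus requests that did not come from a known
    engineering/SCADA host. Because the protocol authenticates nothing, the
    source address is the only signal the network side can check."""
    alerts = []
    for src_ip, frame in packets:
        req = parse_modbus_tcp(frame)
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            alerts.append(
                "write FC 0x%02x to unit %d registers %d..%d from unexpected host %s"
                % (req.function_code, req.unit_id, req.start_address,
                   req.start_address + req.quantity - 1, src_ip))
    return alerts


# Constructed sample traffic (placeholder addresses, not a capture from the incident):
# a routine poll from the SCADA server and two writes, one expected and one not.
SCADA_SERVER = "10.10.1.5"
UNKNOWN_HOST = "10.10.9.77"
SAMPLE_PACKETS = [
    (SCADA_SERVER, build_read_holding_registers(1, 1, 0, 10)),
    (SCADA_SERVER, build_write_multiple_registers(2, 1, 40, [650, 550])),
    (UNKNOWN_HOST, build_write_multiple_registers(3, 1, 40, [0, 0])),
]

if __name__ == "__main__":
    for alert in find_unauthorized_writes(SAMPLE_PACKETS, {SCADA_SERVER}):
        print(alert)
```

Source-address allowlisting is a network-layer compensating control, not a fix: a compromised host that is already on the allowlist, or an attacker who can spoof or pivot through one, passes the check. It is still one of the few signals available for a protocol that carries no identity of its own, which is why Modbus segments are normally isolated from IT networks and monitored for write function codes.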

Dragos did not attribute FrostyGoop to a particular threat actor but noted that before the incident, attackers were connecting to the energy system’s network from Moscow-based IP addresses.

Russia-linked attacks

Russia has been heavily targeting Ukrainian critical infrastructure with both cyberattacks and missiles. As a result of these attacks, Ukraine’s energy sector has suffered $56 billion in losses, forcing the country to introduce scheduled power outages lasting up to six hours several times a day, leaving people without electricity, internet and often gas and water.

Kremlin-backed hacker groups have previously targeted Ukrainian energy facilities with disruptive cyberattacks, causing even more harm.

In April, Ukraine's computer emergency response team (CERT-UA) reported that the Kremlin-controlled hacker group Sandworm had targeted nearly 20 energy facilities in Ukraine earlier in the spring, possibly to amplify the impact of intense Russian missile and drone strikes on critical infrastructure.

During the latest attacks on Ukrainian critical infrastructure, the group used a little-known backdoor called Kapeka. CERT-UA also identified new Linux-based variants of Kapeka developed by Sandworm — Loadgrip and Biasboat. They were installed on Ukrainian Linux devices designed to automate technological processes in critical facilities, researchers said.

Ukrainian state officials previously said that Russia is coordinating its missile strikes with cyberattacks, including when targeting energy facilities. Researchers found that Sandworm, in particular, has coordinated the timing of its cyberattacks with conventional military activity, such as kinetic strikes or other forms of sabotage.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
