In January 2024, a cyberattack involving Russian-linked malware disrupted heating for over 600 apartment buildings in Lviv, Ukraine, during severe sub-zero temperatures. The FrostyGoop malware attack, targeting the district heating company Lvivteploenergo, affected more than 100,000 residents in Lviv's Sykhiv residential area.
According to a report by LB.UA, the attack began on January 23, using the FrostyGoop malware, which is designed to target industrial control systems (ICS) via the Modbus TCP communications protocol. This protocol is widely used across various industrial sectors.
Cybersecurity firm Dragos first identified FrostyGoop in April 2024, initially believing it was still under development. However, Ukraine's Cyber Security Situation Center (CSSC) revealed that the malware had already been deployed in attacks, including the Lviv heating outage.
"During the late evening on 22 January 2024, through 23 January, adversaries conducted a disruption attack against a municipal district energy company in Lviv, Ukraine," Dragos stated, citing CSSC information.
The investigation into the January 2024 attack revealed that the attackers had infiltrated Lvivteploenergo's network nearly a year earlier, on April 17, 2023, by exploiting a vulnerability in an Internet-exposed MikroTik router. Three days later they deployed a webshell to maintain access, and in November and December they used that foothold to steal user credentials from the Security Account Manager (SAM) registry hive.
On the day of the attack, the perpetrators connected to the district energy company's network over L2TP (Layer Two Tunnelling Protocol) from Moscow-based IP addresses. Network segmentation was inadequate: the compromised MikroTik router, four management servers, and the district's heating system controllers were all reachable from one another, and hardcoded network routes led straight to the controllers. The attackers followed those routes, took control of the heating system controllers, and then downgraded the controllers' firmware to versions that lack monitoring capabilities, removing the visibility that could have exposed the tampering.
"Given the ubiquity of the Modbus protocol in industrial environments, this malware can potentially cause disruptions across all industrial sectors by interacting with legacy and modern systems," Dragos warned.
Dragos advises industrial organizations to adopt the SANS 5 Critical Controls for World-Class OT Cybersecurity to mitigate this kind of risk. These controls are:
ICS incident response
Defensible architecture
ICS network visibility and monitoring
Secure remote access
Risk-based vulnerability management
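The Modbus TCP protocol mentioned above carries no authentication: any host that can reach TCP port 502 on a controller can read and write its registers, which is why segmentation (control 2) and network monitoring (control 3) matter so much here. The example below is added for illustration and is not code from the article or from Dragos: it decodes the Modbus TCP framing (the 7-byte MBAP header followed by a function code and its fields) for three common functions and runs a simple monitoring rule over constructed traffic, flagging register writes that originate from any host outside an assumed allowlist of engineering workstations. The IP addresses, register addresses and values are invented for the example and say nothing about what FrostyGoop's own traffic looks like.

```python
"""Modbus TCP decoder plus an allowlist-based write monitor (added example)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Function codes from the Modbus Application Protocol specification.
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10
# Any of these changes controller state; reads are 0x01-0x04.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x17}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: int
    quantity: int
    values: tuple  # register values carried by write requests, () for reads


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend the MBAP header: transaction id, protocol id 0, length, unit id.
    The length field counts the unit id byte plus the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_registers(tid: int, unit: int, addr: int, qty: int) -> bytes:
    return mbap(tid, unit, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, addr, qty))


def write_multiple_registers(tid: int, unit: int, addr: int, values: Tuple[int, ...]) -> bytes:
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS, addr, len(values), 2 * len(values))
    pdu += struct.pack(f">{len(values)}H", *values)
    return mbap(tid, unit, pdu)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode an MBAP header and a request PDU for function codes 3, 6 and 16.
    Raises ValueError on anything malformed so the caller can alert on it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc == FC_READ_HOLDING_REGISTERS:
        if len(pdu) != 5:
            raise ValueError("bad PDU length for read holding registers")
        addr, qty = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(tid, unit, fc, addr, qty, ())
    if fc == FC_WRITE_SINGLE_REGISTER:
        if len(pdu) != 5:
            raise ValueError("bad PDU length for write single register")
        addr, value = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(tid, unit, fc, addr, 1, (value,))
    if fc == FC_WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 6:
            raise ValueError("bad PDU length for write multiple registers")
        addr, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
        # The spec allows 1..123 registers per request; byte count must be 2 per register.
        if not 1 <= qty <= 123 or byte_count != 2 * qty or len(pdu) != 6 + byte_count:
            raise ValueError("byte count inconsistent with register quantity")
        values = struct.unpack(f">{qty}H", pdu[6:6 + byte_count])
        return ModbusRequest(tid, unit, fc, addr, qty, values)
    raise ValueError(f"unsupported function code 0x{fc:02x}")


def flag_unauthorized_writes(records: Iterable[Tuple[str, bytes]],
                             allowed_writers: set) -> List[Tuple[str, str, str]]:
    """Monitoring rule: every write-class request from a source that is not an
    allowlisted engineering host is an alert, as is any frame we cannot decode."""
    alerts = []
    for src, frame in records:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append((src, "malformed", str(exc)))
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            detail = f"fc=0x{req.function:02x} unit={req.unit_id} addr={req.start_address} n={req.quantity}"
            alerts.append((src, "unauthorized write", detail))
    return alerts


# Assumed allowlist and constructed sample traffic (not real captures).
ALLOWED_WRITERS = {"10.10.1.5"}  # hypothetical engineering workstation
SAMPLE_TRAFFIC = [
    ("10.10.1.5", read_holding_registers(1, 1, 0x0000, 10)),          # routine read
    ("10.10.1.5", write_multiple_registers(2, 1, 0x0010, (650, 700))),  # permitted write
    ("10.10.2.20", write_multiple_registers(3, 1, 0x0010, (200, 200))), # write from a management server
    ("10.10.2.20", b"\x00\x04\x00\x00\x00\x02\x01"),                    # truncated frame
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(alert)
```

The rule is deliberately simple: in a district heating network the set of hosts that legitimately write setpoints is small and stable, so a positive allowlist on Modbus write function codes produces few false positives and would have surfaced writes arriving via a route from a management server or VPN endpoint. A malformed-frame alert is kept as well, since a parser that silently drops what it cannot decode is exactly the blind spot an attacker wants.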
Adopting these controls and periodically revisiting cybersecurity best practices can help bolster an organization's security posture.