Blog > News | 26 Jul 2024 | Author: Samir Yawar | 3 min read

FrostyGoop malware attack shuts off heaters in Ukraine


In January 2024, a cyberattack involving Russian-linked malware disrupted heating for over 600 apartment buildings in Lviv, Ukraine, during severe sub-zero temperatures. The FrostyGoop malware attack, targeting the district heating company Lvivteploenergo, affected more than 100,000 residents in Lviv's Sykhiv residential area.

According to a report by LB.UA, the attack began on January 23, using the FrostyGoop malware, which is designed to target industrial control systems (ICS) via the Modbus TCP communications protocol. This protocol is widely used across various industrial sectors.

How was the FrostyGoop malware attack discovered?

Cybersecurity firm Dragos first identified FrostyGoop in April 2024, initially believing it was still under development. However, Ukraine's Cyber Security Situation Center (CSSC) revealed that the malware had already been deployed in attacks, including the Lviv heating outage.

"During the late evening on 22 January 2024, through 23 January, adversaries conducted a disruption attack against a municipal district energy company in Lviv, Ukraine," Dragos stated, citing CSSC information. 

"At the time of the attack, this facility fed over 600 apartment buildings in the Lviv metropolitan area, supplying customers with central heating. Remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures."

Network was compromised nearly a year ago

The investigation into the January 2024 attack revealed that attackers had infiltrated Lvivteploenergo's network nearly a year earlier, on April 17, 2023, by exploiting a vulnerability in an Internet-exposed MikroTik router. Three days later, they deployed a webshell to maintain access, and in November and December they stole user credentials from the Security Account Manager (SAM) registry hive.

[Image: A worker looking at monitors at a Lvivteploenergo power plant]

On the day of the attack, the perpetrators used L2TP (Layer Two Tunnelling Protocol) connections from Moscow-based IP addresses to access the district energy company's network. Because of inadequate network segmentation between the compromised MikroTik router, four management servers and the district's heating system controllers, the attackers were able to exploit hardcoded network routes and take control of the heating system controllers. They then downgraded the controllers' firmware, which removed monitoring capabilities and helped them evade detection.

"Given the ubiquity of the Modbus protocol in industrial environments, this malware can potentially cause disruptions across all industrial sectors by interacting with legacy and modern systems," Dragos warned.
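Because FrostyGoop reaches controllers through ordinary Modbus TCP traffic, the monitoring control Dragos recommends comes down to watching who sends write commands to which controller. The following is an added example, not code from the article or from Dragos: it parses the Modbus TCP MBAP header and function code and flags write operations from any host that is not an approved engineering workstation. The IP addresses, unit IDs and sample frames are constructed for illustration.

```python
import struct
from typing import NamedTuple

# Modbus function codes that change controller state (write operations).
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

class ModbusEvent(NamedTuple):
    src: str
    dst: str
    unit_id: int
    function: int
    payload: bytes

def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusEvent:
    """Parse one Modbus TCP frame: 7-byte MBAP header, then function code + data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:  # protocol identifier is always 0 for Modbus
        raise ValueError(f"not Modbus (protocol id {proto_id})")
    if length != len(frame) - 6:  # length counts unit id, function code and data
        raise ValueError("MBAP length field does not match frame size")
    return ModbusEvent(src, dst, unit_id, frame[7], frame[8:])

def flag_unexpected_writes(packets, allowed_writers):
    """Return alert strings for write function codes sent by hosts outside the allowlist."""
    alerts = []
    for src, dst, frame in packets:
        ev = parse_modbus_tcp(src, dst, frame)
        if ev.function in WRITE_FUNCTIONS and ev.src not in allowed_writers:
            alerts.append(f"{ev.src} -> {ev.dst} unit {ev.unit_id}: "
                          f"{WRITE_FUNCTIONS[ev.function]} (0x{ev.function:02x})")
    return alerts

# Constructed sample traffic (hypothetical addresses): an HMI reading registers,
# the HMI writing one register, and an unknown host issuing two writes.
SAMPLE_PACKETS = [
    ("10.0.0.10", "10.0.0.20", bytes.fromhex("000100000006010300000002")),  # Read Holding Registers
    ("10.0.0.10", "10.0.0.20", bytes.fromhex("00020000000601060010002a")),  # Write Single Register
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("000300000006010600100000")),  # Write Single Register
    ("10.0.0.99", "10.0.0.21", bytes.fromhex("00040000000b0110000000020400000000")),  # Write Multiple Registers
]
ALLOWED_WRITERS = {"10.0.0.10"}  # hypothetical engineering workstation / HMI

def demo():
    return flag_unexpected_writes(SAMPLE_PACKETS, ALLOWED_WRITERS)

if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

In practice the packet tuples would come from a network tap or a Modbus-aware sensor rather than a hard-coded list, and the allowlist from the site's asset inventory.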

Preventive measures advised

Dragos advises industrial organizations to adopt the SANS 5 Critical Controls for World-Class OT Cybersecurity to mitigate cybersecurity risk. These controls are:

  1. ICS incident response

  2. Defensible architecture

  3. ICS network visibility and monitoring

  4. Secure remote access

  5. Risk-based vulnerability management

These measures, together with periodic updates to cybersecurity best practices, can help bolster your organization's security posture.

Samir Yawar / Content Lead
Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir