
For two days in mid-January, some residents of Lviv, Ukraine, were left without central heating and suffering freezing temperatures due to a cyberattack on a local energy company, security researchers and Ukrainian authorities have concluded.
On Tuesday, cybersecurity firm Dragos released a report detailing a new malware it calls FrostyGoop. The company said the malware is designed to target industrial control systems, in this case a type of heating system controller.
Dragos researchers wrote in their report that they first detected the malware in April. At the time, Dragos had no additional information about FrostyGoop beyond the malware sample, and believed it was only used for testing. However, Ukrainian authorities later alerted Dragos that they had found evidence that the malware was actively used in cyberattacks in Lviv between the late evening of January 22 and January 23.
“It caused over 600 apartment buildings to lose heat for almost 48 hours,” Dragos researcher Magpie Graham told reporters briefed on the report’s release.
“It took nearly two days to recover from the incident, during which time civilians endured sub-zero temperatures,” Dragos researchers Graham, Kyle O'Meara, and Carolyn Allers wrote in the report.
This is the third known disruption linked to a cyberattack targeting Ukrainians in recent years. While researchers say the malware is unlikely to cause widespread disruption, it shows a growing effort by malicious hackers to attack critical infrastructure such as energy grids.
According to Dragos, FrostyGoop is designed to interact with industrial control system (ICS) devices over Modbus, a protocol that has been used for decades to control devices in industrial environments worldwide. That means the malware is not tied to the Lviv target: it could be used against other companies and facilities anywhere Modbus devices are reachable.
“There are at least 46,000 Internet-exposed ICS devices that currently accept Modbus,” Graham told reporters.
Dragos said FrostyGoop is the ninth ICS-specific malware it has encountered in the past few years. The most notorious of these was Industroyer (also known as CrashOverride), which the Russian government-linked hacking group Sandworm used to turn off the lights in Kyiv and later to disconnect a power substation in Ukraine. Beyond the attacks targeting Ukraine, Dragos also discovered Triton, which was deployed at a Saudi petrochemical plant and at a second, undisclosed facility, and the list includes CosmicEnergy, which Mandiant discovered last year.
Dragos researchers wrote that they believe the hackers behind FrostyGoop first gained access to the targeted municipal energy company's network by exploiting vulnerabilities in internet-exposed MikroTik routers. The researchers said the routers, along with other servers and controllers, including one made by Chinese company ENCO, were not "properly segmented."
Graham said in a phone call that he had found ENCO control devices exposed in Lithuania, Ukraine, and Romania, again emphasizing that while FrostyGoop was used in a targeted attack in Lviv, hackers in control could deploy the malware elsewhere as well.
ENCO and its staff did not immediately respond to TechCrunch's request for comment.
“The adversaries did not attempt to destroy the controller. Instead, they caused the controller to report inaccurate measurements, which resulted in the system not functioning properly and customers not receiving heat,” the researchers wrote.
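The Modbus behaviour described above (a client reading and writing registers on a controller, which is how an attacker can make a device "report inaccurate measurements" without destroying it) is simple enough to check for on the wire. The following Python is an added example, not code from this page, from Dragos, or from the FrostyGoop sample: it decodes Modbus/TCP request frames and flags write-class function codes coming from any host other than an approved engineering workstation. The IP addresses, register numbers and sample frames are constructed for the example and make no claim about FrostyGoop's actual traffic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Standard public function codes from the Modbus Application Protocol specification.
FUNCTION_NAMES: Dict[int, str] = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
# Any of these changes device state; a monitoring-only client should never send them.
WRITE_CODES: Set[int] = {5, 6, 15, 16, 23}


@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]  # first address field of the PDU, if present
    data: bytes                   # remainder of the PDU after the address


def parse_modbus_tcp(src_ip: str, payload: bytes) -> Optional[ModbusRequest]:
    """Decode one Modbus/TCP request (MBAP header + PDU). Returns None if the frame
    is malformed or is an exception response rather than a request."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:                  # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:  # length field covers unit id + PDU
        return None
    fc = payload[7]
    if fc >= 0x80:                  # high bit set marks an exception response
        return None
    addr = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return ModbusRequest(src_ip, tid, unit, fc, addr, payload[10:])


def build_request(tid: int, unit: int, fc: int, address: int, body: bytes) -> bytes:
    """Assemble a Modbus/TCP request frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + struct.pack(">H", address) + body
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def find_suspicious_writes(frames: List[Tuple[str, bytes]],
                           allowed_writers: Set[str]) -> List[str]:
    """Flag every write-class request whose source is not an approved writer."""
    alerts = []
    for src_ip, payload in frames:
        req = parse_modbus_tcp(src_ip, payload)
        if req is None or req.function_code not in WRITE_CODES:
            continue
        if req.src_ip in allowed_writers:
            continue
        name = FUNCTION_NAMES.get(req.function_code, "Unknown")
        alerts.append(f"{req.src_ip} -> unit {req.unit_id}: {name} "
                      f"(fc {req.function_code}) at address {req.start_address}")
    return alerts


# Constructed sample traffic (hypothetical addresses, not from the incident):
# 10.0.5.20 is the plant's engineering workstation; 203.0.113.77 is an unknown host.
ALLOWED_WRITERS: Set[str] = {"10.0.5.20"}
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [
    # Poll 10 holding registers starting at 0: a normal HMI read.
    ("10.0.5.20", build_request(1, 1, 3, 0, struct.pack(">H", 10))),
    # Operator writes setpoint register 40 := 1200 from the approved workstation.
    ("10.0.5.20", build_request(2, 1, 6, 40, struct.pack(">H", 1200))),
    # Unknown host reads registers: worth logging, but not state-changing.
    ("203.0.113.77", build_request(3, 1, 3, 0, struct.pack(">H", 10))),
    # Unknown host writes register 40 := 0.
    ("203.0.113.77", build_request(4, 1, 6, 40, struct.pack(">H", 0))),
    # Unknown host writes two registers (quantity 2, byte count 4) starting at 40.
    ("203.0.113.77", build_request(5, 1, 16, 40,
                                   struct.pack(">HB", 2, 4) + struct.pack(">HH", 0, 0))),
]

if __name__ == "__main__":
    for line in find_suspicious_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(line)
```

Modbus/TCP carries no authentication, so the only practical signals on the wire are who is talking and which function codes they use; in production the frames would come from a packet capture or a span port rather than the constructed list, and the allowlist would be the set of hosts that are actually supposed to change setpoints. Reads from unexpected hosts are worth logging too, since reconnaissance of register maps precedes tampering.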
During their investigation, the researchers concluded that the hackers "likely gained access" to the target network in April 2023, nearly a year before deploying the malware and turning the heat off. The hackers continued to access the network in the following months, and connected via a Moscow-based IP address on January 22, 2024, according to the report.
Graham said Dragos did not attribute the cyberattack to any specific hacking group or government, despite the Moscow-based IP address. He said this is because the company could not find a connection to previously known activity or tools, and because it is Dragos's long-standing policy not to attribute cyberattacks to particular actors.
Graham did say that he and his colleagues believe the destructive operation was carried out over the internet rather than, say, by launching missiles at the facility, perhaps as an attempt to demoralize the Ukrainian population living there.
“I think the psychological effort facilitated by cyber means is very important here,” Graham said. “The physical effort may not have been the best option here.”
Finally, Phil Tonkin, Dragos' chief technology officer, said FrostyGoop's significance should be neither underestimated nor overestimated.
“It’s important to recognize that this is something that has been actively used,” he said during a press conference. “It’s also very, very important not to think that this is going to immediately take down the nation’s power grid.”