Cybersecurity researchers have identified what they say is the ninth known Industrial Control Systems (ICS)-focused malware, used in a disruptive cyber attack against an energy company in the Ukrainian city of Lviv earlier this January.
Industrial cybersecurity firm Dragos has named the malware FrostyGoop, describing it as the first malware strain to use Modbus TCP communications directly to damage operational technology (OT) networks. The company discovered it in April 2024. "FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502," researchers Kyle O'Meara, Magpie (Mark) Graham, and Carolyn Ahlers wrote in a technical report published with The Hacker News.
The malware, thought to be primarily designed to target Windows systems, is believed to have been used against ENCO controllers with TCP port 502 exposed to the internet. It has not been attributed to any previously known threat actor or activity cluster.
FrostyGoop can read from and write to an ICS device's holding registers, which contain inputs, outputs, and configuration data. It also accepts optional command-line execution arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to the console and/or a JSON file.
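The capability described above (reading and writing holding registers over Modbus TCP on port 502) is the same traffic a defender can watch for. The following added example, which is not FrostyGoop code nor Dragos tooling, parses Modbus/TCP request frames (the public MBAP header plus PDU layout) and flags register or coil writes that do not come from an allow-listed engineering host. The frames, IP addresses and allow-list are constructed for illustration.

```python
"""Minimal Modbus/TCP request inspector for ICS network monitoring.

Added illustration only: the frames, source addresses and allow-list
below are constructed, not captured from any real incident.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes that change controller state.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
# Read-only function codes (informational, not alerted on here).
READ_FUNCTION_CODES = {1, 2, 3, 4}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    count_or_value: int  # quantity for reads/multi-writes, value for single writes


def build_frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend a 7-byte MBAP header (tid, protocol id 0, length, unit id) to a PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request frame; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol identifier {proto_id}")
    # Length counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc in READ_FUNCTION_CODES or fc in (5, 6):
        # Reads and single writes carry: start address (2 bytes) + quantity/value (2 bytes).
        if len(pdu) < 5:
            raise ValueError("truncated read/single-write PDU")
        addr, val = struct.unpack(">HH", pdu[1:5])
    elif fc in (15, 16):
        # Multi-writes carry: start address, quantity, byte count, then the data bytes.
        if len(pdu) < 6:
            raise ValueError("truncated multi-write PDU")
        addr, val, byte_count = struct.unpack(">HHB", pdu[1:6])
        if byte_count != len(pdu) - 6:
            raise ValueError("byte count does not match payload length")
    else:
        addr, val = 0, 0  # other function codes are passed through unparsed
    return ModbusRequest(tid, unit_id, fc, addr, val)


def is_well_formed(frame: bytes) -> bool:
    """Convenience check used by monitoring code and tests."""
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def inspect(frames, allowed_writers):
    """Return alert strings for write requests from hosts outside the allow-list."""
    alerts = []
    for src_ip, frame in frames:
        req = parse_modbus_tcp(frame)
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            alerts.append(
                f"{src_ip} -> unit {req.unit_id}: "
                f"{WRITE_FUNCTION_CODES[req.function_code]} at register {req.start_address}"
            )
    return alerts


# Constructed sample: 10.0.0.5 is the (hypothetical) engineering workstation,
# 203.0.113.77 is a documentation-range address standing in for an unknown host.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_FRAMES = [
    ("10.0.0.5", build_frame(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))),        # read 10 holding regs
    ("10.0.0.5", build_frame(2, 1, bytes([6]) + struct.pack(">HH", 40, 1500))),     # authorised write
    ("203.0.113.77", build_frame(3, 1, bytes([6]) + struct.pack(">HH", 40, 0))),    # unexpected write
    ("203.0.113.77", build_frame(4, 1, bytes([16]) + struct.pack(">HHB", 100, 2, 4)
                                 + struct.pack(">HH", 0, 0))),                      # unexpected multi-write
]


def run_sample():
    """Run the inspector over the constructed sample and return its alerts."""
    return inspect(SAMPLE_FRAMES, ALLOWED_WRITERS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

In a real deployment the frames would come from a network tap or a packet capture on the OT segment, and the allow-list from the asset inventory; the point is that Modbus carries no authentication, so the source host and the function code are the only signals available to tell an engineering change from an unauthorised write.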
The attack on the municipal district energy company is said to have left more than 600 residential buildings without heating for over 48 hours.
"The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions," the researchers said in a conference call, noting that initial access was likely achieved by exploiting a vulnerability in Mikrotik routers in April 2023.
"The adversary delivered Modbus orders to ENCO controllers, creating erroneous measurements and system failures. Remediation took almost two days."
While FrostyGoop relies largely on the Modbus protocol for client/server communication, it is far from the only ICS malware to do so. In 2022, Dragos and Mandiant disclosed another ICS malware, PIPEDREAM (aka INCONTROLLER), that used several industrial network protocols, including OPC UA, Modbus, and CODESYS, to interact with devices.
It is also the ninth known ICS-focused malware, following Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.
The malware's ability to read or modify data on ICS devices over Modbus has significant implications for industrial operations and public safety, Dragos said, adding that more than 46,000 internet-exposed ICS devices communicate using the widely used protocol.
"The specific targeting of ICS using Modbus TCP over port 502 and the potential to interact directly with various ICS devices pose a serious threat to critical infrastructure across multiple sectors," the researchers added.
"Organizations must prioritize the implementation of comprehensive cybersecurity frameworks to safeguard critical infrastructure from similar threats in the future."