Novel ICS Malware Sabotaged Water-Heating Services in Ukraine

Published: 23/11/2024   Category: security




Newly discovered FrostyGoop is the first ICS malware that can communicate directly with operational technology systems via the Modbus protocol.



Researchers have tied a January 2024 attack that disrupted heating services in some 600 apartment buildings in Lviv, Ukraine, during sub-zero temperatures to a dangerous new piece of malware designed specifically to target industrial control systems.
The malware, dubbed FrostyGoop by the Dragos researchers who discovered it, is the first known malware that lets threat actors interact directly with operational technology (OT) systems via Modbus, a communication protocol widely used in ICS environments. This makes FrostyGoop especially dangerous because adversaries can use it to attack pretty much any ICS system that uses Modbus for communications, Dragos said in a report this week. The security vendor said it was able to find some 46,000 Internet-exposed ICS devices that currently communicate over the protocol. FrostyGoop is only the ninth known malicious tool specifically designed to attack ICS environments.
"Modbus is embedded in legacy and modern systems and nearly all industrial sectors, indicating a wide-ranging potential for disrupting and compromising essential services and systems," Dragos said. "[FrostyGoop] represents a significant risk to the integrity and functionality of ICS devices, with potentially far-reaching consequences for industrial operations and public safety."
Dragos researchers first encountered FrostyGoop binaries in April 2024 while conducting routine triage of suspicious-looking files at a customer location. Their initial analysis suggested the malware was still in the testing stage, but they quickly revised that assessment after Ukraine's Cyber Security Situation Center (CSSC) shared details with Dragos about the January 2024 attack on a district energy company in Lviv.
FrostyGoop, written in Golang and compiled for Windows, allows attackers to interact directly with ICS devices using Modbus TCP over port 502. An attacker deploying the malware can read and manipulate inputs, outputs, and configuration data held in the devices' holding registers. Holding registers are a specific type of data-storage location in industrial devices.
The malware also lets an attacker send unauthorized commands to victim systems.
The cyberattack in Ukraine targeted ENCO-branded heating system controllers at a company that manages a service for distributing hot water to residents in some 600 apartments in Lviv. The attackers used FrostyGoop to send Modbus commands to the controllers that triggered inaccurate measurements and system malfunctions. Incident responders had to work nearly two days to remediate the issue.
"What the payload did was alter values on the controllers to fool them into thinking the temperature of the water was hotter than it was, so it wouldn't heat the water," said Magpie (Mark) Graham, technical director at Dragos, in a conference call. The result was that the company ended up pumping cold water to the apartments instead, he said.
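The two preceding passages describe the mechanism (Modbus TCP on port 502, writes to holding registers) and its effect (register values altered so the controller believed the water was already hot). From a monitoring standpoint, both are visible on the wire: a Modbus write function code arriving from a host that has no business writing, or a written value outside the plausible engineering range for that register. The following Python is an added illustration written for this article, not code from Dragos or from FrostyGoop: it parses Modbus/TCP request frames and flags writes from non-allowlisted hosts or with implausible values. The sample frames, the IP addresses, the register address 0x0010 and the 0-900 "plausible range" (a setpoint stored as tenths of a degree) are all constructed assumptions.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# Modbus function codes that change device state (coils or holding registers).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int] = None
    values: list = field(default_factory=list)


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol identifier {proto_id}")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = payload[7:]
    fc = pdu[0]
    req = ModbusRequest(txn_id, unit_id, fc)
    if fc in (0x03, 0x04, 0x05, 0x06):
        # Reads carry address + quantity; single writes carry address + value.
        req.start_address, word = struct.unpack(">HH", pdu[1:5])
        if fc in (0x05, 0x06):
            req.values = [word]
    elif fc == 0x10:
        req.start_address, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
        if byte_count != 2 * qty or len(pdu) < 6 + byte_count:
            raise ValueError("malformed Write Multiple Registers request")
        req.values = list(struct.unpack(f">{qty}H", pdu[6:6 + byte_count]))
    return req


def audit_frames(frames, allowed_writers, plausible_range):
    """Return alert strings for Modbus writes that violate a simple policy.

    frames: iterable of (source_ip, raw Modbus/TCP request bytes).
    allowed_writers: set of hosts permitted to issue write function codes.
    plausible_range: inclusive (low, high) bound for written register values.
    """
    low, high = plausible_range
    alerts = []
    for src_ip, payload in frames:
        req = parse_modbus_tcp(payload)
        if req.function_code not in WRITE_FUNCTION_CODES:
            continue  # reads are routine HMI/SCADA polling; not alerted here
        name = WRITE_FUNCTION_CODES[req.function_code]
        where = f"unit {req.unit_id} address {req.start_address:#06x}"
        if src_ip not in allowed_writers:
            alerts.append(f"{src_ip}: {name} to {where} from non-allowlisted host")
        out_of_range = [v for v in req.values if not low <= v <= high]
        if out_of_range:
            alerts.append(f"{src_ip}: {name} to {where} with out-of-range value(s) {out_of_range}")
    return alerts


def build_frame(txn_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU for the constructed sample traffic below."""
    return struct.pack(">HHHB", txn_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic (not captured from any real incident): the HMI at
# 10.0.0.5 polls two registers and writes a 45.0 degC setpoint (stored as 450),
# then an unexpected host writes 95.0 degC (950) to the same register.
SAMPLE_FRAMES = [
    ("10.0.0.5", build_frame(1, 1, struct.pack(">BHH", 0x03, 0x0000, 2))),
    ("10.0.0.5", build_frame(2, 1, struct.pack(">BHH", 0x06, 0x0010, 450))),
    ("10.0.0.77", build_frame(3, 1, struct.pack(">BHH", 0x06, 0x0010, 950))),
]


def audit_sample() -> list:
    """Run the audit over the constructed sample with an example policy."""
    return audit_frames(SAMPLE_FRAMES, allowed_writers={"10.0.0.5"}, plausible_range=(0, 900))


if __name__ == "__main__":
    for alert in audit_sample():
        print(alert)
```

Run against the constructed sample, the HMI's read and in-range write pass silently, while the third frame raises two alerts: an unknown host issuing a write, and a value outside the engineering range. In a real deployment the allowlist and per-register ranges would come from the asset inventory and the process engineers, and the frames from a passive tap on the OT segment rather than an inline list.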
Dragos has not been able to tie the attacker to any previously identified threat actor or activity cluster. But the fact that the adversary used cyber means to disrupt hot water supplies, when a kinetic attack could have worked as well, may have to do with Ukraine's defenses being better able to intercept missile attacks from Russia these days, he said.
Dragos's investigation found that the attack began with the threat actors first gaining access to the energy company's network in April 2023 via a still-undetermined vulnerability in an externally facing MikroTik router. During a six-day period between April 20 and April 26, 2023, the attacker deployed a Web shell in the victim environment that they used a few months later to exfiltrate user credentials. In January 2024, the attackers established a connection between the compromised environment and an IP address located in Russia.
Because of a lack of network segmentation at the Lviv energy company, the attackers were able to use their initial foothold to move laterally to multiple management servers in the environment and eventually to the company's heating system controllers. As part of the attack chain, the adversaries downgraded the firmware on the controllers to a version not supported by the monitoring system deployed at the facility.
"The adversaries did not attempt to destroy the controllers," Dragos said. "Instead, the adversaries caused the controllers to report inaccurate measurements, resulting in the incorrect operation of the system and the loss of heating to customers."
Graham said it is likely that prior to the attack in Lviv, the threat actors used FrostyGoop to target other controllers with Modbus ports open to the Internet. No network compromise would have been required to gain access to the devices in any such instance, he said. "These are devices that you or I could access, no problem, from the Internet right now."
ICS-specific malware tools can be challenging to thwart. But typically, attackers have reserved them only for highly targeted campaigns. Among the better-known malware in this category are Stuxnet, which attackers used to degrade Iran's uranium enrichment facility in Natanz; Industroyer/CrashOverride, which Russia's Sandworm group used in attacks on Ukraine's power grid; and Havex, which targeted SCADA and ICS environments in Europe.
Dragos recommends ICS environments implement five baseline practices to protect their networks from this malware: network segmentation to mitigate damage; continuous monitoring for improved visibility; secure remote access; risk-based vulnerability management; and strong incident response capabilities.