In mid-January, a cyberattack left residents of Lviv, Ukraine, without central heating for two days, exposing them to freezing temperatures. Security researchers and Ukrainian authorities have confirmed that the attack targeted a municipal energy company using a newly identified malware called FrostyGoop.
Details of the Cyberattack
On Tuesday, cybersecurity firm Dragos released a report detailing FrostyGoop, which is designed to target industrial control systems, specifically heating system controllers. Dragos first detected the malware in April, initially believing it was only for testing. However, Ukrainian authorities later informed Dragos that the malware had been used in a cyberattack on Lviv from January 22 to January 23.
This attack disrupted heating for over 600 apartment buildings for nearly 48 hours, according to Dragos researcher Mark "Magpie" Graham. The Security Council of Ukraine confirmed the attack, stating that the incident affected more than 600 households and targeted the information and communication infrastructure of LvivTeploEnergo, a major heat and hot water supplier. The council noted that the cyberattack's consequences were swiftly neutralized, and services were restored.
Impact and Implications
The incident marks the third known cyberattack-related outage in Ukraine in recent years. While FrostyGoop's design suggests it could cause disruptions beyond Lviv, Dragos emphasized that it is unlikely to lead to widespread outages. Nonetheless, the malware's ability to interact with industrial control devices using the widely used Modbus protocol indicates it could be a threat to other companies and facilities globally.
Dragos identified at least 46,000 internet-exposed ICS devices using Modbus, making them potential targets for FrostyGoop. This malware is the ninth ICS-specific malware Dragos has encountered, following notable examples like Industroyer (used by the Russian-linked Sandworm group) and Triton (deployed against a Saudi petrochemical plant).
Method of Attack
Researchers believe hackers accessed the municipal energy company's network by exploiting a vulnerability in a MikroTik router, which was not adequately segmented from other servers and controllers, including one made by the Chinese company ENCO. Open ENCO controllers were found in Lithuania, Ukraine, and Romania, suggesting potential future targets.
The attackers did not destroy the controllers but caused them to report inaccurate measurements, leading to system malfunctions and heating loss. Dragos found that hackers likely gained network access in April 2023 and maintained it, connecting via Moscow-based IP addresses in January 2024.
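The article notes that FrostyGoop interacts with controllers over Modbus and that the attackers made the Lviv controllers report inaccurate measurements. The following is an added example, not code from the article or from Dragos, showing how a defender might monitor Modbus/TCP traffic on an OT network segment: it parses the MBAP header and function code of each request and alerts on write operations that do not originate from an allow-listed engineering host. The article does not say which Modbus function codes the malware used, so treating writes as the suspicious operation is an assumption, and the IP addresses and the allow-list are constructed for the example.

```python
"""Minimal Modbus/TCP request monitor (added example, not from the article).

Parses the MBAP header (transaction id, protocol id, length, unit id) and the
PDU function code, then flags write requests from hosts outside an allow-list.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Standard Modbus function codes for write operations (Modbus Application Protocol spec).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Hypothetical allow-list: the only host permitted to write to controllers (constructed value).
AUTHORIZED_WRITERS = {"10.0.5.10"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes  # PDU data after the function code


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU; raise ValueError on malformed frames."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(data) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, dst, tid, unit, data[7], data[8:])


def describe_write(req: ModbusRequest) -> str:
    """Decode the target register(s) of a write for the alert text."""
    if req.function_code == 0x06 and len(req.payload) >= 4:
        addr, value = struct.unpack(">HH", req.payload[:4])
        return f"register {addr} <- {value}"
    if req.function_code == 0x10 and len(req.payload) >= 5:
        addr, count, byte_count = struct.unpack(">HHB", req.payload[:5])
        return f"registers {addr}..{addr + count - 1} ({byte_count} bytes)"
    return WRITE_FUNCTION_CODES.get(req.function_code, "unknown write")


def detect_unauthorized_writes(frames: Iterable[Tuple[str, str, bytes]]) -> List[str]:
    """Return one alert string per malformed frame or non-allow-listed write."""
    alerts = []
    for src, dst, data in frames:
        try:
            req = parse_modbus_tcp(src, dst, data)
        except ValueError as exc:
            alerts.append(f"MALFORMED {src}->{dst}: {exc}")
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in AUTHORIZED_WRITERS:
            alerts.append(
                f"UNAUTHORIZED WRITE {src}->{dst} unit {req.unit_id}: {describe_write(req)}"
            )
    return alerts


def build_frame(tid: int, unit: int, fc: int, pdu_body: bytes) -> bytes:
    """Helper to construct sample Modbus/TCP frames for the demo."""
    pdu = bytes([fc]) + pdu_body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: two benign requests, two writes from an unexpected host.
SAMPLE_FRAMES = [
    # SCADA poll: Read Holding Registers 0..9 from the authorized host.
    ("10.0.5.10", "10.0.7.20", build_frame(1, 1, 0x03, struct.pack(">HH", 0, 10))),
    # Setpoint change from the authorized engineering host.
    ("10.0.5.10", "10.0.7.20", build_frame(2, 1, 0x06, struct.pack(">HH", 40, 55))),
    # Write Single Register from a host that is not allow-listed.
    ("192.0.2.77", "10.0.7.20", build_frame(3, 1, 0x06, struct.pack(">HH", 40, 0))),
    # Write Multiple Registers (2 registers, 4 bytes) from the same host.
    ("192.0.2.77", "10.0.7.21",
     build_frame(4, 1, 0x10, struct.pack(">HHB", 40, 2, 4) + b"\x00\x00\x00\x00")),
]

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_FRAMES):
        print(alert)
```

In a real deployment the frames would come from a network tap or a passive sensor on the controller VLAN rather than a constructed list, and the allow-list would be derived from the site's documented engineering workstations; the point is that Modbus carries no authentication of its own, so knowing which hosts are allowed to write, and alerting on everything else, is the practical control.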
Attribution and Motivation
Dragos did not attribute the attack to any specific hacking group or government, citing a lack of ties to previous activities and tools and the company's policy against attributing cyberattacks. However, Graham suggested the operation was intended to undermine Ukrainian morale through psychological means rather than kinetic attacks.
Dragos' Phil Tonkin emphasized the importance of neither underplaying nor overhyping FrostyGoop. While it is a significant threat, it is not immediately capable of bringing down a nation's power grid.
This article was updated to include comments from the Security Council of Ukraine.