Malware Shuts Down Heating in Ukrainian City

Researchers and Ukrainian authorities report that a cyberattack on Lviv’s energy company left residents without heating for two days in mid-January

Dragos, a cybersecurity company, released a report on Tuesday that provided information regarding FrostyGoop. This new malware purportedly targets industrial control systems, specifically a specific type of heating system controller.

According to their report, Dragos researchers initially identified the malware in April. Dragos believed that FrostyGoop was solely utilized for testing then and possessed no additional information except the malware sample. Nevertheless, Ukrainian authorities later informed Dragos that they had discovered evidence that the malware was actively employed in a cyberattack in Lviv from the late evening of January 22 to January 23.

“During a call with reporters briefed on the report before its release, Magpie Graham, a researcher at Dragos, stated that this led to the loss of heating in over 600 apartment buildings for nearly 48 hours.”

Graham, Kyle O’Meara, and Carolyn Ahlers, researchers at Dragos, stated in the report that “the civilian population was subjected to sub-zero temperatures for nearly two days due to the incident’s remediation.”

This is the third confirmed outage associated with cyberattacks that has affected Ukrainians in recent years. Although the researchers stated that the malware was unlikely to result in widespread disruptions, it indicates a heightened effort by malicious hackers to target critical infrastructure, such as energy grids.

According to Dragos, the FrostyGoop malware is intended to communicate with industrial control devices (ICS) via Modbus, a protocol used for decades to regulate devices in industrial environments. Consequently, FrostyGoop has the potential to infiltrate other companies and facilities worldwide.

Graham informed reporters that at least 46,000 ICS devices are currently Internet-connected and support Modbus.

Dragos reported that FrostyGoop is the ninth malware specifically designed for ICS that it has encountered. The most renowned of these is Industroyer (also known as CrashOverride), employed by the notorious hacking group Sandworm, affiliated with the Russian government, to disable the lights in Kyiv and subsequently disconnect electrical substations in Ukraine.

Dragos has also observed Triton, which was deployed against a Saudi petrochemical plant and an unknown second facility later on, in addition to the cyberattacks targeting Ukraine. Last year, Mandiant detected the CosmicEnergy malware.

According to Dragos researchers, the FrostyGoop malware’s hackers initially obtained access to the network of the municipal energy company they were targeting by exploiting a vulnerability in a Mikrotik router that was exposed to the internet. The researchers stated that the router was not “adequately segmented” compared to other servers and controllers, including one manufactured by ENCO, a Chinese company.

Graham stated in the call that they discovered open ENCO controllers in Lithuania, Ukraine, and Romania, highlighting that the malware could be targeted elsewhere by the hackers in control, even though FrostyGoop was employed in a targeted attack in Lviv this time.
ENCO and its employees did not promptly respond to TechCrunch’s request for comment.

“The controllers were not targeted by the adversaries for destruction.” Instead, the adversaries caused the controllers to report inaccurate measurements, which led to the system’s incorrect operation and the loss of heating to consumers, as stated by the researchers.

The researchers concluded during the investigation that the hackers “possibly gained access” to the targeted network in April 2023, nearly a year before the malware deployment and the subsequent turn-off of the heat. The hackers continued to access the network in the following months, and on January 22, 2024, they connected through Moscow-based IP addresses, as per the report.

Graham stated that Dragos refrained from attributing the cyber-enabled outage to any known hacking group or government despite the Russian IP addresses. This was due to the company’s inability to identify any connections to previous activities or tools, as well as the company’s established policy of not attributing cyberattacks.

Graham indicated that he and his colleagues think this disruptive operation was executed via the Internet rather than by launching missiles at the facility. This was likely done to lower the morale of Ukrainian residents.
Graham stated, “I believe that it is primarily a psychological endeavor, enabled by cyber means when perhaps kinetic methods were not the most appropriate approach.”

Lastly, Phil Tonking, Dragos’ chief technology officer, emphasized the importance of not overhyping FrostyGoop but not underplaying it.
“It is crucial to acknowledge that this is a tool that has been actively employed,” he stated during the press conference. “However, it is equally crucial that we do not assume this will immediately disrupt the nation’s power grid.”