Novel ICS Malware ‘FrostyGoop’ Targeting Critical Infrastructure
Cybersecurity researchers have discovered what they say is the latest Industrial Control Systems (ICS)-focused malware, used in a disruptive cyber attack against an energy company in the Ukrainian city of Lviv in January this year.
Industrial cybersecurity firm Dragos has named the malware FrostyGoop and describes it as the first malware strain that uses Modbus TCP communications directly to tamper with operational technology (OT) networks. The company discovered the malware in April 2024.
“FrostyGoop is an ICS-specific malware coded in Golang that can communicate directly with Industrial Control Systems (ICS) using Modbus TCP via port 502,” researchers Kyle O’Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News.
The malware, designed mainly for Windows systems, is believed to have been used to attack ENCO controllers with TCP port 502 exposed to the internet. It has not been linked to any previously known threat actor or activity group.

FrostyGoop can read and write data to an ICS device’s holding registers, which contain inputs, outputs, and configuration data. It also accepts optional command-line arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to the console and/or a JSON file.
The attack on the municipal district energy company reportedly cut heating to more than 600 apartment buildings for almost 48 hours.
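The register reads and writes described above travel over Modbus TCP in the clear, so a defender monitoring the OT network can see them. The following is an added example, not code from Dragos or from the report: a minimal parser for the Modbus TCP MBAP header and the three holding-register functions (read 0x03, write single 0x06, write multiple 0x10), plus an allowlist check that flags register writes arriving at port 502 from any host other than a known engineering workstation. The allowlist address, the device addresses and every frame below are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public Modbus function codes (Modbus application protocol specification).
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {FC_WRITE_SINGLE_REGISTER, FC_WRITE_MULTIPLE_REGISTERS}
MODBUS_PORT = 502

# Constructed allowlist (assumption): the only host permitted to write registers.
ENGINEERING_HOSTS = {"10.0.1.5"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int
    values: Tuple[int, ...]  # register values for writes; empty for reads


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse an MBAP header plus PDU for the three register functions above.

    Returns None for truncated frames, a non-zero protocol id, a length field
    that does not match the frame, or function codes this parser does not handle.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # The MBAP length field counts every byte after itself (unit id + PDU).
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    pdu = payload[8:]
    if fc in (FC_READ_HOLDING_REGISTERS, FC_WRITE_SINGLE_REGISTER):
        if len(pdu) != 4:
            return None
        addr, word = struct.unpack(">HH", pdu)  # word = quantity (read) or value (write)
        if fc == FC_READ_HOLDING_REGISTERS:
            return ModbusRequest(tid, unit, fc, addr, word, ())
        return ModbusRequest(tid, unit, fc, addr, 1, (word,))
    if fc == FC_WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 5:
            return None
        addr, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if qty < 1 or byte_count != 2 * qty or len(pdu) != 5 + byte_count:
            return None
        values = struct.unpack(">%dH" % qty, pdu[5:])
        return ModbusRequest(tid, unit, fc, addr, qty, values)
    return None


def classify(src_ip: str, dst_port: int, payload: bytes):
    """Return (severity, request); severity is None when the flow is ignored."""
    if dst_port != MODBUS_PORT:
        return None, None
    req = parse_modbus_tcp(payload)
    if req is None:
        return None, None
    if src_ip in ENGINEERING_HOSTS:
        return "info", req
    if req.function_code in WRITE_FUNCTIONS:
        return "high", req      # register write from an unexpected host
    return "medium", req        # register read from an unexpected host


def scan(flows) -> List[dict]:
    """Run classify over (src_ip, dst_ip, dst_port, payload) records; return alerts."""
    alerts = []
    for src_ip, dst_ip, dst_port, payload in flows:
        severity, req = classify(src_ip, dst_port, payload)
        if severity in ("high", "medium"):
            alerts.append({
                "severity": severity, "src_ip": src_ip, "dst_ip": dst_ip,
                "unit_id": req.unit_id, "function_code": req.function_code,
                "start_address": req.start_address, "values": req.values,
            })
    return alerts


# Constructed sample flows (not captured traffic): hex is MBAP header + PDU.
SAMPLE_FLOWS = [
    # engineering host reads 10 holding registers from address 0: expected
    ("10.0.1.5", "10.0.2.20", 502, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # engineering host writes register 16: permitted by the allowlist
    ("10.0.1.5", "10.0.2.20", 502, bytes.fromhex("0002 0000 0006 01 06 0010 0000")),
    # unknown host writes register 16 to zero: high-severity alert
    ("203.0.113.7", "10.0.2.20", 502, bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
    # unknown host writes two registers starting at 32: high-severity alert
    ("203.0.113.7", "10.0.2.20", 502, bytes.fromhex("0004 0000 000b 01 10 0020 0002 04 1234 5678")),
    # unknown host reads registers: medium-severity alert
    ("203.0.113.7", "10.0.2.20", 502, bytes.fromhex("0005 0000 0006 01 03 0000 0002")),
    # truncated frame (length field says 6, only 4 bytes follow): ignored
    ("203.0.113.7", "10.0.2.20", 502, bytes.fromhex("0006 0000 0006 01 06 0010")),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

The allowlist is the point: on a district-heating network there is normally a very short list of hosts that should ever write holding registers, so a write from anywhere else, especially from an internet-routable source, is worth an alert on its own, before any question of what value was written.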
“The adversaries transmitted Modbus commands to ENCO controllers, leading to inaccurate readings and system malfunctions,” the researchers said in a conference call, noting that initial access was possibly obtained by exploiting a vulnerability in Mikrotik routers in April 2023.
“The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions. Rectification took almost two days.”
Although FrostyGoop makes heavy use of the Modbus protocol for client/server communications, it is not the only ICS malware to do so. In 2022, Dragos and Mandiant detailed another ICS malware, PIPEDREAM (also known as INCONTROLLER), that leveraged several industrial network protocols, including OPC UA, Modbus, and CODESYS, for interaction.
FrostyGoop is also the ninth ICS-focused malware, after Stuxnet, Havex, Industroyer (also known as CrashOverride), Triton (also known as Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.
The malware’s ability to read or modify data on ICS devices over Modbus has severe consequences for industrial operations and public safety, Dragos said, noting that more than 46,000 internet-exposed ICS devices communicate over the widely used protocol.
“The targeted focusing of ICS utilizing Modbus TCP over port 502 and the potential to communicate directly with different ICS devices present a grave risk to vital infrastructure spanning multiple sectors,” the researchers cautioned.
“Organizations need to prioritize the implementation of comprehensive cybersecurity frameworks to protect critical infrastructure from similar threats in the future.”
