Cybersecurity researchers have identified the ninth malware targeting Industrial Control Systems (ICS), dubbed “FrostyGoop,” which was used in a cyber attack against an energy company in Lviv, Ukraine, this January.
Industrial cybersecurity firm Dragos discovered FrostyGoop in April 2024. This malware strain is the first to use Modbus TCP communications directly to sabotage operational technology (OT) networks.
“FrostyGoop is an ICS-specific malware written in Golang that interacts directly with Industrial Control Systems using Modbus TCP over port 502,” researchers Kyle O’Meara, Magpie (Mark) Graham, and Carolyn Ahlers reported in a technical brief shared with The Hacker News.
The malware runs primarily on Windows systems and targets ENCO controllers that have TCP port 502 exposed to the internet. It has not been linked to any known threat actor or activity group.
FrostyGoop has capabilities to read and write to ICS device holding registers, which contain inputs, outputs, and configuration data. It accepts optional command line arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to a console or JSON file.
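Because the malware's effect comes down to Modbus write requests against holding registers, a defender can watch port 502 traffic for exactly that. The following Python sketch is an added example, not code from Dragos or this article: it parses Modbus/TCP request frames and flags register writes from hosts outside an allowlist; the frames, IP addresses and allowlist are constructed for illustration.

```python
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
# Function codes that change holding-register state; 0x03 only reads them.
WRITE_FUNCTIONS = {0x06: "Write Single Register", 0x10: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_register: int
    quantity: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:  # Modbus/TCP always uses protocol identifier 0
        raise ValueError(f"unexpected protocol id {proto_id}")
    if length != len(frame) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    func, pdu = frame[7], frame[8:]
    if func in (0x03, 0x10):          # start address and register count
        start, qty = struct.unpack(">HH", pdu[:4])
    elif func == 0x06:                # single register address, then value
        start, qty = struct.unpack(">H", pdu[:2])[0], 1
    else:
        start, qty = 0, 0
    return ModbusRequest(tid, unit_id, func, start, qty)


def flag_register_writes(flows, allowed_writers):
    """Return alert strings for holding-register writes from non-allowlisted hosts.

    flows: iterable of (src_ip, dst_ip, dst_port, payload) tuples from a capture.
    """
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_PORT:
            continue
        try:
            req = parse_modbus_tcp(payload)
        except ValueError:
            continue  # not a well-formed Modbus request; out of scope here
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src} -> {dst} unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]} "
                          f"at register {req.start_register} (qty {req.quantity})")
    return alerts


# Constructed sample traffic: an engineering host reads and writes, an external host writes.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.20", 502, bytes.fromhex("000100000006010300000004")),
    ("10.0.0.5", "10.0.1.20", 502, bytes.fromhex("000200000006010600100000")),
    ("198.51.100.7", "10.0.1.20", 502, bytes.fromhex("00030000000b0110001000020400000000")),
    ("10.0.0.9", "10.0.1.20", 80, b"GET / HTTP/1.1"),
]
ALLOWED_WRITERS = {"10.0.0.5"}  # hosts expected to change controller setpoints
```

Running `flag_register_writes(SAMPLE_FLOWS, ALLOWED_WRITERS)` yields a single alert for the external host; in practice the allowlist would come from an asset inventory and the flows from a port 502 capture at the OT boundary.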
The attack on the municipal district energy company resulted in a 48-hour loss of heating services for more than 600 apartment buildings. The researchers noted that the attackers likely exploited a vulnerability in Mikrotik routers in April 2023 to gain initial access.
“The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions,” the researchers stated. “Remediation took almost two days.”
While FrostyGoop extensively uses the Modbus protocol for client/server communications, it is not unique. In 2022, Dragos and Mandiant detailed another ICS malware, PIPEDREAM (aka INCONTROLLER), which leveraged various industrial network protocols such as OPC UA, Modbus, and CODESYS.
FrostyGoop is the ninth ICS-focused malware, following Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, COSMICENERGY, and PIPEDREAM.
Dragos emphasized that the malware’s ability to read or modify data on ICS devices using Modbus has severe consequences for industrial operations and public safety. More than 46,000 internet-exposed ICS appliances communicate over this widely used protocol.
“The specific targeting of ICS using Modbus TCP over port 502 and the potential to interact directly with various ICS devices pose a serious threat to critical infrastructure across multiple sectors,” the researchers said.
“Organizations must prioritize the implementation of comprehensive cybersecurity frameworks to safeguard critical infrastructure from similar threats in the future.”