Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber-attack targeting an energy company in the Ukrainian city of Lviv earlier this January.
Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop, describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024.
“FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502,” researchers Kyle O’Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report.
The malware, primarily targeting Windows systems, is thought to have been used against ENCO controllers with exposed TCP port 502. It hasn’t been associated with any known threat actors or attack patterns.
FrostyGoop can interact directly with ICS devices, reading and modifying the holding registers that govern a controller's inputs, outputs, and configuration settings. It is customized via command-line arguments and takes JSON files that specify the target devices and the Modbus commands to issue, and it can log its activity to the console or to a JSON file. Nothing in that workflow requires an exploit against the controller itself: Modbus TCP carries no authentication or encryption, so any host that can reach port 502 can issue the same reads and writes a legitimate HMI or engineering workstation would.
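Because Modbus itself will not distinguish the malware's writes from an operator's, the practical control is to watch port 502 for write function codes from hosts that have no business issuing them. The following is an added example, not code from the Dragos report or from FrostyGoop: it parses Modbus/TCP request frames (the 7-byte MBAP header plus the PDU) and flags writes to coils or holding registers from any source not on an allowlist. The IP addresses, register numbers and allowlist are constructed for illustration.

```python
"""Flag Modbus/TCP register writes from hosts that are not allowed to issue them.

Added example, not code from the FrostyGoop report. The sample frames below
are constructed by hand to resemble traffic on TCP/502; the IP addresses,
register numbers and allowlist are illustrative assumptions.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change device state (coils or holding registers).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU bytes after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def build_request(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def decode_write(req: ModbusRequest):
    """Return (start address, written values) for the common write function codes."""
    d, fc = req.data, req.function_code
    if fc in (5, 6):                       # address, 16-bit value
        addr, value = struct.unpack(">HH", d[:4])
        return addr, [value]
    if fc == 16:                           # start, quantity, byte count, words
        start, qty, nbytes = struct.unpack(">HHB", d[:5])
        return start, list(struct.unpack(f">{qty}H", d[5:5 + nbytes]))
    if fc == 15:                           # start, quantity, byte count, packed bits
        start, qty, nbytes = struct.unpack(">HHB", d[:5])
        return start, list(d[5:5 + nbytes])
    return (struct.unpack(">H", d[:2])[0] if len(d) >= 2 else None), []


def audit_frames(frames, allowed_writers):
    """Return alerts for write requests from any source not on the allowlist.

    frames: list of (source_ip, raw Modbus/TCP frame). Reads pass silently,
    writes from allowlisted hosts pass, everything else (including a frame
    that fails to parse) is reported with the decoded target and values.
    """
    alerts = []
    for src, raw in frames:
        try:
            req = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append({"src": src, "reason": f"malformed: {exc}"})
            continue
        if req.function_code not in WRITE_FUNCTIONS or src in allowed_writers:
            continue
        start, values = decode_write(req)
        alerts.append({"src": src, "unit": req.unit_id, "start": start,
                       "function": WRITE_FUNCTIONS[req.function_code],
                       "values": values})
    return alerts


# Constructed sample traffic (illustrative hosts, unit ids and registers).
ENGINEERING_WS = "10.0.0.5"
UNKNOWN_HOST = "192.0.2.77"

SAMPLE_FRAMES = [
    # HMI polling: read 10 holding registers from 0 -> normal, no alert
    (ENGINEERING_WS, build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation writes a setpoint -> allowlisted, no alert
    (ENGINEERING_WS, build_request(2, 1, 6, struct.pack(">HH", 0x0010, 55))),
    # Unknown host overwrites two registers at once -> alert
    (UNKNOWN_HOST, build_request(3, 1, 16, struct.pack(">HHBHH", 0x0010, 2, 4, 0, 0))),
    # Unknown host forces a coil on -> alert
    (UNKNOWN_HOST, build_request(4, 1, 5, struct.pack(">HH", 0x0003, 0xFF00))),
    # Truncated frame (MBAP length claims more than is present) -> alert
    (UNKNOWN_HOST, build_request(5, 1, 6, struct.pack(">HH", 0x0010, 1))[:-1]),
]


def run_sample():
    return audit_frames(SAMPLE_FRAMES, allowed_writers={ENGINEERING_WS})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On real traffic the frames would come from a packet capture or a span port rather than the constructed list, and the allowlist would be the handful of HMI and engineering hosts that legitimately write to the controllers; an alert on function code 6 or 16 from anything else, or from a host outside the OT segment, is exactly the behaviour attributed to FrostyGoop above.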
In one notable incident, the malware allegedly disrupted a municipal district energy company, causing a heating outage that affected over 600 apartment buildings for nearly two days.
“The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions,” the researchers said in a conference call, noting initial access was likely gained by exploiting a vulnerability in Mikrotik routers in April 2023. Remediation took almost two days.
FrostyGoop is now the ninth known ICS-targeted malware, following Stuxnet, Havex, BlackEnergy2, Industroyer (CrashOverride), Triton (Trisis), Industroyer2, PIPEDREAM (INCONTROLLER), and COSMICENERGY.
“The specific targeting of ICS using Modbus TCP over port 502 and the potential to interact directly with various ICS devices pose a serious threat to critical infrastructure across multiple sectors,” the researchers said.
“Organizations must prioritize the implementation of comprehensive cybersecurity frameworks to safeguard critical infrastructure from similar threats in the future.”