A new type of malware called FrostyGoop targeted a district energy company in western Ukraine, causing malfunctions in heating system controllers, turning off the heating in hundreds of apartment buildings and leaving residents in freezing temperatures in the middle of winter.
Researchers at cybersecurity company Dragos explain that at the time of the attack “the facility fed over 600 apartment buildings in the Lviv metropolitan area, supplying customers with central heating. Remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures.”
According to Cybernews, although the FrostyGoop malware was first discovered in April, both Dragos and Ukrainian authorities revealed it was also used in the attack in January. Malicious actors reportedly spent months preparing to hit the energy company, accessing the network nearly a year before the attack itself occurred.
Dragos reports that the attackers gained access to the victim's network in the April before the January attack by exploiting a flaw in an externally facing MikroTik router. Three days later they deployed a web shell tunnel, and on two later occasions (in late November and early December) they retrieved user credentials to extend their access.
No cybergang or hacking group has yet been officially attributed the attack, but the researchers note that on the day of the attack itself, “adversaries initiated L2TP connections to Moscow-based IP addresses.”
What was new about this attack was that the malicious actors behind it used Modbus communications, a protocol used to connect IT with operational technology. The protocol has existed for a long time (since 1979), and although the Modbus Organization has maintained the Modbus protocols since 2004, it is considered extremely insecure because it offers no encryption.
The researchers concluded: “FrostyGoop’s capabilities to interact with ICS devices via Modbus TCP and its undetected status by antivirus vendors highlight the critical need for robust OT cybersecurity measures. The cyberattack on the municipal district energy company in Lviv, Ukraine, is a stark reminder of the potential real-world impacts of such vulnerabilities.”
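The Modbus/TCP weakness described above is easy to see once the wire format is laid out: the 7-byte MBAP header and the function code that follows carry no authentication, integrity or confidentiality field, so a network monitor cannot rely on the protocol itself to distinguish a legitimate controller write from a hostile one. The following added example (not code from the article, Dragos or any vendor) parses Modbus/TCP request frames and raises an alert for state-changing function codes issued by hosts that are not allowlisted for the addressed unit, which is the kind of OT monitoring the researchers call for. The sample frames, IP addresses and allowlist are all constructed here for illustration.

```python
"""Minimal Modbus/TCP request inspector (added example): parses the MBAP
header and PDU, then flags write requests from hosts that are not on a
per-unit allowlist. All sample traffic, IPs and the allowlist are constructed."""
import struct
from dataclasses import dataclass

# Function codes that change controller state (Modbus Application Protocol spec).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU. The MBAP header is transaction id (2 bytes),
    protocol id (2, always 0), length (2), unit id (1); the PDU follows with a
    1-byte function code. Nothing in it authenticates the sender."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto_id, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    return ModbusRequest(tid, unit_id, fc, frame[8:])


def assess_request(frame: bytes, src_ip: str, allowed_writers: dict) -> dict:
    """Return a verdict: 'alert' for malformed frames, unexpected function codes
    and writes from a non-allowlisted source; 'info' for reads; 'ok' otherwise."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return {"severity": "alert", "src": src_ip, "reason": f"malformed: {exc}"}

    if req.function_code in WRITE_FUNCTION_CODES:
        name = WRITE_FUNCTION_CODES[req.function_code]
        # Every write PDU starts with a 2-byte starting address.
        address = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
        if src_ip not in allowed_writers.get(req.unit_id, set()):
            return {"severity": "alert", "src": src_ip,
                    "reason": f"{name} to unit {req.unit_id} addr {address} from non-allowlisted host"}
        return {"severity": "ok", "src": src_ip, "reason": f"{name} from allowlisted host"}
    if req.function_code in READ_FUNCTION_CODES:
        return {"severity": "info", "src": src_ip,
                "reason": READ_FUNCTION_CODES[req.function_code]}
    return {"severity": "alert", "src": src_ip,
            "reason": f"unexpected function code {req.function_code:#04x}"}


# Constructed sample traffic: (source IP, raw Modbus/TCP frame as hex).
SAMPLE_TRAFFIC = [
    # Read 10 holding registers from address 0 on unit 1, sent by the SCADA server.
    ("10.10.1.5", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Write Single Register at 0x0010 on unit 1, sent by an unknown host.
    ("10.10.9.77", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    # Write Multiple Registers (2 registers at 0x0020) on unit 1, sent by the SCADA server.
    ("10.10.1.5", bytes.fromhex("0003 0000 000B 01 10 0020 0002 04 0000 0000")),
    # Truncated frame.
    ("10.10.9.77", bytes.fromhex("0004 0000 00")),
]

# Constructed allowlist: only the SCADA server may write to unit 1.
ALLOWED_WRITERS = {1: {"10.10.1.5"}}


def inspect_sample_traffic() -> list:
    """Run every constructed frame through the inspector and return the verdicts."""
    return [assess_request(frame, src, ALLOWED_WRITERS) for src, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for verdict in inspect_sample_traffic():
        print(f"[{verdict['severity']:5}] {verdict['src']:<12} {verdict['reason']}")
```

In a real deployment the allowlist would be built from the site's engineering documentation and the frames would come from a TCP/502 capture or an IDS hook rather than an inline list; the point of the example is that, because Modbus itself offers no way to verify who is writing to a controller, source-based policy and write-function monitoring have to be enforced outside the protocol.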