Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January.

Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop, describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024.

"FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502," researchers Kyle O'Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News.

It's believed that the malware, mainly designed to target Windows systems, has been used to target ENCO controllers with TCP port 502 exposed to the internet. It has not been tied to any previously identified threat actor or activity cluster.

FrostyGoop comes with capabilities to read and write to an ICS device holding registers containing inputs, outputs, and configuration data. It also accepts optional command line execution arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to a console and/or a JSON file.

The incident targeting the municipal district energy company is said to have resulted in a loss of heating services to more than 600 apartment buildings for almost 48 hours.

"The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions," the researchers said in a conference call, noting initial access was likely gained by exploiting an unknown vulnerability in a publicly-accessible Mikrotik router in April 2023.

"The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions. Remediation took almost two days."

While FrostyGoop extensively employs the Modbus protocol for client/server communications, it's far from the only one. In April 2022, Dragos and Mandiant detailed another ICS malware named PIPEDREAM (aka INCONTROLLER) that leveraged various industrial network protocols such as OPC UA, Modbus, and CODESYS for interaction.

It's also the ninth ICS-focused malware discovered in the wild after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.

The malware's ability to read or modify data on ICS devices using Modbus has severe consequences for industrial operations and public safety, Dragos said, adding more than 46,000 internet-exposed ICS appliances communicate over the widely-used protocol.

"The specific targeting of ICS using Modbus TCP over port 502 and the potential to interact directly with various ICS devices pose a serious threat to critical infrastructure across multiple sectors," the researchers said.

"Organizations must prioritize the implementation of comprehensive cybersecurity frameworks to safeguard critical infrastructure from similar threats in the future."
Update#

The Security Service of Ukraine (SBU) has since confirmed to Recorded Future News that the cyber attack compromised the infrastructure of the Lviv-based energy facility Lvivteploenerg.


Note: If this article has helped, please feel free to share. If you'd like to participate and post an article, please send your submissions to info@certificationpoint.org


—————————————---
MARKETING & PROMOTION
—————————————---

Check Out Our Video!
A Smarter Way To Collaborate: https://m.youtube.com/watch?v=hyRxJvIXNR0

Register @ CertificationPoint!
—————————————
https://www.certificationpoint.org/member/index.php?command=signup_page

Find Out More About Student FreelanceWork EXperience Builders
——————————————————————————--------
http://www.certificationpoint.org/stude ... elance.php

Take An Exam Today @ CertificationPoint
——————————--------------------------
http://certificationpoint.net/register.php

APPRENTICESHIPS @ CERTIFICATIONPOINT
——————————-----------------------------------
http://www.certificationpoint.org/Apprenticeship.php

INVESTING IN CERTIFICATIONPOINT
——————————-----------------------
http://www.certificationpoint.org/invest.php

SOCIAL MEDIA
———————
Find us on Twitter: https://twitter.com/@certpointorg
Find us on Facebook: https://www.facebook.com/CertificationPoint
Find us on Google+: https://plus.google.com/117737803640713546061
Find us on Instagram: https://www.instagram.com/certificationpoint/
Find us on Tumblr: https://www.tumblr.com/blog/certificationpoint
Find us on LinkedIn: https://www.linkedin.com/in/certification-point-65a1642b
Find us on Pinterest: https://www.pinterest.com/certoken/

Additional Options For SHARING CertificationPoint
——————————————————-------------
https://www.scribd.com/document/696921433/CertificationPoint-Manifesto
https://www.scribd.com/document/696921430/CertificationPoint-Student-Poster
https://www.scribd.com/document/696921429/CertificationPoint-Student-Flyer
https://www.scribd.com/document/696921428/CertificationPoint-Inc-Course-Catalog-2024
https://www.scribd.com/document/696921427/CertificationPoint-Magazine