In early January 2024, a devastating cyberattack on a local energy company took place in the Ukrainian city of Lviv. Cybersecurity researchers have discovered a ninth malware targeting industrial control systems (ICS). The new malware, dubbed FrostyGoop, is the first to use Modbus TCP communication to sabotage operational technology (OT) networks.
Dragos, an industrial cybersecurity company, discovered FrostyGoop in April 2024. According to their data, this malware, written in the Golang language, is able to communicate with industrial control systems via port 502 using the Modbus TCP protocol.
FrostyGoop has a wide range of capabilities, including reading and writing data to ICS devices, processing Modbus commands, and logging. The main target of this malware was ENCO controllers that have TCP port 502 open to the Internet.
The incident led to the loss of heating services in more than 600 apartment buildings for almost two days. According to the researchers, the attackers sent Modbus commands to the ENCO controllers, which caused inaccurate measurements and system malfunctions. Initial access was likely gained by exploiting a vulnerability in Mikrotik routers in April 2023.
Although FrostyGoop makes extensive use of the Modbus protocol, it is not the only example of such malware. In 2022, Dragos and Mandiant described another ICS malware called PIPEDREAM, which also used various industrial networking protocols.
The ability of malware to read or modify data on ICS devices using Modbus poses a serious threat to industrial operations and public safety. Dragos notes that more than 46,000 ICS devices available on the Internet communicate using this protocol.
The researchers emphasize the importance of implementing comprehensive cybersecurity systems to protect critical infrastructure from similar threats in the future.
Comments 0