July 24, 2024
Severity
High
Analysis Summary
In January 2024, cybersecurity researchers discovered FrostyGoop, the ninth known Industrial Control Systems (ICS)-focused malware used in a cyberattack targeting an energy company in Lviv, Ukraine.
An industrial cybersecurity firm identified FrostyGoop as the first malware strain to use Modbus TCP communications to disrupt operational technology (OT) networks directly. The malware, written in Golang and designed mainly to target Windows systems, was found to interact directly with ICS devices using Modbus TCP over port 502. Researchers said that FrostyGoop targets ENCO controllers exposed to the internet but has not been linked to any known threat actor.
FrostyGoop can read and write ICS device holding registers, which contain inputs, outputs, and configuration data. It supports optional command line arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to the console or to a JSON file. By sending Modbus commands to ENCO controllers, the malware caused significant disruption, leading to a loss of heating services for over 600 apartment buildings for nearly 48 hours. Researchers believe initial access was gained by exploiting a vulnerability in Mikrotik routers in April 2023.
This incident highlights the severe consequences of malware targeting ICS over Modbus TCP, a widely used protocol in industrial operations. FrostyGoop’s ability to manipulate data on ICS devices underscores the potential risks to public safety and critical infrastructure. The attack on the Lviv energy company caused inaccurate measurements and system malfunctions, requiring almost two days of remediation. Although FrostyGoop is notable for its use of Modbus, it is not the only ICS malware: others include PIPEDREAM, Stuxnet, Havex, Industroyer, Triton, BlackEnergy2, Industroyer2, and COSMICENERGY.
Researchers emphasized the critical need for organizations to implement comprehensive cybersecurity frameworks to protect critical infrastructure from similar threats. With over 46,000 internet-exposed ICS appliances communicating via Modbus, the specific targeting of ICS using Modbus TCP over port 502 poses a significant threat across multiple sectors. The researchers call for heightened cybersecurity measures to safeguard against the growing threats to ICS and OT networks.
Impact
- Operational Disruption
- Data Manipulation
- Command Execution
Remediation
- Ensure all systems, especially those using Mikrotik routers, are updated with the latest security patches to close known vulnerabilities.
- Isolate ICS networks from corporate networks and the internet using firewalls and VLANs to prevent unauthorized access.
- Restrict access to Modbus TCP port 502 and use network access control lists (ACLs) to limit communications to trusted devices.
- Implement continuous network monitoring to detect and respond to unusual or unauthorized Modbus TCP traffic.
- Deploy intrusion detection systems (IDS) to identify suspicious activities and potential intrusions on the ICS network.
- Use strong, multi-factor authentication for accessing ICS and OT systems to reduce the risk of unauthorized access.
- Perform regular security assessments and penetration testing to identify and mitigate potential vulnerabilities.
- Develop and regularly update an incident response plan specific to ICS/OT environments to ensure quick and effective responses to security breaches.
- Provide ongoing cybersecurity training for employees, focusing on recognizing phishing attempts and other social engineering attacks.
- Regularly back up ICS configuration and critical data, ensuring backups are stored securely and tested for reliability.
- Apply security controls such as antivirus, endpoint protection, and application whitelisting on all systems interfacing with ICS devices.
- Restrict remote access to ICS networks and ensure any necessary remote connections are secure and monitored.
- Regularly review and harden the configurations of ICS devices and controllers to minimize the attack surface.
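The monitoring and ACL recommendations above come down to one detection question: which hosts are issuing Modbus writes to holding registers on port 502, and are they on the allowlist? As an added example (not code from the original advisory or from the researchers who analyzed FrostyGoop), the Python below parses Modbus/TCP request frames for the holding-register function codes and raises an alert for writes from any source outside a constructed allowlist. The IP addresses, the allowlist, and the sample frames are constructed for illustration.

```python
import struct

# Modbus function codes that touch holding registers (Modbus application protocol spec)
FC_READ_HOLDING, FC_WRITE_SINGLE, FC_WRITE_MULTIPLE = 0x03, 0x06, 0x10
WRITE_CODES = {FC_WRITE_SINGLE, FC_WRITE_MULTIPLE}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse one Modbus/TCP request (7-byte MBAP header + PDU) into a dict."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc, pdu = payload[7], payload[8:]
    req = {"unit": unit, "fc": fc, "addr": 0, "count": 0, "values": []}
    if fc in (FC_READ_HOLDING, FC_WRITE_SINGLE):
        addr, word = struct.unpack(">HH", pdu[:4])  # (start, quantity) or (register, value)
        req.update(addr=addr, count=1 if fc == FC_WRITE_SINGLE else word,
                   values=[word] if fc == FC_WRITE_SINGLE else [])
    elif fc == FC_WRITE_MULTIPLE:
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) < 5 + nbytes:
            raise ValueError("byte count does not match register quantity")
        req.update(addr=addr, count=qty, values=list(struct.unpack(f">{qty}H", pdu[5:5 + nbytes])))
    return req

def check_flow(src_ip: str, dst_port: int, payload: bytes, trusted: set):
    """Return an alert string for Modbus/TCP requests from hosts outside the allowlist, else None."""
    if dst_port != 502 or src_ip in trusted:
        return None
    r = parse_modbus_tcp(payload)
    if r["fc"] in WRITE_CODES:  # writes to holding registers are what changes controller state
        return (f"CRITICAL untrusted {src_ip} wrote {r['count']} holding register(s) "
                f"at {r['addr']} on unit {r['unit']}: {r['values']}")
    return f"WARN untrusted {src_ip} sent Modbus function 0x{r['fc']:02x} to unit {r['unit']}"

# Constructed sample data (not captured traffic): one allowlisted HMI and one unknown host
TRUSTED = {"10.0.5.10"}
SAMPLE_FLOWS = [
    ("10.0.5.10", 502, bytes.fromhex("0001000000060103000A0002")),            # FC3: read 2 regs at 10
    ("10.0.9.77", 502, bytes.fromhex("0002000000060106000A0000")),            # FC6: write 0 to reg 10
    ("10.0.9.77", 502, bytes.fromhex("00030000000B011000100002040000FFFF")),  # FC16: write 2 regs at 16
]

def run(flows=SAMPLE_FLOWS, trusted=TRUSTED) -> list:
    return [a for a in (check_flow(s, p, b, trusted) for s, p, b in flows) if a]

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Reads from unknown hosts are reported as warnings because they can be reconnaissance of register layout, while writes are the action that actually changes controller state.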