Dragos uncovers new malware FrostyGoop targeting ICS systems

Dragos, a company specialising in cybersecurity for industrial environments, has uncovered a new malware that poses a significant threat to operational technology (OT) infrastructure, such as energy plants and water utilities.

The malware, named FrostyGoop, is noted for its use of Modbus TCP communications, a prevalent protocol in industrial control systems (ICS), to achieve its disruptive effects. This discovery raises alarms about the vulnerability of critical infrastructure to cyber-attacks.

The Cyber Security Situation Center (CSSC), part of the Security Service of Ukraine, reported that a district energy company in Lviv was affected by a cyber-attack utilising this malware.

The incident, which left over 600 apartments without heating for two days, highlights the potential impact FrostyGoop could have on a larger scale if left unmitigated.

Magpie Graham, Principal Adversary Hunter and Technical Director at Dragos, commented on the gravity of the situation.

"We've already identified at least 40 ENCO controllers across Europe which are directly vulnerable to FrostyGoop via the open internet. Malicious actors could access these devices, communicate over Modbus TCP, manipulate control, modify parameters, and send unauthorised command messages," he said.

"Beyond this specific brand of controller, upwards of 46,000 exposed Modbus TCP devices could be subject to similar attacks."

Dragos's report elaborates that FrostyGoop is only the ninth known malware specifically targeting ICS and is unique in its utilisation of Modbus TCP.

This protocol, widely used in industrial environments for communication between controllers and other devices, makes the malware particularly threatening due to its ability to interact with both legacy and modern systems.

The attack in Ukraine was facilitated by several vulnerabilities, including an undetermined flaw in an externally facing Mikrotik router and inadequate network segmentation. The adversaries managed to exploit these weaknesses to access the energy company's network and inject malicious Modbus commands, causing system disruptions and inaccurate measurements.

To mitigate these kinds of threats, Dragos emphasises the importance of ICS network visibility and monitoring of Modbus traffic. It is essential to detect and flag deviations from normal behaviour and identify attack patterns that exploit the Modbus protocol.

"Whilst this particular energy company recovered within two days, the potential risk to unprotected critical infrastructure across Europe and around the world is clear," Graham said.

"As a first step, organisations must secure themselves by utilising network segmentation, along with strict privilege and user access control practices to prevent these kinds of attacks."

The discovery of FrostyGoop highlights the ongoing vulnerabilities within operational technology infrastructures globally. The malware’s ability to interact with ICS devices and execute unauthorised commands underscores the urgent need for enhanced cybersecurity measures.

Dragos's findings serve as a crucial warning and a call to action for industries reliant on ICS to bolster their defences against evolving cyber threats.