Cybersecurity researchers have discovered a ninth piece of malware targeting industrial control systems (ICS), which was used in a devastating cyberattack that targeted an energy company in the Ukrainian city of Lviv earlier this year.
Industrial cybersecurity company Dragos, which named the malware FrostyGoop, says it is the first malware to use Modbus TCP communications directly to disrupt operational technology (OT) networks. The company discovered it in April 2024.
“FrostyGoop is an ICS-specific malware written in Go that is capable of directly communicating with Industrial Control Systems (ICS) using Modbus TCP over port 502,” researchers Kyle O’Meara, Magpie (Mark) Graham and Carolyn Ahlers wrote in a technical report shared with The Hacker News.
The malware is a Windows binary: it does not run on the controllers themselves but talks to them over the network, and it is believed to have been used against ENCO controllers that had TCP port 502 exposed to the internet. It has not been associated with any previously identified threat actor or activity cluster.
FrostyGoop can read from and write to the registers of ICS devices, where input, output, and configuration data are held. It accepts optional command-line arguments, uses a JSON-formatted configuration file to specify target IP addresses and the Modbus commands to send, and logs its output to the console and/or a JSON file.
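To make the “Modbus TCP over port 502” point concrete, here is an added example (written for this page, not code from FrostyGoop or from Dragos) that builds and parses Modbus TCP frames according to the public Modbus application protocol layout (a 7-byte MBAP header followed by the PDU) and then runs a simple network detection over constructed traffic: any write function code sent to port 502 from a host that is not an allowlisted engineering workstation is raised as an alert. The packet samples, IP addresses, and allowlist are constructed for the example; real deployments would feed it from a packet capture or span port.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is a decoded Modbus TCP ADU: the 7-byte MBAP header plus the PDU.
type Frame struct {
	TransactionID uint16
	ProtocolID    uint16 // always 0 for Modbus
	UnitID        uint8
	Function      uint8
	Data          []byte // PDU bytes after the function code
}

// BuildRequest encodes a request whose PDU is a function code followed by two 16-bit
// fields. That covers Read Holding Registers (0x03: start address, quantity) and Write
// Single Register (0x06: register address, value). The MBAP header carries the
// transaction ID, protocol ID 0, the length of unit ID + PDU, and the unit ID.
func BuildRequest(fc uint8, txID uint16, unit uint8, addr, val uint16) []byte {
	adu := make([]byte, 12)
	binary.BigEndian.PutUint16(adu[0:], txID)
	binary.BigEndian.PutUint16(adu[2:], 0)
	binary.BigEndian.PutUint16(adu[4:], 6) // unit ID (1) + function (1) + two fields (4)
	adu[6] = unit
	adu[7] = fc
	binary.BigEndian.PutUint16(adu[8:], addr)
	binary.BigEndian.PutUint16(adu[10:], val)
	return adu
}

// Decode parses one Modbus TCP ADU, validating the header before trusting it.
func Decode(b []byte) (Frame, error) {
	if len(b) < 8 {
		return Frame{}, errors.New("short frame")
	}
	f := Frame{
		TransactionID: binary.BigEndian.Uint16(b[0:]),
		ProtocolID:    binary.BigEndian.Uint16(b[2:]),
		UnitID:        b[6],
		Function:      b[7],
	}
	if f.ProtocolID != 0 {
		return Frame{}, fmt.Errorf("not Modbus: protocol id %d", f.ProtocolID)
	}
	length := int(binary.BigEndian.Uint16(b[4:]))
	if length < 2 || 6+length > len(b) {
		return Frame{}, fmt.Errorf("bad length %d for %d-byte frame", length, len(b))
	}
	f.Data = b[8 : 6+length]
	return f, nil
}

// IsWrite reports whether a function code changes device state: the write coil and
// register variants (0x05, 0x06, 0x0F, 0x10), mask write (0x16), read/write multiple (0x17).
func IsWrite(fc uint8) bool {
	switch fc {
	case 0x05, 0x06, 0x0F, 0x10, 0x16, 0x17:
		return true
	}
	return false
}

// Packet is a captured TCP payload with its source address and destination port;
// Alert records a write sent to port 502 from a host outside the allowlist.
type Packet struct {
	Src     string
	DstPort int
	Payload []byte
}
type Alert struct {
	Src      string
	TxID     uint16
	Unit     uint8
	Function uint8
}

// DetectUnauthorizedWrites flags Modbus writes to port 502 whose source is not an
// allowlisted engineering host. Malformed frames are skipped rather than alerted on.
func DetectUnauthorizedWrites(pkts []Packet, allowed map[string]bool) []Alert {
	var alerts []Alert
	for _, p := range pkts {
		if p.DstPort != 502 || allowed[p.Src] {
			continue
		}
		f, err := Decode(p.Payload)
		if err != nil || !IsWrite(f.Function) {
			continue
		}
		alerts = append(alerts, Alert{Src: p.Src, TxID: f.TransactionID, Unit: f.UnitID, Function: f.Function})
	}
	return alerts
}

func main() {
	// Constructed traffic: a read and a write from an unknown host, a write from the allowlisted HMI.
	pkts := []Packet{
		{Src: "203.0.113.7", DstPort: 502, Payload: BuildRequest(0x03, 1, 1, 0, 10)},
		{Src: "203.0.113.7", DstPort: 502, Payload: BuildRequest(0x06, 2, 1, 40, 0)},
		{Src: "10.10.0.20", DstPort: 502, Payload: BuildRequest(0x06, 3, 1, 40, 55)},
	}
	for _, a := range DetectUnauthorizedWrites(pkts, map[string]bool{"10.10.0.20": true}) {
		fmt.Printf("ALERT write fc=0x%02x unit=%d tx=%d from %s\n", a.Function, a.Unit, a.TxID, a.Src)
	}
}
```

The point of the detection is that Modbus has no authentication: a controller will honour a well-formed write from any host that can reach port 502, so the only signals available are who sent it and whether the function code modifies state. Allowlisting by source address is a reasonable first filter on a flat OT segment, but it does not help once an attacker is already on an allowlisted host; pairing it with register-value sanity checks and with blocking port 502 at the internet edge is what closes the gap the article describes.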
The attack, which targeted the city’s local energy company, is said to have cut off heating services to more than 600 apartments for nearly 48 hours.
“The attackers sent Modbus commands to ENCO’s controllers, causing inaccurate measurements and system malfunctions. Repairs took almost two days,” the researchers said, noting that initial access was likely gained in April 2023 by exploiting a vulnerability in a MikroTik router.
While FrostyGoop makes extensive use of Modbus for its client/server communications, it is not the first ICS malware to speak the protocol: in 2022, Dragos and Mandiant detailed PIPEDREAM (aka INCONTROLLER), which leveraged several industrial network protocols, including OPC UA, Modbus, and CODESYS.
Counting PIPEDREAM, FrostyGoop is the ninth known ICS-specific malware, after Stuxnet, Havex, BlackEnergy2, Industroyer (aka CrashOverride), Triton (aka Trisis), Industroyer2, and COSMICENERGY.
The malware’s ability to read and modify data on ICS devices that speak Modbus has serious implications for industrial operations and public safety, Dragos said, adding that more than 46,000 internet-exposed ICS devices communicate over this widely used protocol.
“The specific targeting of ICS using Modbus TCP over port 502 and the potential to directly interact with a wide range of ICS devices poses a serious threat to critical infrastructure across multiple sectors,” the researchers said.
“Organizations should prioritize the implementation of comprehensive cybersecurity frameworks to protect their critical infrastructure from similar threats in the future.”