Lvivteproenergo did not respond to WIRED’s request for comment, nor did SBU. Ukraine’s cybersecurity agency, the State Special Service for the Protection of Communications and Information, declined to comment.
In his analysis of the attack on the heating plant, Dragos said that FrostyGoop malware was used to target ENCO control devices, a Modbus-enabled industrial monitoring tool sold by Lithuanian company Axis Industries, to change the temperature output and stop the flow of hot water. According to Dragos, the hackers had actually exploited a vulnerable MikroTik router as an entry point to gain access to the network several months prior to the attack, in April 2023. The hackers then set up their own VPN connection on the network, connecting to an IP address in Moscow.
Despite the Russian ties, Dragos said it hasn’t linked the heating intrusion to any known hacker groups that the company tracks. Specifically, Dragos noted that it hasn’t linked the hack to the usual suspects, such as Kamacite or Electrum, Dragos’ own internal names for a notorious unit of Russia’s military intelligence agency, the GRU, known more widely as Sandworm.
Dragos found that while the hackers compromised the heating plant’s network to send FrostyGoop Modbus commands to target ENCO devices and cripple the plant’s services, the malware appears to have been hosted on the hackers’ own computer rather than on the victim’s network. This means that antivirus alone is unlikely to prevent future use of this tool; what is needed instead is network monitoring and segmentation to protect vulnerable Modbus devices, warns Dragos analyst Mark “Magpie” Graham. “The ability to interact with the device remotely means it doesn’t necessarily need to be deployed into the target environment,” Graham says. “You might never see this malware in your environment, just its effects.”
While the Lviv heating plant’s ENCO devices were attacked from inside the network, Dragos also warned that earlier versions of FrostyGoop it found were configured to attack ENCO devices that were publicly accessible over the open internet. Dragos said that in its own scans it found at least 40 ENCO devices that were similarly left vulnerable online. The company warned that there could in fact be tens of thousands of other Modbus-enabled devices connected to the internet that could be similarly attacked. “We believe FrostyGoop can interact with a huge number of devices, and we’re conducting research to validate which devices are actually vulnerable,” Graham said.
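The defensive consequence of the two paragraphs above is that the only trace of FrostyGoop a victim may see is its Modbus traffic, so detection has to look at Modbus itself. The following is an added example, not code from the article or from Dragos: it parses Modbus/TCP request frames and flags write function codes coming from any host outside an assumed allowlist of engineering workstations. The IP addresses, the allowlist and the frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus function codes that change device state; read codes (1-4) are not flagged.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function_code: int
    address: Optional[int]  # first register/coil the request addresses, when present

def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:  # length field counts unit id, function code and data
        raise ValueError("MBAP length does not match frame size")
    data = frame[8:]
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    return ModbusRequest(src, dst, unit_id, fc, address)

def flag_unexpected_writes(traffic: List[Tuple[str, str, bytes]],
                           allowed_writers: Set[str]) -> List[str]:
    """Return one alert per write request whose source is not an approved engineering host."""
    alerts = []
    for src, dst, frame in traffic:
        req = parse_modbus_tcp(src, dst, frame)
        if req.function_code in WRITE_FUNCTION_CODES and req.src not in allowed_writers:
            alerts.append(f"{req.src} -> {req.dst} unit {req.unit_id}: "
                          f"{WRITE_FUNCTION_CODES[req.function_code]} at address {req.address}")
    return alerts

# Constructed sample frames (not from any real capture): tid, proto=0, length, unit, fc, data.
SAMPLE_TRAFFIC = [
    ("10.0.1.20", "10.0.1.50", bytes.fromhex("000100000006010300000002")),  # HMI reads 2 registers
    ("10.0.1.20", "10.0.1.50", bytes.fromhex("000200000006010600100041")),  # HMI writes register 16
    ("10.0.9.77", "10.0.1.50", bytes.fromhex("00030000000601060010001e")),  # unknown host writes
]
ALLOWED_WRITERS = {"10.0.1.20"}  # assumed: the plant's own engineering workstation / HMI
if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(alert)
```

The same check applied at the network perimeter, with an empty allowlist, is a direct test for the internet-exposed case Dragos describes, since no external host should ever be writing to a Modbus device.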
While Dragos has not officially linked the Lviv attack to the Russian government, Graham himself has not hesitated to describe the attack as part of Russia’s war against Ukraine, which has brutally destroyed Ukraine’s critical infrastructure with bombs since 2022, and with cyberattacks that began long before that, in 2014. Graham argues that the digital targeting of heating infrastructure in the middle of a Ukrainian winter may be a sign of Russia’s return to sabotage through hacking, especially in western Ukraine, as the Ukrainians have improved their ability to shoot down Russian missiles. “Cyber may actually be more efficient and more likely to be successful against cities over there, but kinetic energy weapons may still be effective at closer ranges,” Graham says. “They’re trying to use every tool in their arsenal, full spectrum, full range.”
But even as these tools evolve, Graham describes the hackers’ objective in terms that have remained largely unchanged throughout Russia’s decade of terrorizing its neighbors: psychological warfare aimed at weakening Ukraine’s will to resist. “This is how you chip away at people’s will,” Graham says. “It’s not like we’re going to turn off the heating for the whole winter, but it’s enough to get people thinking: Is this the right thing to do? Should we keep fighting?”