This malware shut down Ukraine's heat and we are worried
In a cyberattack this January, over 600 apartment buildings in Lviv, Ukraine experienced a two-day heating system outage caused by malware named FrostyGoop. A report by the cybersecurity firm Dragos revealed that the malware targeted the Modbus industrial communication protocol, which is widely used around the world to control devices in industrial environments. The creators of FrostyGoop remain unidentified; Dragos tracks them under the code TAT2024-24.
A unique threat to industrial control systems
FrostyGoop, written in Go using open-source software libraries, is the ninth unique piece of industrial control systems (ICS)-focused malware used in disruptions or attacks. Dragos has not attributed the malware to any specific threat actor. The attackers reportedly compromised the networks of Lviv's municipal energy provider 10 months before the attack, through a vulnerability in a Mikrotik router. They spent the rest of the year preparing, including obtaining user credentials for the energy system.
Preparations for the attack
The researchers believe that the hackers first gained access to the targeted municipal energy company's network by exploiting a vulnerability in an internet-exposed Mikrotik router. The router was not "adequately segmented" from other servers and controllers, including one made by ENCO, a Chinese company. Graham noted that the researchers found open ENCO controllers in Lithuania, Ukraine, and Romania, indicating that the hackers could potentially deploy the malware against targets elsewhere.
How did the attack happen?
The researchers stated that the hackers did not attempt to destroy the controllers; instead they caused the controllers to report inaccurate measurements, leading to incorrect operation of the system and a loss of heating for customers. The researchers concluded that the hackers possibly gained access to the targeted network in April 2023, almost a year before deploying the malware and turning off the heat. On January 22, 2024, they connected through Moscow-based IP addresses.
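Modbus/TCP carries no authentication of its own, so whether a controller accepts a write depends entirely on which hosts can reach it on the network. A minimal monitoring control is therefore to parse Modbus traffic on the OT segment and alert on any write function code that does not come from an allowlisted engineering or HMI host. The following is an added example written for this article, not code from Dragos or from the FrostyGoop report: the parser follows the public Modbus/TCP framing (7-byte MBAP header, then function code and PDU), and the sample packets, IP addresses and allowlist are constructed placeholders, not captures from the Lviv incident.

```python
import struct
from dataclasses import dataclass

# Standard Modbus function codes, from the public Modbus specification.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu: bytes  # function-specific payload that follows the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # The MBAP length field counts the unit id and the PDU, i.e. every byte
    # after the first six; a mismatch means truncation or a malformed frame.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit_id, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Human-readable summary of a write request, including target address."""
    fc = req.function_code
    if fc in (5, 6) and len(req.pdu) >= 4:
        addr, value = struct.unpack(">HH", req.pdu[:4])
        return f"{WRITE_CODES[fc]} addr={addr} value={value:#06x}"
    if fc in (15, 16) and len(req.pdu) >= 5:
        addr, quantity = struct.unpack(">HH", req.pdu[:4])
        return f"{WRITE_CODES[fc]} addr={addr} count={quantity}"
    return WRITE_CODES.get(fc, f"function {fc}")


def find_unauthorized_writes(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_ip, frame). Returns a list of alerts.

    A write from any host outside allowed_writers is flagged, as is any frame
    that does not parse, since malformed traffic toward a PLC is itself notable.
    """
    alerts = []
    for src, dst, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        if req.function_code in WRITE_CODES and src not in allowed_writers:
            alerts.append(f"{src}->{dst} unit {req.unit_id}: "
                          f"{describe_write(req)} from non-allowlisted host")
    return alerts


# Constructed sample traffic (hypothetical addresses and frames, not real captures).
ALLOWED_WRITERS = {"10.0.0.5"}  # assumed HMI / engineering workstation
SAMPLE_PACKETS = [
    # HMI reads two holding registers: tid=1, unit=1, fc=3, addr=10, qty=2
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("0001000000060103000A0002")),
    # HMI writes register 16 := 0x0100 (allowed)
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("000200000006010600100100")),
    # Same write from a host that is not on the allowlist
    ("203.0.113.7", "10.0.1.20", bytes.fromhex("000300000006010600100100")),
    # Write Multiple Registers from the same outside host: addr=16, 2 registers
    ("203.0.113.7", "10.0.1.20", bytes.fromhex("00040000000B0110001000020400010002")),
    # Frame whose MBAP length field does not match its size
    ("198.51.100.9", "10.0.1.20", bytes.fromhex("0005000000FF0106")),
]


def main():
    for alert in find_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(alert)


if __name__ == "__main__":
    main()
```

Run as-is it reports the two writes from 203.0.113.7 and the malformed frame, while the HMI's own read and write pass silently. In a real deployment the packets would come from a span port or a pcap rather than a list, and the allowlist would be maintained per controller, since a host that is legitimately allowed to write to one PLC is not necessarily allowed to write to all of them.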