New Malware Targets Industrial Control Systems in Ukraine
The industrial cybersecurity firm Dragos has identified a new strain of malware built to interact directly with industrial control systems (ICS) and push them into harmful states. The malware, named FrostyGoop, was reportedly used in an attack that left more than 600 apartment buildings in Lviv, Ukraine, without heat for two days this January, in sub-zero temperatures.
Unique Nature of FrostyGoop
FrostyGoop stands out because it is only the ninth ICS-specific malware family that Dragos has tracked, and the first known to speak Modbus directly. Modbus is a widely used industrial communications protocol introduced in 1979; it has no built-in authentication, so any device that can reach a controller over the network can issue it commands. Modbus is common in industrial settings such as the heating infrastructure affected in Lviv.
Details of the Attack
Ukraine’s Cyber Security Situation Center (CSSC), the government agency responsible for digital safety, identified the malware in April, months after the attack itself. The malicious software is written in Go and communicates with the controllers directly over Modbus TCP on port 502, which in this case was reachable from the internet. The attackers first gained network access by exploiting a vulnerability, not yet determined, in an internet-facing MikroTik router.
From there they worked through remote access rather than installing malware on hosts inside the plant, which left fewer artifacts for defenders to find. They also downgraded the controller firmware to a version that lacked monitoring capabilities, further obscuring their activity. Instead of shutting systems down, the attackers manipulated the controllers so that they reported inaccurate measurements; the heating system acted on those false readings, and the buildings lost heat.
Potential Adversaries and Motives
Although Dragos does not attribute attacks to specific actors as a matter of policy, it noted that the adversaries established connections to Moscow-based IP addresses using the Layer 2 Tunneling Protocol (L2TP). Mark “Magpie” Graham, a Dragos researcher, suggested a psychological motive: cyber means were preferred over kinetic strikes, especially since Lviv, in western Ukraine, is harder to reach with conventional weapons than cities in the east.
Broader Implications
Because Modbus is used in industrial environments worldwide, the same technique could cause similar disruptions elsewhere. FrostyGoop was not flagged by antivirus products, and its commands look like ordinary Modbus traffic, so Dragos recommends continuous monitoring of ICS network traffic rather than reliance on host-based detection alone. The aim is to spot unexpected commands to controllers before they cause physical effects.
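As an added illustration, not part of Dragos’s report or the original article, the Python block below builds Modbus TCP requests the way any client would (an attacker with network reach needs nothing more, since the protocol has no authentication), parses the MBAP header and PDU, and applies the kind of network check described above: any state-changing function code (a write) arriving on port 502 from outside an approved engineering subnet is flagged. The 10.20.0.0/24 subnet, the register addresses and the sample traffic are constructed assumptions for the demo, not data from the Lviv incident.

```python
"""Modbus TCP framing and a minimal write-command monitor (illustrative example)."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MODBUS_TCP_PORT = 502

# Function codes that change controller state. Reads (1-4) are routine
# polling; writes are what an attacker sends to alter setpoints or outputs.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Assumption for the demo: only this engineering/HMI subnet may write to controllers.
ALLOWED_WRITERS = [ip_network("10.20.0.0/24")]


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU bytes after the function code


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header plus PDU. Raises ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol id {proto_id}")
    # The MBAP length field covers the unit id byte and the whole PDU.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(tid, unit_id, payload[7], payload[8:])


def build_request(tid: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Wrap a PDU in an MBAP header. There is no credential or signature to add."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, 1 + len(pdu), unit_id) + pdu


def read_holding_registers(tid: int, unit_id: int, start: int, count: int) -> bytes:
    return build_request(tid, unit_id, 3, struct.pack(">HH", start, count))


def write_single_register(tid: int, unit_id: int, addr: int, value: int) -> bytes:
    return build_request(tid, unit_id, 6, struct.pack(">HH", addr, value))


def write_multiple_registers(tid: int, unit_id: int, start: int, values: list) -> bytes:
    data = struct.pack(">HHB", start, len(values), 2 * len(values))
    data += b"".join(struct.pack(">H", v) for v in values)
    return build_request(tid, unit_id, 16, data)


def describe_write(frame: ModbusFrame) -> str:
    """Decode the target registers of a write so an analyst sees what changed."""
    fc, d = frame.function_code, frame.data
    if fc == 6 and len(d) >= 4:
        addr, value = struct.unpack(">HH", d[:4])
        return f"register {addr} <- {value}"
    if fc == 16 and len(d) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", d[:5])
        if nbytes == 2 * qty and len(d) >= 5 + nbytes:
            values = list(struct.unpack(f">{qty}H", d[5:5 + nbytes]))
            return f"registers {start}..{start + qty - 1} <- {values}"
    return f"function {fc}, {len(d)} data bytes"


def inspect(src_ip: str, dst_port: int, payload: bytes):
    """Return an alert string for a malformed frame or a write from an
    unapproved source; return None for traffic that passes the policy."""
    if dst_port != MODBUS_TCP_PORT:
        return None
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"ALERT malformed Modbus/TCP from {src_ip}: {exc}"
    if frame.function_code not in WRITE_FUNCTIONS:
        return None
    src = ip_address(src_ip)
    if any(src in net for net in ALLOWED_WRITERS):
        return None
    name = WRITE_FUNCTIONS[frame.function_code]
    return (f"ALERT {name} (fc {frame.function_code}) from unapproved source {src_ip} "
            f"to unit {frame.unit_id}: {describe_write(frame)}")


def run_demo() -> list:
    # Constructed sample traffic (not captured data); register numbers are arbitrary.
    traffic = [
        ("10.20.0.15", 502, read_holding_registers(1, 1, 0, 10)),              # HMI polling
        ("10.20.0.15", 502, write_single_register(2, 1, 40, 550)),             # approved setpoint change
        ("203.0.113.7", 502, write_multiple_registers(3, 1, 40, [0, 0, 9999])),  # write from outside
        ("203.0.113.7", 502, b"\x00\x04\x00\x00\x00\x01\x01"),                 # truncated frame
    ]
    return [alert for alert in (inspect(*t) for t in traffic) if alert]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The monitor is deliberately simple: a source allowlist plus function-code classification catches the case described in the article, a write arriving from a host that should never command a controller. In a real deployment the same check would run on mirrored traffic and be extended with a baseline of which registers each approved host normally touches, so that an approved but compromised workstation writing unusual setpoints is also flagged.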
Security Recommendations
Dragos advises ICS operators to adopt the SANS 5 Critical Controls for World-Class OT Cybersecurity, a framework tailored to operational environments: an ICS-specific incident response plan, a defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management. Two of these map directly onto this attack: segmenting and monitoring the network would have exposed Modbus commands arriving from outside the plant, and controlled remote access would have denied the attackers their foothold through the router.