Russian Malware Cuts Off Heaters In 600 Apartments During Zero Temperatures

FrostyGoop represents a significant advancement in industrial control systems (ICS) malware: it is the ninth ICS-specific threat and the first to leverage Modbus TCP communications to directly impact Operational Technology (OT).

Unlike PIPEDREAM, discovered in 2022, which used Modbus for enumeration, FrostyGoop takes a step forward in sophistication by using Modbus to directly impact OT in its operations, as far as ICS attacks are concerned.

FrostyGoop’s ability to directly manipulate OT systems through Modbus TCP signifies a concerning advancement in the sophistication and potential impact of ICS-targeted cyberattacks. 

Cybersecurity researchers at Dragos recently identified Russian FrostyGoop malware that cuts off the heaters in 600 apartment buildings during zero-degree temperatures.

Russian Malware Cuts Off Heaters

Dragos found that FrostyGoop explicitly targets industrial control systems through Windows by exploiting the Modbus TCP communication.

The use of this particular ICS-specific Malware in a cyber attack on a Ukrainian energy company caused heating to go off for two days.

The malware's global targeting capability underscores the urgency of upgrading ICS network monitoring and security capabilities.

FrostyGoop’s innovative design, including its employment of configuration files and customizable attacks based on command-line arguments, represents a major shift in targeted ICS threats.

Here below, we have listed the capabilities of FrostyGoop:-

  • Accepts optional command line arguments.
  • Uses config files for target IPs and Modbus commands.
  • Communicates with ICS devices using Modbus TCP.
  • Sends Modbus commands to read/modify ICS data.
  • Logs output to the console or JSON file.

FrostyGoop primarily targets industrial control systems via Modbus TCP protocol on port 502. It connects to specified IP addresses, either provided as an execution argument or in a JSON configuration file. 

The malware implements three Modbus commands, listed here below:-

  • Command Code 3 (Read Holding Registers)
  • Command Code 6 (Write Single Register)
  • Command Code 16 (Write Multiple Holding Registers)

Using a public Go Modbus library, FrostyGoop sends these commands, processes the device responses, then closes the connection and exits.

This allows the malware to read and manipulate data on target devices, potentially disrupting industrial processes.

FrostyGoop malware logs Modbus TCP communications to a console and optionally to a JSON file, recording start time, target IP, and command details. 
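The three Modbus commands above are plain function codes on TCP port 502, so a defender can parse them straight off the wire. The following is an added example (not code from the article or from Dragos) that decodes Modbus TCP request frames and flags write requests (codes 6 and 16) from hosts that are not on an allowlist of engineering workstations; the frames, IP addresses and allowlist are constructed for illustration.

```python
import struct

# Modbus function codes the article says FrostyGoop implements
READ_HOLDING = 3
WRITE_SINGLE = 6
WRITE_MULTIPLE = 16
WRITE_CODES = {WRITE_SINGLE, WRITE_MULTIPLE}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; length covers unit id + PDU
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length field")
    fc = frame[7]
    pdu = frame[8:]
    req = {"tid": tid, "unit": unit, "fc": fc}
    if fc == READ_HOLDING:
        req["addr"], req["qty"] = struct.unpack(">HH", pdu[:4])
    elif fc == WRITE_SINGLE:
        req["addr"], req["value"] = struct.unpack(">HH", pdu[:4])
    elif fc == WRITE_MULTIPLE:
        req["addr"], req["qty"], count = struct.unpack(">HHB", pdu[:5])
        if count != 2 * req["qty"] or len(pdu) != 5 + count:
            raise ValueError("FC16 byte count does not match register quantity")
        req["values"] = list(struct.unpack(">%dH" % req["qty"], pdu[5:]))
    return req

def flag_writes(flows, allowed_writers):
    """Alert on Modbus write requests from sources not permitted to write."""
    alerts = []
    for src, dst, frame in flows:
        req = parse_modbus_tcp(frame)
        if req["fc"] in WRITE_CODES and src not in allowed_writers:
            alerts.append((src, dst, req["fc"], req["addr"]))
    return alerts

# Constructed sample traffic (src, dst, raw Modbus TCP request); hypothetical addresses
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("0001000000060103000a0002")),      # FC3 read
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("0002000000060106000a0000")),      # FC6 write, allowed host
    ("203.0.113.7", "10.0.1.20", bytes.fromhex("00030000000b0110001000020400000000")),  # FC16 write, unknown host
]
ALLOWED_WRITERS = {"10.0.0.5"}  # constructed allowlist of engineering workstations

if __name__ == "__main__":
    for alert in flag_writes(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print("ALERT: unexpected Modbus write", alert)
```

Only the FC16 request from the unlisted host is reported; the read and the write from the allowlisted workstation pass silently.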

It is believed that in January 2024 the malware was used in an attack on a heating facility in Lviv, Ukraine, that resulted in a service outage during freezing temperatures.

The attack involved exploiting router vulnerabilities, deploying a webshell, and compromising ENCO controllers.

The global threat posed by FrostyGoop’s ability to interact with various ICS devices through Modbus TCP cannot be ignored.

Among other things, this incident highlights the need for strong OT cybersecurity measures like network segmentation and protection of internet-exposed ICS devices.

Recommendations

Here below we have listed all the recommendations offered by the researchers:-

  • Implement strong ICS incident response plans with OT-specific processes and frequent exercises.
  • Create a defensible architecture with appropriate network segmentation and industrial DMZs.
  • Roll out continuous monitoring of the ICS network using protocol-aware tools for detecting abnormalities.
  • Enforce safe remote access protocols that include MFA, VPNs, and strict access control measures.
  • Carry out risk-based vulnerability management focusing on ICS components involving localized assessments and mitigation programs.

Varshini Senapathi

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
