A Russia-linked malware dubbed ‘FrostyGoop’ is raising alarm in the cybersecurity world due to the severe risks it poses to critical infrastructure across multiple sectors globally.
FrostyGoop, which had been discovered by researchers in April 2024, has been deployed in a devastating attack on a district energy company in Ukraine, leading to the disruption of the power supply to heating services for hundreds of apartment buildings.
FrostyGoop is the first ICS-specific malware with the ability to use Modbus TCP communications to directly impact operational technology, allowing its operators to potentially disrupt both legacy and modern systems. Researchers are urging enhanced ICS network visibility and monitoring to counter the malware.
FrostyGoop’s Capabilities
Researchers from Dragos noted that the FrostyGoop malware had been written in Golang and compiled for Windows systems, and is able to read and write to ICS devices that often hold various registers containing crucial input, output, and configuration data with the use of the Modbus TCP protocol.
A real-world incident of FrostyGoop was observed in Ukraine, where a cyberattack disrupted heating services to over 600 apartment buildings in Lviv during sub-zero temperatures. The Cyber Security Situation Center of Ukraine shared data with the researchers, reporting that attackers had sent Modbus commands to ENCO controllers, causing system malfunctions that took nearly two days to remediate.
The malware reads and writes data, while logging this output to a console or storing it in a JSON file. FrostyGoop also accepts a JSON-formatted configuration file containing information used to execute Modbus commands on a target device.
Researchers had discovered a sample of the configuration file named task_test.json, with FrostyGoop accepting separate command-line arguments and distinct configuration files to specify target IP addresses and Modbus commands.
The IP address in the identified sample configuration file had belonged to an ENCO control device. ENCO control devices are typically used “for process control in district heating, hot water, and ventilation systems” to monitor sensor parameters such as temperature, pressure, and insulation.
The other fields within FrostyGoop malware configuration files are described below:
Modbus protocol-ready devices are widely used across all industrial sectors and organizations worldwide, making this malware a significant threat to critical infrastructure.
FrostyGoop Implications and Recommendations
Given the widespread usage of the Modbus protocol in industrial environments, the emergence of the FrostyGoop malware raises concerns across all industrial sectors. The malware’s ability to evade detection from antivirus vendors demand the need for specialized OT security measures to protect against its spread.
The researchers recommend implementing the following measures based on the SANS 5 Critical Controls for World-Class OT Cybersecurity, which include:
- ICS INCIDENT RESPONSE: Researchers stressed the need for incident response plans to incorporate specialized responses for OT environments, such as special procedures to quickly isolate affected devices, analyze network traffic for unauthorized Modbus commands, and restoration of usual system operations.
- DEFENSIBLE ARCHITECTURE: A lack of adequate network segmentation and the presence of internet-exposed controllers can leave systems vulnerable to threats like FrostyGoop. To bolster defensible architecture, industrial environments can implement industrial demilitarized zones (DMZs) and enforce strict access controls between the corporate IT network and OT environments.
- ICS NETWORK VISIBILITY & MONITORING: Persistent monitoring of network traffic such as communications over the Modbus protocol is an essential measure of detecting and responding to anomalies and suspicious behavior such as unauthorized access or unusual traffic over port 502.
- SECURE REMOTE ACCESS: Previous deployments of FrostyGoop have exploited vulnerabilities within remote access points. Remote access points can be secured through multi-factor authentication (MFA), logging/monitoring of remote connections, and implementation of virtual private networks (VPNs) to encrypt data in transit, along with regular audits to review access rights and privileges of remote access over a need-to-use basis.
- RISK-BASED VULNERABILITY MANAGEMENT: Active vulnerability management tailored to the risks associated with ICS components through regular assessments can help mitigate vulnerabilities with evidence of active exploitation.
The broad applicability of the threat presented by the FrostyGoop malware demands stronger implementations to secure critical infrastructure and industrial environments worldwide.
