Researchers say that hackers linked to Russia have shut off heat to 600 Ukrainian apartment buildings during the winter.

Adarsh V.KJuly 25, 24 cybersecurity, malware, Russia

Dragos, a cybersecurity firm, has identified malware capable of targeting industrial control systems (ICS) and causing them to engage in harmful actions such as shutting off heating and hot water. According to TechCrunch, this malware, known as FrostyGoop, was responsible for a recent incident in Lviv, Ukraine, where over 600 apartment buildings experienced a two-day loss of heat during freezing temperatures.

Dragos says FrostyGoop is only the ninth known piece of malware designed to target industrial controllers. It is also the first to focus on Modbus, a widely used communications protocol invented in 1979. Modbus is often used in industrial environments, such as Ukraine, which was attacked by FrostyGoop in January.

Ukraine’s Cyber Security Situation Center (CSSC), the country’s government agency responsible for digital security, shared information about the attack with Dragos after detecting the malware in April of this year, months after the attack. Malicious code written in Golang (the Go programming language designed by Google) directly interacts with industrial control systems through an open Internet port (502).

The attackers likely gained access to Lviv’s industrial network in April 2023. Dragos says they did so by “exploiting an unspecified vulnerability in an external Mikrotik router.” They then installed a remote access tool that negated the need to install the malware locally, helping it avoid detection.

The attackers downgraded the controller’s firmware to a version that lacked monitoring features, which helped cover their tracks. Instead of trying to completely dismantle the systems, the hackers caused the controllers to report inaccurate measurements, resulting in heat loss in the middle of a deep freeze.

Dragos has a long-standing policy of neutrality when it comes to cyberattacks, preferring to focus on education without blaming. However, it noted that adversaries opened secure connections (using layer two tunneling protocols) to IP addresses located in Moscow.

“I think this is very much a psychological effort facilitated by cyber means, when kinetic might not have been the best choice,” Dragos researcher Mark “Magpie” Graham told TechCrunch. Lviv is located in the western part of Ukraine, which would be much more difficult for Russia to attack than the eastern cities.

Dragos warns that because the Modbus protocol is ubiquitous in industrial environments, FrostyGoop can be used to disrupt similar systems worldwide. The security company recommends constant monitoring, and notes that FrostyGoop avoided virus detection, underscoring the need for network monitoring to signal future threats before they strike. In particular, Dragos advises ICS operators to use the SANS 5 Critical Controls for World-Class OT Cybersecurity security system, which is an information security framework for operational environments.