For two days in the second half of January, residents of Lviv, Ukraine, were left without central heating in harsh winter conditions. Security researchers and Ukrainian officials have attributed the outage to a cyberattack on a local energy provider.
On Tuesday the cybersecurity firm Dragos published findings on a novel piece of malware it calls FrostyGoop. The malware is built to interfere with industrial control systems; in this incident it targeted the controllers that regulate a district heating system.
According to Dragos's analysis, FrostyGoop was first identified in April. At that time the team had only a sample of the malware and assumed it was experimental. Ukrainian officials later informed Dragos that FrostyGoop had been used in an attack on Lviv's energy infrastructure from the evening of January 22 into January 23.
“The disruption caused more than 600 buildings to go without heating for nearly two days,” mentioned Dragos analyst Magpie Graham in a briefing with journalists about the report before its official release.
The report, co-authored by Dragos analysts Graham, Kyle O’Meara, and Carolyn Ahlers, noted, “The process of fixing the issue spanned nearly two days, a period during which civilians had to withstand temperatures below the freezing point.”
This is the third known disruption of energy services in Ukraine attributed to a cyberattack in recent years. The researchers noted that while this malware poses a low risk of causing widespread power failures, it reflects an intensified focus by attackers on essential services such as energy facilities.
FrostyGoop manipulates industrial control systems (ICS) over Modbus, a protocol dating from the late 1970s that is used worldwide and, in its standard TCP form, carries no authentication: any host that can reach TCP port 502 on a device can read and write its registers. Dragos points out that this makes the malware potentially usable against many enterprises and infrastructure operators beyond this single incident.
Graham indicated to the press, “Currently, there are about 46,000 ICS devices exposed to the internet that could be susceptible to Modbus-based attacks.”
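The article says only that FrostyGoop talks Modbus to the controllers. As an added example (not code from the article, from Dragos, or from the malware), the following Python script encodes and decodes Modbus/TCP frames per the public specification and then runs a simple allowlist check over a handful of constructed packets, flagging any register write that does not come from the engineering workstation. The IP addresses, register addresses, unit ids and the allowlist are assumptions for illustration only.

```python
import struct

# Public Modbus function codes (Modbus Application Protocol spec).
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10
# These change device state; function codes 0x01-0x04 only read.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}


def _adu(transaction_id, unit_id, pdu):
    """Wrap a PDU in the MBAP header: tid(2) proto(2)=0 length(2) unit(1).
    Length counts the unit id plus the PDU. There is no authentication field."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_holding_registers(tid, unit, address, count):
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, address, count)
    return _adu(tid, unit, pdu)


def build_write_single_register(tid, unit, address, value):
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value)
    return _adu(tid, unit, pdu)


def build_write_multiple_registers(tid, unit, address, values):
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS,
                      address, len(values), 2 * len(values))
    return _adu(tid, unit, pdu + struct.pack(">%dH" % len(values), *values))


def parse_modbus_tcp(frame):
    """Decode a Modbus/TCP request. Raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    fc, data = frame[7], frame[8:]
    info = {"tid": tid, "unit": unit, "function": fc}
    if fc in (FC_READ_HOLDING_REGISTERS, FC_WRITE_SINGLE_REGISTER):
        if len(data) != 4:
            raise ValueError("function 0x%02x needs 4 data bytes" % fc)
        # operand is the register count for a read, the new value for a write
        info["address"], info["operand"] = struct.unpack(">HH", data)
    elif fc == FC_WRITE_MULTIPLE_REGISTERS:
        if len(data) < 5:
            raise ValueError("truncated write-multiple request")
        start, count, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * count or len(data) != 5 + nbytes:
            raise ValueError("byte count does not match register count")
        info["address"] = start
        info["values"] = list(struct.unpack(">%dH" % count, data[5:]))
    return info


def flag_unauthorized_writes(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_ip, frame_bytes).
    allowed_writers: {controller_ip: set of hosts permitted to write to it}.
    Returns one alert per write from a non-allowlisted host and one per
    frame that does not parse as Modbus/TCP."""
    alerts = []
    for src, dst, frame in packets:
        try:
            info = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst,
                           "reason": "malformed", "detail": str(exc)})
            continue
        if (info["function"] in WRITE_FUNCTION_CODES
                and src not in allowed_writers.get(dst, set())):
            alerts.append({"src": src, "dst": dst,
                           "reason": "unauthorized_write", "detail": info})
    return alerts


# Constructed sample traffic (assumed addresses, not from the incident):
# 10.10.0.20 is a heating controller, 10.10.1.5 the engineering workstation,
# 10.10.1.7 an HMI that only polls, 10.10.99.7 a host on the router side.
ALLOWED_WRITERS = {"10.10.0.20": {"10.10.1.5"}}
SAMPLE_PACKETS = [
    ("10.10.1.7", "10.10.0.20", build_read_holding_registers(1, 1, 0x0000, 8)),
    ("10.10.1.5", "10.10.0.20", build_write_single_register(2, 1, 0x0010, 0x0BB8)),
    ("10.10.99.7", "10.10.0.20", build_write_multiple_registers(3, 1, 0x0010, [0, 0, 0])),
    ("10.10.99.7", "10.10.0.20", b"\x00\x04\x00\x00\x00\x02\x01"),  # truncated frame
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(alert)
```

Running the script prints two alerts: the write-multiple request from the router-side host and the truncated frame. In a real deployment the frames would come from a span port or packet capture and the allowlist from the asset inventory. The check is a detective compensating control only; because Modbus/TCP itself will accept the write, the preventive fix is the network segmentation the article says was missing.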
FrostyGoop is the ninth piece of ICS-specific malware Dragos has catalogued. Earlier examples include Industroyer, which caused blackouts in Kyiv and was deployed by the Sandworm group linked to the Russian government; Triton, used against a Saudi chemical plant and another facility; and CosmicEnergy, identified by Mandiant last year.
The Dragos team believes FrostyGoop's operators first entered the energy company's network by exploiting a vulnerability in an internet-facing MikroTik router. The network behind the router was not segmented, so the compromised device had direct reach to servers and to the heating controllers, which were made by ENCO, a Chinese manufacturer.
Graham highlighted the discovery of vulnerable ENCO controllers in Lithuania, Ukraine, and Romania, raising concerns that the group behind FrostyGoop could potentially target systems globally.
ENCO did not respond to inquiries for comment from TechCrunch at the time.
“Rather than destroying the system, the attackers caused the controllers to provide false measurements, leading to system malfunctions and the cessation of heating services,” the researchers detailed.
Further investigation led the researchers to conclude that the attackers likely gained access as early as April 2023, well before the malware was deployed and the heating disrupted in January 2024. They maintained a presence on the network throughout that period and, according to the report, connected from IP addresses based in Moscow.
Despite the Russian IP addresses, Dragos stopped short of attributing the operation to any specific hacking group or government, citing the absence of clear links to prior activity or tooling, in keeping with the company's policy of not making attributions, Graham explained.
Graham articulated the belief that such disruptive operations, executed via the internet instead of physical attacks, are likely aimed at demoralizing the Ukrainian populace.
Phil Tonking, Dragos’ field chief technology officer, emphasized the importance of maintaining a balanced perspective on FrostyGoop’s impact, cautioning against both underestimating and overstating its potential threat to national power grids.
Compiled by Techarena.au.