FrostyGoop malware compromised apartment heaters in Ukraine

July 25, 2024

Hackers allegedly used the Russian-linked FrostyGoop malware in a January cyberattack to turn off the heaters in over 600 apartments in Ukraine despite the subzero conditions brought by the winter season.

FrostyGoop, the Windows malware used in this attack, is built specifically to target industrial control systems (ICS) over Modbus TCP connections. Researchers uncovered the campaign in April and initially believed the malware was still under development.

Ukraine’s Cyber Security Situation Center (CSSC) has since confirmed that the malware was used in real attacks and linked it to the January heating failure in Lviv. The attackers launched a disruption attempt against a municipal district energy firm in Lviv, Ukraine, in the late evening of 22 January 2024.

At the time of the attack, the compromised facility supplied central heating to more than 600 residential buildings in the Lviv metropolitan region. Restoring service took nearly two days, during which residents went without heating in midwinter.

FrostyGoop is the latest ICS malware to hit Ukraine since March last year.

FrostyGoop is the seventh ICS malware detected in Ukraine, and several others are tied to Russian threat groups and infrastructure.

A separate investigation into the January cyberattack in Lviv also revealed that the attackers may have entered the victim’s network nearly a year earlier, on 17 April 2023, by exploiting an undisclosed flaw in an Internet-exposed MikroTik router.

They subsequently deployed a webshell to maintain access, reconnected to the compromised network in November and December, and stole user credentials from the Security Account Manager (SAM) registry hive.

On the day of the attack, the attackers leveraged L2TP connections from Moscow-based IP addresses to access the district energy company’s network assets. Since the network, which included the compromised MikroTik router, four management servers, and the district’s heating system controllers, was not adequately separated, the attackers could exploit hardcoded network routes and gain control of the heating system controllers.
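The two points above, FrostyGoop's use of Modbus TCP and the flat network that let the attackers reach the controllers, suggest one cheap detection a defender can run on a span of the controller VLAN: decode each Modbus TCP request and flag state-changing function codes issued from outside the engineering subnet. The following is an added example written for this article, not code from the original report; the subnet, unit IDs and sample frames are constructed.

```python
import ipaddress
import struct

# Modbus function codes that change controller state (coil/register writes)
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumption: only the engineering workstation subnet may write to controllers
ENGINEERING_SUBNET = ipaddress.ip_network("10.20.30.0/24")

def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the 7-byte MBAP header and function code of a Modbus TCP request."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match payload size")
    return {"transaction_id": tid, "unit_id": unit,
            "function": payload[7], "pdu": payload[8:]}

def audit_request(src_ip: str, payload: bytes) -> dict:
    """Verdict for one request: a write from outside the engineering subnet is an alert."""
    req = parse_modbus_tcp(payload)
    is_write = req["function"] in WRITE_FUNCTIONS
    from_engineering = ipaddress.ip_address(src_ip) in ENGINEERING_SUBNET
    return {"src": src_ip, "unit": req["unit_id"], "function": req["function"],
            "name": WRITE_FUNCTIONS.get(req["function"], "read/other"),
            "alert": is_write and not from_engineering}

# Constructed sample traffic, not real captures: (source IP, raw Modbus TCP request)
SAMPLE_TRAFFIC = [
    # FC 3 Read Holding Registers from the HMI: start 0, count 10
    ("10.20.30.5", bytes.fromhex("000100000006" "0103" "0000000a")),
    # FC 6 Write Single Register from the engineering subnet: register 0x10 = 1
    ("10.20.30.5", bytes.fromhex("000200000006" "0106" "00100001")),
    # FC 16 Write Multiple Registers from a host outside the engineering subnet
    ("10.99.1.7", bytes.fromhex("000300000009" "0110" "00000001020000")),
]

def audit_all(traffic=SAMPLE_TRAFFIC) -> list:
    return [audit_request(ip, raw) for ip, raw in traffic]

if __name__ == "__main__":
    for v in audit_all():
        status = "ALERT" if v["alert"] else "ok"
        print(f"{status:5} {v['src']:>12} unit={v['unit']} fc={v['function']} ({v['name']})")
```

In a real deployment the source address check would be replaced by an allowlist of known engineering hosts, and the decoded PDU could be compared against expected register ranges for each controller.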

The threat actors also downgraded the controllers’ firmware to versions that lacked monitoring features, so their changes would not be observed or analysed. The attack on the Ukrainian heating system shows how cyberattacks can cause severe damage to infrastructure and endanger human lives. Organisations must therefore harden their cybersecurity defences across all devices, including ICS equipment, to prevent such outcomes.
