Cybersecurity researchers have found what they say is the ninth Industrial Control Systems (ICS)-focused malware, one that was used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January.
Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop, describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024.
“FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502,” researchers Kyle O’Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News.
It is believed that the malware, primarily designed to target Windows systems, has been used to target ENCO controllers with TCP port 502 exposed to the internet. It has not been tied to any previously identified threat actor or activity cluster.
FrostyGoop comes with capabilities to read from and write to an ICS device's holding registers, which contain inputs, outputs, and configuration data. It also accepts optional command-line execution arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to a console and/or a JSON file.
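As an added illustration of the traffic pattern the report describes (this is not Dragos's code or the malware's), the following Python parses Modbus/TCP request frames as they would appear on port 502 and flags holding-register writes (function codes 6 and 16) from any client that is not on an allowlist of known engineering/HMI hosts; the frames, IP addresses and allowlist are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Function codes relevant to holding-register access (Modbus Application Protocol)
FC_NAMES = {3: "read_holding_registers", 6: "write_single_register",
            16: "write_multiple_registers"}
WRITE_FCS = {6, 16}


@dataclass
class ModbusRequest:
    unit_id: int
    function_code: int
    start_addr: int
    quantity: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus a register request")
    _, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header (protocol id or length field)")
    fc = frame[7]
    if fc not in FC_NAMES:
        raise ValueError(f"function code {fc} not handled here")
    start = struct.unpack(">H", frame[8:10])[0]
    qty = 1 if fc == 6 else struct.unpack(">H", frame[10:12])[0]
    if fc == 16 and (len(frame) < 13 or frame[12] != 2 * qty or len(frame) != 13 + frame[12]):
        raise ValueError("write-multiple byte count does not match quantity")
    return ModbusRequest(unit_id, fc, start, qty)


def alerts_for(flows, allowed_writers):
    """flows: (src_ip, dst_ip, frame) tuples. Returns one alert string for
    every register write issued by a client outside the allowlist."""
    alerts = []
    for src, dst, frame in flows:
        req = parse_modbus_tcp(frame)
        if req.function_code in WRITE_FCS and src not in allowed_writers:
            alerts.append(f"{src} -> {dst}: {FC_NAMES[req.function_code]} "
                          f"unit={req.unit_id} addr={req.start_addr} qty={req.quantity}")
    return alerts


# Constructed sample traffic (not captured from any real incident)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("00010000000601030000000a")),              # FC3 read, HMI
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("0002000000060106000a0001")),              # FC6 write, HMI
    ("203.0.113.7", "10.0.1.20", bytes.fromhex("00030000000b011000100002040000ffff")),  # FC16 write, external
]
ALLOWED_WRITERS = {"10.0.0.5"}  # assumed: the only host permitted to write registers
```

Running `alerts_for(SAMPLE_FLOWS, ALLOWED_WRITERS)` flags only the third flow, the write-multiple-registers request from the non-allowlisted address.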
The incident targeting the municipal district energy company is said to have resulted in a loss of heating services to more than 600 apartment buildings for almost 48 hours.
“The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions,” the researchers said in a conference call, noting initial access was likely gained by exploiting a vulnerability in Mikrotik routers in April 2023.
“Remediation took almost two days.”
While FrostyGoop extensively employs the Modbus protocol for client/server communications, it is far from the only one. In 2022, Dragos and Mandiant detailed another ICS malware named PIPEDREAM (aka INCONTROLLER) that leveraged various industrial network protocols such as OPC UA, Modbus, and CODESYS for interaction.
It is also the ninth ICS-focused malware after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.
The malware’s ability to read or modify data on ICS devices using Modbus has severe consequences for industrial operations and public safety, Dragos said, adding that more than 46,000 internet-exposed ICS devices communicate over the widely used protocol.
“The specific targeting of ICS using Modbus TCP over port 502 and the potential to interact directly with various ICS devices pose a serious threat to critical infrastructure across multiple sectors,” the researchers said.
“Organizations must prioritize the implementation of comprehensive cybersecurity frameworks to safeguard critical infrastructure from similar threats in the future.”