Cyber Security

Russia-Linked Hackers Disrupt Heat in 600 Ukrainian Apartments During Winter, Researchers Report

23 July 2024


Zaker Adham

Summary

Cybersecurity firm Dragos has uncovered a sophisticated malware attack, named FrostyGoop, that targeted industrial control systems (ICS) in Ukraine, causing significant disruptions. This malware incapacitated heating in over 600 apartment buildings in Lviv during the peak of winter, leaving residents without heat for two days in freezing conditions.

The Attack and Its Implications

FrostyGoop is identified as only the ninth malware designed specifically for ICS, making it a rare and dangerous threat. Unlike previous malware, FrostyGoop targets the Modbus protocol, a crucial communication standard in industrial environments since its creation in 1979. The Ukrainian Cyber Security Situation Center (CSSC) provided vital information to Dragos after detecting the malware in April, months after the attack occurred in January.

The attackers exploited a vulnerability in a Mikrotik router, gaining access to Lviv’s industrial network in April 2023. By operating through a remote access tool rather than installing malware on local hosts, they reduced their chance of being detected. The hackers then downgraded controller firmware to versions lacking monitoring capabilities, masking their activities, and caused the heating outage by manipulating system measurements.

The Psychological Impact

Mark “Magpie” Graham, a researcher at Dragos, emphasized the psychological warfare aspect of the attack, noting its strategic timing and location in western Ukraine, a region more challenging for Russia to target kinetically. The attackers used secure connections to Moscow-based IP addresses, indicating possible Russian involvement.

Broader Implications and Recommendations

Dragos warns that FrostyGoop’s targeting of the Modbus protocol signifies a potential threat to industrial systems globally. The firm stresses the importance of continuous monitoring and recommends using the SANS 5 Critical Controls for World-Class OT Cybersecurity framework to safeguard ICS environments. This framework offers strategies to detect and mitigate such threats, emphasizing the need for vigilant network monitoring.
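The monitoring Dragos recommends has a concrete form for Modbus/TCP: because the protocol has no authentication, the only way to notice an unexpected host writing to a controller is to watch the traffic itself. The following added example (not code from Dragos, the article, or any named product) parses Modbus/TCP frames and flags state-changing function codes that arrive from hosts outside an allowlist of known engineering workstations and HMIs, plus frames whose MBAP length field does not match the bytes on the wire. The sample frames, source addresses, and allowlist are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Modbus function codes that change device state (writes). Reads such as
# 0x03 (Read Holding Registers) are expected from any monitoring host and are not flagged.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]  # starting coil/register address when the PDU carries one


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP layout (big-endian): transaction id (2), protocol id (2, always 0),
    length (2, counts the unit id plus everything after it), unit id (1).
    Raises ValueError on anything that does not fit that layout.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame ({len(frame) - 6})")
    fc = frame[7]
    address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
    return ModbusRequest(tid, unit, fc, address)


def detect_suspicious_writes(events: Iterable[Tuple[str, bytes]],
                             allowed_writers: Set[str]) -> List[str]:
    """Return one alert string per write from a non-allowlisted host or per malformed frame."""
    alerts = []
    for src_ip, frame in events:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src_ip}: malformed Modbus frame ({exc})")
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            name = WRITE_FUNCTION_CODES[req.function_code]
            alerts.append(
                f"{src_ip}: {name} (fc 0x{req.function_code:02x}) to unit {req.unit_id} "
                f"address {req.address} from a host not on the writer allowlist"
            )
    return alerts


# Constructed sample traffic: (source IP, raw Modbus/TCP frame). 10.0.0.5 plays the
# legitimate HMI; 10.0.0.99 plays an unexpected host on the OT network.
SAMPLE_EVENTS = [
    # HMI reads 10 holding registers starting at 0: expected, not flagged.
    ("10.0.0.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # HMI writes register 16 = 100: a write, but from an allowlisted host.
    ("10.0.0.5", bytes.fromhex("0002 0000 0006 01 06 0010 0064")),
    # Unknown host writes register 16 = 0: flagged.
    ("10.0.0.99", bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
    # Unknown host writes two registers starting at 32: flagged.
    ("10.0.0.99", bytes.fromhex("0004 0000 000b 01 10 0020 0002 04 0000 0000")),
    # Truncated frame: MBAP length says 6 bytes follow, only 3 do: flagged as malformed.
    ("10.0.0.99", bytes.fromhex("0005 0000 0006 01 06 00")),
]

ALLOWED_WRITERS = {"10.0.0.5"}


def run_demo() -> List[str]:
    """Run the detector over the constructed sample and return the alerts."""
    return detect_suspicious_writes(SAMPLE_EVENTS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In a real deployment the frames would come from a network tap or span port on the OT segment, and the allowlist would be the documented set of hosts permitted to command each controller; anything else writing to a Modbus unit, or a host that only ever read before and suddenly writes, is the kind of change in behaviour that continuous monitoring is meant to surface.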