Dragos reveals details of the malware targeting ICS systems.
In January, Ukraine faced a cyberattack that left hundreds of Lviv residents without heating for 2 days. The attackers used previously unknown FrostyGoop malware that targets ICS systems. In a new report, Dragos specialists described the work of the malware.
FrostyGoop was the first malware observed to use the Modbus TCP protocol directly to sabotage Operational Technology (OT) networks. Dragos first identified it in April 2024. FrostyGoop is written in Golang and communicates directly with ICS devices over Modbus TCP on port 502. It runs mainly on Windows systems and targets ENCO controllers that are reachable from the Internet on port 502.
The malware can read and write data to ICS devices, manage registers containing input and output data, as well as configuration information. FrostyGoop uses configuration files in JSON format to specify target IP addresses and Modbus commands, and writes the results to the console and/or to a JSON file.
The cyberattack targeted a municipal company that provides centralized heating to more than 600 apartment buildings in Lviv. The FrostyGoop malware changed the values on the temperature controllers, causing cold water to be supplied instead of hot. Residents of the city were left without heating and hot water for almost 48 hours.
Attackers sent Modbus commands to the ENCO controllers, which caused incorrect measurements and system failures. It took almost 2 days to eliminate the consequences of the attack. Initial access to the systems was likely obtained through a vulnerability in MikroTik routers in April 2023.
Although the Modbus protocol is widely used for client-server communications in industrial networks, FrostyGoop is not the only malware built to abuse it. In 2022, Dragos and Mandiant disclosed another ICS malware, PIPEDREAM (INCONTROLLER), which used several industrial network protocols to interact with control systems.
The researchers emphasized that the targeted use of Modbus TCP on port 502 and the ability to interact directly with a wide range of ICS devices pose a serious threat to critical infrastructure across many sectors. Organizations should prioritize implementing comprehensive cybersecurity controls to protect critical infrastructure from similar threats in the future.
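As an added defensive example (not code from the Dragos report or from this post), the checker below parses Modbus/TCP requests seen on port 502 and flags coil/register writes from hosts that are not on an allowlist of known engineering or HMI stations, which is the kind of monitoring the recommendation above implies. The host addresses and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (coil and register writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusRequest:
    src: str
    unit_id: int
    function_code: int
    start_address: int


def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Parse the MBAP header and the start of the PDU of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("short frame")
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match the frame")
    function_code = payload[7]
    # For the common read/write requests the two bytes after the function code
    # are the starting address; other PDUs are reported with address 0.
    start = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else 0
    return ModbusRequest(src, unit_id, function_code, start)


def flag_unexpected_writes(frames, allowed_writers):
    """Return write requests whose source host is not an approved writer."""
    alerts = []
    for src, payload in frames:
        try:
            req = parse_modbus_tcp(src, payload)
        except ValueError:
            continue  # malformed frames are skipped here, not alerted on
        if req.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append(req)
    return alerts


# Constructed sample traffic to TCP/502 (not captured from the incident).
SAMPLE_FRAMES = [
    ("10.0.0.10", bytes.fromhex("000100000006010300000002")),          # FC 3 read: fine
    ("10.0.0.10", bytes.fromhex("000200000006010600100041")),          # FC 6 write, HMI
    ("10.0.0.10", bytes.fromhex("0004000000090103")),                  # bad length, skipped
    ("203.0.113.7", bytes.fromhex("00030000000b011000100002040000ffff")),  # FC 16, unknown
]
ALLOWED_WRITERS = {"10.0.0.10"}

if __name__ == "__main__":
    for a in flag_unexpected_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(f"ALERT: FC {a.function_code} write to unit {a.unit_id} "
              f"addr {a.start_address} from {a.src}")
```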