FrostyGoop malware attack cut off heat in Ukraine during winter

Russian-linked malware was used in a January 2024 cyberattack to cut off the heating of over 600 apartment buildings in Lviv, Ukraine, for two days during sub-zero temperatures.

According to an LB.UA report, the attack forced district heating company Lvivteploenergo to disconnect heating services on January 23, impacting over 100,000 people across Lviv’s Sykhiv residential area.

FrostyGoop, the Windows malware used in this attack, is designed to target industrial control systems (ICS) over Modbus TCP communications, a standard ICS protocol used across all industrial sectors.

It was first discovered by cybersecurity company Dragos in April 2024, whose researchers initially believed it was still under testing. However, Ukraine’s Cyber Security Situation Center (CSSC) shared details that the malware was being used in attacks and linked it with the January heating outage in Lviv.

“During the late evening on 22 January 2024, through 23 January, adversaries conducted a disruption attack against a municipal district energy company in Lviv, Ukraine,” said Dragos, based on information shared by the CSSC.

“At the time of the attack, this facility fed over 600 apartment buildings in the Lviv metropolitan area, supplying customers with central heating. Remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures.”

FrostyGoop is the ninth ICS malware discovered in the wild, many of which are linked to Russian threat groups and attack infrastructure. Most recently, Mandiant discovered CosmicEnergy, and ESET spotted Industroyer2 being used by Sandworm hackers to target a large Ukrainian energy provider in a failed attack.

Network was breached almost one year earlier

An investigation into the January 2024 cyberattack in Lviv showed that the attackers may have entered Lvivteploenergo’s network almost a year earlier, on 17 April 2023, by exploiting an unidentified vulnerability in an Internet-exposed MikroTik router.

Three days later, they deployed a webshell that allowed them to maintain access and helped them connect to the breached network in November and December to steal user credentials from the Security Account Manager (SAM) registry hive.

On the day of the attack, the attackers used L2TP (Layer Two Tunnelling Protocol) connections from Moscow-based IP addresses to access the district energy company’s network assets.

Since Lvivteploenergo’s network, including the compromised MikroTik router, four management servers, and the district’s heating system controllers, was not correctly segmented, they could exploit hardcoded network routes and take control of the district’s heating system controllers.

After hijacking them, the attackers downgraded the firmware to versions lacking monitoring capabilities to evade detection.

“Given the ubiquity of the Modbus protocol in industrial environments, this malware can potentially cause disruptions across all industrial sectors by interacting with legacy and modern systems,” Dragos warned.

The company advises industrial organizations to implement the SANS 5 Critical Controls for World-Class OT Cybersecurity, including “ICS incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management.”
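Because FrostyGoop interacts with controllers over Modbus TCP, which carries no authentication, the practical detection hook is the network: parse each Modbus TCP request and alert on write function codes that originate from hosts not on the list of authorised engineering workstations. The following is an added example written for this article, not code from Dragos, the CSSC or Lvivteploenergo; the frame parser follows the public Modbus TCP framing (7-byte MBAP header, then a PDU with a function code), and the IP addresses, the allowlist and the captured request bytes are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_TCP_PORT = 502

# Public Modbus function codes; the write codes are the ones that change controller state.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int      # first coil/register the request touches
    quantity_or_value: int  # count for reads/multi-writes, value for single writes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse a Modbus TCP request ADU. Returns None for anything malformed
    so that junk on port 502 is skipped rather than crashing the monitor."""
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # MBAP: protocol id is always 0; length counts unit id + PDU bytes.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    function_code = payload[7]
    # Every request type listed above starts its data with address + quantity/value.
    if len(payload) < 12:
        return None
    start_address, quantity_or_value = struct.unpack(">HH", payload[8:12])
    return ModbusRequest(tid, unit_id, function_code, start_address, quantity_or_value)


def flag_unauthorized_writes(flows, allowed_writers):
    """flows: iterable of (src_ip, dst_ip, dst_port, payload).
    allowed_writers: set of source IPs permitted to issue Modbus writes.
    Returns one alert dict per write request from a non-allowlisted host."""
    alerts = []
    for src_ip, dst_ip, dst_port, payload in flows:
        if dst_port != MODBUS_TCP_PORT:
            continue
        req = parse_modbus_tcp(payload)
        if req is None:
            continue
        if req.function_code in WRITE_FUNCTIONS and src_ip not in allowed_writers:
            alerts.append({
                "src": src_ip, "dst": dst_ip, "unit_id": req.unit_id,
                "function_code": req.function_code,
                "function": FUNCTION_NAMES.get(req.function_code, "Unknown"),
                "start_address": req.start_address,
            })
    return alerts


def build_request(tid: int, unit_id: int, function_code: int, address: int, value: int) -> bytes:
    """Build a 4-data-byte Modbus TCP request (reads and single writes) for the samples below."""
    pdu = struct.pack(">BHH", function_code, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic (hypothetical addresses): 10.10.1.5 is the only host
# that should ever write to the heating controllers at 10.10.2.20/21.
ALLOWED_WRITERS = {"10.10.1.5"}
SAMPLE_FLOWS = [
    ("10.10.1.5",  "10.10.2.20", 502, build_request(1, 1, 3, 0, 10)),   # routine read, fine
    ("10.10.1.5",  "10.10.2.20", 502, build_request(2, 1, 6, 40, 1)),   # authorised write
    ("10.10.9.77", "10.10.2.20", 502, build_request(3, 1, 6, 40, 0)),   # write from unexpected host
    ("10.10.9.77", "10.10.2.21", 502,                                   # Write Multiple Registers
        struct.pack(">HHHB", 4, 0, 11, 1)
        + struct.pack(">BHHB", 16, 100, 2, 4) + struct.pack(">HH", 1, 2)),
    ("10.10.9.77", "10.10.2.20", 502, b"\x00\x05\x00\x01"),             # truncated, ignored
    ("10.10.9.77", "10.10.2.20", 22,  b"SSH-2.0-client\r\n"),           # not Modbus, ignored
]


def run_sample():
    return flag_unauthorized_writes(SAMPLE_FLOWS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT {alert['src']} -> {alert['dst']} unit {alert['unit_id']}: "
              f"{alert['function']} at address {alert['start_address']}")
```

The check is deliberately source-based: FrostyGoop's requests are protocol-conformant, so a monitor that only validates framing sees nothing unusual, while a write from any host outside the engineering allowlist is a strong signal regardless of which registers it touches. In a real deployment the flows would come from a span port or packet capture rather than an inline list, and the allowlist should be derived from the segmentation the article says was missing.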
