For a piece of malware that's been described as "simple," the consequences have been immense.
Dragos calls it "FrostyGoop," and this latest attack method for industrial control systems (ICS) uses the Modbus protocol to infiltrate its targets.
Discovered in April of this year, FrostyGoop has already been blamed for a significant disruption in Ukraine in January, when 600 apartment buildings went without heat for two days after an attack on a residential energy firm.
Dragos cites concerns specific to FrostyGoop, claiming the malware is the first ICS-focused malware to use the Modbus protocol to cause "a physical disruption to operational technology (OT)."
Further risks could emerge down the line. Dragos says the Ukraine attack stemmed from malicious Modbus commands sent to controllers, causing system malfunctions and inaccurate measurements. And while the threat is not being blamed on any one actor or group, it's important to note that it was derived from open source software.
Another cause for concern: FrostyGoop appears to be used against once-obscure operations, including waterworks and utilities. This, combined with the widespread use of Modbus devices globally, has led Dragos to sound the alarm, saying there is "an urgent need" for security teams to bolster ICS network visibility and better monitor Modbus traffic.
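As a defender-side illustration of the Modbus monitoring Dragos calls for (and of the malicious write commands to controllers described above), here is an added example that is not code from Dragos, from the article, or from any FrostyGoop analysis: a small Python parser for Modbus/TCP frames that flags state-changing write requests sent to a controller from any host not on that controller's allowlist, and also flags frames whose MBAP length field does not match the bytes on the wire. The IP addresses, the allowlist and the captured frames are constructed for this example; the 7-byte MBAP header layout and the function codes are taken from the public Modbus specification.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (public protocol constants).
# Reads (0x01-0x04) are deliberately not in this set: the point is to notice writes.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src_ip: str
    dst_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(src_ip: str, dst_ip: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: MBAP header (tid, pid, length, unit) followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # MBAP length counts the unit id byte plus the PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    return ModbusRequest(src_ip, dst_ip, tid, unit, frame[7], frame[8:])


def detect_unauthorized_writes(packets, allowlist):
    """Return alert strings for write requests from hosts not allowlisted for the target
    controller, and for malformed frames. `packets` is an iterable of (src, dst, frame)."""
    alerts = []
    for src, dst, frame in packets:
        try:
            req = parse_modbus_tcp(src, dst, frame)
        except ValueError as err:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({err})")
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in allowlist.get(dst, set()):
            name = WRITE_FUNCTION_CODES[req.function_code]
            alerts.append(
                f"{src}->{dst} unit {req.unit_id}: {name} (0x{req.function_code:02x}) "
                f"from non-allowlisted host"
            )
    return alerts


# Constructed sample data: one engineering workstation (10.0.0.5) is allowed to write to
# the controller at 10.0.0.20; every other host may only read.
ALLOWLIST = {"10.0.0.20": {"10.0.0.5"}}

SAMPLE_PACKETS = [
    # Allowed host reads 10 holding registers starting at 0: benign.
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("000100000006010300000 00a".replace(" ", ""))),
    # Allowed host writes a single register: a write, but from an allowlisted host.
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("000200000006010600100064")),
    # Unknown host writes two registers (0x10): this is what we want to surface.
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("00030000000b0110001000020400000000")),
    # Unknown host only reads a register: not a state change, so not alerted here.
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("000400000006010300000001")),
    # Length field claims 9 bytes follow but only 6 do: malformed, also alerted.
    ("10.0.0.7", "10.0.0.20", bytes.fromhex("000500000009010300000001")),
]


def run_demo():
    """Run the detector over the constructed capture and return the alerts."""
    return detect_unauthorized_writes(SAMPLE_PACKETS, ALLOWLIST)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In a real deployment the frames would come from a passive tap or span port feeding a capture library, and the allowlist would be derived from an asset inventory; the logic stays the same, and the two alert types (writes from unexpected sources, frames that do not parse) are the cheapest signal a team can add to an ICS network it has not monitored before.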
Investigation into the Ukraine attack concluded that the operatives had months of access after first infiltrating the Modbus network, setting up the attack and then obtaining user credentials. Notably, the utility attack took place in the aftermath of separate cyberattacks on Ukraine's postal service and its largest oil and gas company.
Mark Graham, technical director and principal adversary hunter at Dragos, told CyberScoop that it's getting easier for low-cost attacks to impact industrial systems, "regardless of whether they are carried out by state-backed hackers or financially motivated cybercriminals." Simply put: just because it's a less sophisticated tool doesn't make it less dangerous.