New Malware ‘FrostyGoop’ Targets Energy Company

Cybersecurity researchers have discovered what they identify as the ninth Industrial Control Systems (ICS)-focused malware. This malware was used in a disruptive cyber attack targeting an energy company.

An industrial cybersecurity firm has named the malware FrostyGoop and describes it as the first malware to use Modbus TCP communications directly to sabotage operational technology (OT) networks. The firm found the malware in April 2024.

“FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502,” researchers explained in a technical report.

This malware mainly targets Windows systems and specifically attacks ENCO controllers with TCP port 502 exposed to the internet. So far, it has not been linked to any known threat actors or activity clusters.

FrostyGoop has the ability to read and write to an ICS device’s holding registers, which contain inputs, outputs, and configuration data. It also supports optional command line execution arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to a console or a JSON file.

The attack on the municipal district energy company led to a loss of heating services for over 600 apartment buildings for nearly 48 hours.

“The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions,” the researchers said during a conference call. They noted that initial access was likely gained by exploiting an unknown vulnerability in a publicly-accessible Mikrotik router in April 2023.

While FrostyGoop heavily uses the Modbus protocol for client/server communications, it’s not the only malware to do so.

FrostyGoop is the ninth ICS-focused malware discovered in the wild, following Stuxnet, Havex, Industroyer (CrashOverride), Triton (Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.

The ability of this malware to read or modify data on ICS devices using Modbus poses severe risks to industrial operations and public safety. The researchers highlighted that over 46,000 internet-exposed ICS appliances communicate using this widely used protocol.

“The specific targeting of ICS using Modbus TCP over port 502 and the potential to interact directly with various ICS devices pose a serious threat to critical infrastructure across multiple sectors,” the researchers emphasized.

“Organizations must prioritize the implementation of comprehensive cybersecurity frameworks to safeguard critical infrastructure from similar threats in the future.”

To protect against threats like FrostyGoop, organizations must implement robust cybersecurity measures. This includes regularly updating software and firmware, conducting comprehensive security audits, and deploying network monitoring tools to detect unusual activities.

It’s also crucial to segment OT networks from IT networks and restrict access to critical systems. Employing advanced threat detection systems and having an incident response plan in place ensures rapid action if an attack occurs.
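The capability described above (reading and writing holding registers over Modbus TCP on port 502) is exactly what a network monitor on an OT segment can watch for. The following added example, written for this page and not code from the researchers or from FrostyGoop itself, parses Modbus/TCP frames and flags register writes from hosts that are not on an allow-list of known engineering or HMI stations; the IP addresses, flows and frame bytes are constructed sample data.

```python
import struct

# Modbus function codes that modify holding registers; 0x03 is the read.
WRITE_FUNCTIONS = {0x06: "Write Single Register", 0x10: "Write Multiple Registers"}
READ_HOLDING = 0x03

def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse a Modbus/TCP frame (MBAP header + PDU); raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts unit id + PDU, i.e. everything after byte 6.
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP header")
    fc = payload[7]
    rec = {"tid": tid, "unit": unit, "function": fc}
    if fc in (READ_HOLDING, 0x06):
        if len(payload) < 12:
            raise ValueError("truncated PDU")
        rec["address"], rec["value_or_count"] = struct.unpack(">HH", payload[8:12])
    elif fc == 0x10:
        if len(payload) < 13:
            raise ValueError("truncated PDU")
        start, qty, nbytes = struct.unpack(">HHB", payload[8:13])
        if nbytes != 2 * qty or len(payload) < 13 + nbytes:
            raise ValueError("byte count does not match register count")
        rec.update(address=start, count=qty,
                   values=list(struct.unpack(f">{qty}H", payload[13:13 + nbytes])))
    return rec

def flag_unexpected_writes(flows, allowed_writers):
    """Return (src, dst, reason) alerts for port-502 writes from non-allow-listed hosts."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != 502:
            continue
        try:
            rec = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed Modbus/TCP frame: {exc}"))
            continue
        if rec["function"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, dst, f"{WRITE_FUNCTIONS[rec['function']]} to register "
                           f"{rec['address']} from non-allow-listed host"))
    return alerts

# Constructed sample flows: (src, dst, dst_port, raw TCP payload).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.20", 502, bytes.fromhex("000100000006010300000002")),      # HMI read
    ("203.0.113.9", "10.0.1.20", 502, bytes.fromhex("000200000006010600010064")),    # write single
    ("203.0.113.9", "10.0.1.20", 502, bytes.fromhex("00030000000b0110000000020400640065")),
]

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_FLOWS, allowed_writers={"10.0.0.5"}):
        print(alert)
```

The allow-list is the key tuning point: in a real deployment it is the set of engineering workstations and HMIs that legitimately write to controllers, and any write from outside that set on an internet-reachable port 502 is worth an alert regardless of the register value.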