FrostyGoop is the ninth industrial control systems (ICS)-specific malware, and the first ICS-specific malware that uses Modbus TCP communications to achieve an impact on Operational Technology (OT). PIPEDREAM, an ICS malware discovered in 2022, also uses Modbus, but only for enumeration in one of its components.
Dragos discovered FrostyGoop in April 2024. It can interact directly with ICS using Modbus, a standard ICS protocol across all industrial sectors and organizations worldwide. Additionally, the Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), shared details with Dragos about a disruptive cyber attack on a district energy company in Lviv, Ukraine, which resulted in a two-day loss of heating to customers. Dragos assesses that FrostyGoop was used in this attack. An associated FrostyGoop configuration file contained the IP address of an ENCO control device, leading Dragos to assess with moderate confidence that FrostyGoop was used to target ENCO controllers with TCP port 502 open to the internet.
Given the widespread use of Modbus devices globally, the broad applicability of this threat underscores the urgent need for ICS network visibility and monitoring of Modbus traffic. Detecting and flagging deviations from normal behavior, and identifying attack patterns and behaviors that abuse the Modbus protocol, is crucial. This requires developing detections from the latest threat intelligence on vulnerabilities, attack vectors, and malware targeting Modbus systems.
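The Modbus monitoring described above, as an added example that is not Dragos's or FrostyGoop's code: a minimal Modbus TCP request parser plus two detection rules a defender would run over TCP/502 flows, flagging write function codes from hosts outside an approved set and requests whose source lies outside the plant networks. The plant ranges, approved-writer set and sample frames are constructed for illustration.

```python
import ipaddress
import struct
from typing import NamedTuple

# Modbus function codes that change coil or register state on the device.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
# Assumed plant address space and approved engineering hosts (constructed values).
PLANT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
ALLOWED_WRITERS = {"10.10.1.9"}

class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU of one Modbus TCP request."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match payload size")
    return ModbusRequest(tid, unit, payload[7], payload[8:])

def inspect_flow(src_ip: str, dst_ip: str, payload: bytes) -> list:
    """Apply two rules to one TCP/502 request; an empty list means expected traffic."""
    req = parse_modbus_tcp(payload)
    src = ipaddress.ip_address(src_ip)
    alerts = []
    if not any(src in net for net in PLANT_NETWORKS):
        alerts.append(f"{src_ip} -> {dst_ip}: Modbus request from outside plant networks")
    if req.function_code in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS:
        alerts.append(f"{src_ip} -> {dst_ip} unit {req.unit_id}: {WRITE_FUNCTIONS[req.function_code]} from unapproved host")
    return alerts

SAMPLES = [  # constructed (src, dst, payload) tuples, not captured traffic
    ("10.10.1.5", "10.10.2.20", bytes.fromhex("0001000000060103000a0002")),    # fc 3 read from HMI
    ("10.10.1.9", "10.10.2.20", bytes.fromhex("00020000000601060010002a")),    # fc 6 write, approved host
    ("203.0.113.7", "10.10.2.20", bytes.fromhex("0003000000090110000400010200ff")),  # fc 16 write, external
]

def run_samples() -> list:
    """Run every sample through inspect_flow and collect the alerts."""
    return [alert for src, dst, payload in SAMPLES for alert in inspect_flow(src, dst, payload)]
```

Only the third sample trips the rules, producing one alert for the external source and one for the unapproved write; a baseline of which hosts normally write to which units is what makes the second rule useful in practice.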