Advertisement

Russia-linked hackers cut heat to 600 Ukrainian apartment buildings in the dead of winter, researchers say

Security company Dragos warns that the malware could threaten other industrial systems.

Ukraine’s Office of the President

Cybersecurity company Dragos has flagged malware that can attack industrial control systems (ICS), tricking them into malicious behavior like turning off the heat and hot water in the middle of winter. TechCrunch reports that’s precisely what the malware, dubbed FrostyGoop, did this January in Lviv, Ukraine, when residents in over 600 apartment buildings lost heat for two days amid freezing temperatures.

Dragos says FrostyGoop is only the ninth known malware designed to target industrial controllers. It’s also the first to specifically set its sights on Modbus, a widely deployed communications protocol invented in 1979. Modbus is frequently used in industrial environments like the one in Ukraine that FrostyGoop attacked in January.

Ukraine’s Cyber Security Situation Center (CSSC), the nation’s government agency tasked with digital safety, shared information about the attack with Dragos after discovering the malware in April of this year, months after the attack. The malicious code, written in Golang (The Go programming language designed by Google), directly interacts with industrial control systems over an open internet port (502).

The attackers likely gained access to Lviv’s industrial network in April 2023. Dragos says they did so by “exploiting an undetermined vulnerability in an externally facing Mikrotik router.” They then installed a remote access tool that voided the need to install the malware locally, which helped it avoid detection.

The attackers downgraded the controller firmware to a version lacking monitoring capabilities, helping to cover their tracks. Instead of trying to take down the systems altogether, the hackers caused the controllers to report inaccurate measurements — resulting in the loss of heat in the middle of a deep freeze.

Dragos has a longstanding policy of neutrality in cyberattacks, preferring to focus on education without assigning blame. However, it noted that the adversaries opened secure connections (using layer two tunneling protocol) to Moscow-based IP addresses.

“I think it’s very much a psychological effort here, facilitated through cyber means when kinetic perhaps here wasn’t the best choice,” Dragos researcher Mark “Magpie” Graham told TechCrunch. Lviv is in the western part of Ukraine, which would be much more difficult for Russia to hit than eastern cities.

Dragos warns that, given how ubiquitous the Modbus protocol is in industrial environments, FrostyGoop could be used to disrupt similar systems worldwide. The security company recommends continuous monitoring, noting that FrostyGoop evaded virus detection, underscoring the need for network monitoring to flag future threats before they strike. Specifically, Dragos advises ICS operators to use the SANS 5 Critical Controls for World-Class OT Cybersecurity, a security framework for operational environments.