FrostyGoop malware left 600 Ukrainian households without heat this winter

Researchers discovered a new malware variant likely used in an attack this January against an energy company in western Ukraine that left 600 households without heat amid freezing temperatures.

The tool, dubbed FrostyGoop, is one of only a few malware strains ever discovered in the wild that can interact directly with industrial control systems and have a physical effect on the hardware used by targeted enterprises, according to researchers at industrial cybersecurity firm Dragos, which discovered and analyzed it.

Ukraine’s security service (SBU) told Recorded Future News that during the attack the hackers compromised the infrastructure of the Lviv-based energy facility Lvivteploenergo.

“This led to a temporary shutdown of heating and hot water supply for more than 600 households in the city,” the agency’s spokesperson said. “The consequences of the cyberattack were quickly neutralized, and services were restored. The company continued to work as usual.”

According to local media reports at the time, the disruption to Lvivteploenergo affected residents of the Lviv district called Sykhiv, where around 100,000 people live.

FrostyGoop malware

Dragos discovered FrostyGoop in April 2024. The malware is compiled for Windows systems, and hasn’t been detectable by antivirus vendors, researchers said.

The malware targets the popular Modbus protocol used for transmitting data between various devices, typically in industrial automation systems. Researchers said that FrostyGoop is the first malware of its kind that uses Modbus to disrupt systems controlling physical devices.

Modbus is an old protocol that has become an industry standard. However, it is not very secure, Dragos researcher Magpie Graham said during a press briefing.

During the attack on Lviveploenergo, the attackers sent Modbus commands to ENCO controllers designed to control district heating substation modules or boiler plant processes, causing inaccurate measurements and system malfunctions, researchers said.

“Given the ubiquity of the Modbus protocol in industrial environments, this malware can potentially cause disruptions across all industrial sectors by interacting with legacy and modern systems,” researchers said.

Dragos did not attribute FrostyGoop to a particular threat actor but noted that before the incident, attackers were connecting to the energy system’s network from Moscow-based IP addresses.

Russia-linked attacks

Russia has been heavily targeting Ukrainian critical infrastructure with both cyberattacks and missiles. As a result of these attacks, Ukraine’s energy sector has suffered $56 billion in losses, forcing the country to introduce scheduled power outages lasting up to six hours several times a day, leaving people without electricity, internet and often gas and water.

Kremlin-backed hacker groups have previously targeted Ukrainian energy facilities with disruptive cyberattacks, causing even more harm.

Earlier in April, Ukraine’s computer emergency response team (CERT-UA) reported that the Kremlin-controlled hacker group Sandworm had targeted nearly 20 energy facilities in Ukraine that spring, possibly to amplify the impact of intense Russian missile and drone strikes on critical infrastructure.

During the latest attacks on Ukrainian critical infrastructure, the group used a little-known backdoor called Kapeka. CERT-UA also identified new Linux-based variants of Kapeka developed by Sandworm — Loadgrip and Biasboat. They were installed on Ukrainian Linux devices designed to automate technological processes in critical facilities, researchers said.

Ukrainian state officials previously said that Russia is coordinating its missile strikes with cyberattacks, including when targeting energy facilities. Researchers found that Sandworm, in particular, has coordinated the timing of its cyberattacks with conventional military activity, such as kinetic strikes or other forms of sabotage.