
Connected infrastructure requires secure connections
Who knew?
A previously unseen malware, dubbed FrostyGoop, able to disrupt industrial processes was used in a cyberattack against a district energy company in Ukraine last northern winter, resulting in two days without heat for hundreds of people during sub-zero temperatures. The attack, which began late in January 2024, targeted …
a. Have they tried not connecting their industrial processes directly to the Internet?
b. Couldn't someone go down into the basement and manually start the boilers.
c. Why do so many Dragos employees have backgrounds in intelligence?
--
“Magpie” Graham .. hey New Age dude(ss)
Modbus was never designed to work on the public internet. You'd find it in an industrial setting where to get at the network you'd have to physically break into an area or building, or alternatively it's supported as a way to communicate between a PLC and our swimming pool pump motor. Putting it on TCP saves a bit of wiring, but you'd never want to expose this to the public net without tunneling it through a secure tunnel.
In this case I'd guess that the sensors and valves are connected using the Modbus protocol but the attack was against the PLC.
Incidentally, the data might not be encrypted, but without knowing the register numbers you're just fishing in the dark. In that sense it's just like every other industrial protocol (e.g. CAN) -- you've got to know the key to open the lock, as it were.
If the devices were "connected directly to the internet", the malware would not have needed to create a L2TP tunnel into the network, nor the 'hard coded routing' of that network.
Taken as a whole, the report doesn't seem to be as clear as individual parts of it seem to be.
"Couldn't someone go down into the basement and manually start the boilers."
In short: "No, because there ARE no boilers in the basement."
Ukraine, Russia and other cold climate countries frequently use district heating schemes - either dedicated, or utilising waste heat from a power plant to provide piped hot water to entire neighbourhoods - this keeps coal smoke (or other nasties) out of residential areas and is overall vastly more efficient/safer than individual systems
When Battersea power station was operational in London, it heated most of Pimlico - the district heating system there is still in use but gas-fired these days (https://en.wikipedia.org/wiki/Pimlico_District_Heating_Undertaking).
It sounds to me like the exploit was the MikroTik router that then allowed the attackers to gain access to the network being used to carry the modbus traffic.
They then merely _used_ the modbus protocol to send fake data, but modbus was not exploited as such and there were no new vulnerabilities in it. Modbus is an insecure protocol that relies on the security of the underlying network for protection; as such it worked exactly as designed.
This was a failure of the network and/or the architecture of the system.
So would this class it as a zero day exploit?
Aren't those meant to be a) difficult to find or b) expensive to buy on the dark web?
The rest of it sounds like the usual f**king up of an industrial control system.
Or have I missed something?
Otherwise it's a JSON-based, script-driven network driver.
Kind of a cool tool, apart from its function.
Gotta remember the Modbus spec was designed as an industrial control system. Device gets command, device responds to command. Security was simply not a consideration for the problems that Modbus was trying to address.
The moment you mix that kind of device into other networks for other purposes it is screaming for trouble. But it is what has happened extensively.
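The "device gets command, device responds to command" point above, and the earlier remark that Modbus relies entirely on the underlying network for protection, can be seen in the wire format. The following is an added example, not code from the thread or from any vendor: it parses a Modbus/TCP frame (MBAP header plus PDU), which carries no sender identity or authentication at all, and then applies the kind of check a network monitor has to do instead, flagging write commands from any host outside an allowlist. The host addresses and register numbers are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional
# Modbus function codes that change process state (from the public Modbus spec).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusFrame:
    src: str               # sending host, known only from the IP layer
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]
    value: Optional[int]   # register/coil value, or quantity for multi-writes
def parse_modbus_tcp(src: str, payload: bytes) -> ModbusFrame:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Note what is absent: no authentication or integrity field at all."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"not Modbus: protocol id {proto}")
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match payload")
    function = payload[7]
    address = value = None
    if function in WRITE_FUNCTIONS and len(payload) >= 12:
        address, value = struct.unpack(">HH", payload[8:12])
    return ModbusFrame(src, tid, unit, function, address, value)

def flag_unexpected_writes(frames, allowed_writers):
    """Defender-side check: writes should only come from the HMI/SCADA hosts.
    Modbus cannot enforce that itself, so the network monitor has to."""
    return [f"{f.src} sent {WRITE_FUNCTIONS[f.function]} "
            f"unit={f.unit_id} addr={f.address} value={f.value}"
            for f in frames
            if f.function in WRITE_FUNCTIONS and f.src not in allowed_writers]
# Constructed sample traffic (not from the incident): the HMI reads and writes,
# then a host that should never speak Modbus writes the same register.
SAMPLE = [
    ("10.0.0.5",  bytes.fromhex("000100000006" "01" "03" "0000" "0002")),
    ("10.0.0.5",  bytes.fromhex("000200000006" "01" "06" "0010" "0041")),
    ("10.0.0.99", bytes.fromhex("000300000006" "01" "06" "0010" "0000")),
]

def run_check():
    frames = [parse_modbus_tcp(src, adu) for src, adu in SAMPLE]
    return flag_unexpected_writes(frames, allowed_writers={"10.0.0.5"})
```

The allowlist is the whole control here: once an attacker has a foothold on the same network segment, the protocol itself offers nothing to distinguish their write from the HMI's.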