FrostyGoop: the New Addition to ICS-Specific Malware

By David Silva on October 15, 2024

Executive Summary

The Stuxnet attack in 2010 is the first known instance of specialized industrial control system (ICS) malware being used to cripple industry within a major nation state. Fourteen years later, there are now nine known ICS-specific malware families that have successfully caused disruption in critical processes. The newest addition, FrostyGoop, uses Modbus TCP, a communication protocol widely used across many different ICSs. Given the widespread use of Modbus TCP across several industrial sectors and FrostyGoop’s ability to read and write data in ICS registers, the capacity for harm is great, and the malware is a serious threat to the future of critical systems.

Background

FrostyGoop was discovered in April 2024 by Dragos, an industry leader in industrial cybersecurity. With information provided by the Cyber Security Situation Center (CSSC), part of the Security Service of Ukraine, Dragos was able to identify a FrostyGoop configuration file, attributing one known successful attack to the malware. A Ukrainian energy company was targeted in the attack, and the malware disrupted power for heating to over 600 buildings in sub-zero temperatures. The malware had infiltrated the network through an insecure router which, coupled with improper segmentation of network devices, allowed the attackers to send commands to ENCO controllers, causing inaccurate measurements and malfunctions. According to ECOPOWER (n.d.), the manufacturer of ENCO controllers, ENCO controllers are universal programmable controllers designed for the control of district heating substation modules or boiler plant processes and are responsible for the logging and remote modification of parameters, as well as the transfer of data and the retrieval of metering device readings.

Best Practices

To prevent ICS attacks like this one, Dragos recommends implementing “…the SANS 5 Critical Controls for World-Class OT. These include ICS incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management.” (Ahlers et al., 2024). ICS incident response involves creating step-by-step plans to respond to a variety of incidents and often includes activating an incident response team. The plan must include specific protocols and procedures for detection, reaction, and recovery. Defensible architecture refers to reducing the attack surface as much as possible and segmenting systems within the network to minimize damage when an incident occurs. ICS network visibility and monitoring requires organizations to actively monitor their networks, detecting threats and abnormal activity as accurately and quickly as possible. Secure remote access requires the implementation of controls to monitor and secure access to ICSs, using tools like multi-factor authentication and encrypted communication. Risk-based vulnerability management is the assessment and mitigation of vulnerabilities within an organization, prioritizing the most critical vulnerabilities first. Together, these five controls provide a strong defense against would-be attackers and are critical to ensuring the safety and security of ICSs.
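The network visibility and monitoring control described above can be made concrete for the protocol FrostyGoop abuses. The following is an added illustrative example, not code from the article or from Dragos: it parses the Modbus TCP MBAP header and function code of captured requests and raises an alert whenever a register write (function code 0x06 or 0x10) comes from a host outside a hypothetical allowlist of engineering workstations. The IP addresses, allowlist and sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes from the protocol specification.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_CODES = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}

# Hypothetical allowlist: the only hosts permitted to write to controllers.
WRITE_ALLOWLIST = {"10.0.1.10"}  # e.g. the plant's engineering workstation

@dataclass
class ModbusRequest:
    src_ip: str
    unit_id: int
    function: int
    start_addr: int
    count: int

def parse_modbus_tcp(src_ip: str, payload: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header and the start of the PDU of one request."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None  # protocol id must be 0 and length must cover unit id + PDU
    function = payload[7]
    if function == WRITE_SINGLE_REGISTER and len(payload) >= 12:
        addr = struct.unpack(">H", payload[8:10])[0]
        return ModbusRequest(src_ip, unit, function, addr, 1)
    if function in (READ_HOLDING_REGISTERS, WRITE_MULTIPLE_REGISTERS) and len(payload) >= 12:
        addr, count = struct.unpack(">HH", payload[8:12])
        return ModbusRequest(src_ip, unit, function, addr, count)
    return ModbusRequest(src_ip, unit, function, 0, 0)

def detect_unauthorized_writes(frames: List[Tuple[str, bytes]]) -> List[str]:
    """Return one alert line per register write from a host not on the allowlist."""
    alerts = []
    for src_ip, payload in frames:
        req = parse_modbus_tcp(src_ip, payload)
        if req and req.function in WRITE_CODES and req.src_ip not in WRITE_ALLOWLIST:
            alerts.append(f"unauthorized Modbus write from {req.src_ip} to unit {req.unit_id} "
                          f"fc=0x{req.function:02x} addr={req.start_addr} count={req.count}")
    return alerts

# Constructed sample frames (source IP, raw TCP payload); not captures from the incident.
SAMPLE_FRAMES = [
    ("10.0.1.10", bytes.fromhex("0001000000060103000A0002")),                  # read, allowed host
    ("10.0.1.10", bytes.fromhex("0002000000060106000A0032")),                  # write, allowed host
    ("192.168.99.5", bytes.fromhex("0003000000060106000A0000")),               # write single, unknown host
    ("192.168.99.5", bytes.fromhex("00040000000B011000100002040000FFFF")),     # write multiple, unknown host
]
```

In practice the frames would come from a network sensor feed rather than an inline list, and the allowlist would be derived from the segmented architecture the text describes.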

Significance

The potential for harm when it comes to ICSs is immense, potentially causing major disruptions in critical infrastructure and sometimes even physical damage. FrostyGoop is particularly dangerous because it can be used to impact a variety of systems across the world, provided those systems use Modbus TCP. This level of compatibility is extremely dangerous and has the potential to impact both new and legacy systems. The threat to ICSs is ever-growing, and we are sure to see more attacks using new ICS-specific malware, each more dangerous than the last.

References

Ahlers, C., Graham, M., & O’Meara, K. (2024). Impact of FrostyGoop ICS Malware on Connected OT Systems. Dragos – Intelligence Brief. https://hub.dragos.com/report/frostygoop-ics-malware-impacting-operational-technology

Dragos, Inc. (2024). The SANS ICS Five Critical Controls: A Practical Framework for OT Cybersecurity. Dragos. https://www.dragos.com/blog/the-sans-ics-five-critical-controls-a-practical-framework-for-ot-cybersecurity/

ECOPOWER. (n.d.). ENCO Control. ECOPOWER Engineering Services. https://ecopower-eu.com/en/enco-control/#:~:text=Universal%20programmable%20controller%20is%20designed,transfer%20into%20MS%20information%20system.

Parsons, D. (2024). What’s the Scoop on FrostyGoop: The Latest ICS Malware and ICS Controls Considerations. SANS. https://www.sans.org/blog/whats-the-scoop-on-frostygoop-the-latest-ics-malware-and-ics-controls-considerations/