July 23, 2024 at 01:36PM
The FrostyGoop malware, linked to Russian threat groups, was used in a cyberattack in January 2024 to disrupt the heating in over 600 apartment buildings in Lviv, Ukraine. The attackers breached the network a year earlier and exploited vulnerabilities in industrial control systems. Organizations are advised to implement specific cybersecurity measures to counter such threats.
Key takeaways are as follows:
1. Russian-linked malware called FrostyGoop was used in a cyberattack on a municipal district energy company in Lviv, Ukraine, in January 2024, cutting off heating to over 600 apartment buildings during sub-zero temperatures.
2. FrostyGoop is designed to target industrial control systems (ICS) using the Modbus TCP communications protocol, and it was discovered by cybersecurity company Dragos.
3. The attackers may have entered the victim’s network almost a year earlier, exploiting vulnerabilities in an Internet-exposed MikroTik router and deploying a webshell to maintain access.
4. The attackers used Moscow-based IP addresses to access the district energy company’s network assets on the day of the attack.
5. The compromised network, including the MikroTik router and the district’s heating system controllers, was not correctly segmented, allowing the attackers to exploit hardcoded network routes and take control of the heating system controllers.
6. The attackers downgraded the firmware of the heating system controllers to versions lacking monitoring capabilities to evade detection.
7. Dragos warned that the FrostyGoop malware, due to its use of the Modbus protocol, has the potential to disrupt various industrial sectors.
8. The company advises industrial organizations to implement the SANS 5 Critical Controls for World-Class OT Cybersecurity, including ICS incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management.
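Items 5 and 8 describe the same gap: Modbus TCP traffic could reach the controllers from hosts that should never have been able to talk to them, and nothing flagged it. As an added example (not from the article or from Dragos), the following passive check parses the Modbus TCP header of captured payloads and flags requests to port 502 from sources outside an approved list; the allowlisted address, the sample payloads and the function names are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumption for this example (not from the article): the only engineering
# workstation approved to talk Modbus to the controllers.
ALLOWED_MASTERS = {ipaddress.ip_address("10.20.0.10")}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_request(payload: bytes):
    """Parse the MBAP header and function code of one Modbus TCP request.
    Returns None if the payload is not a single well-formed Modbus TCP ADU."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    # Protocol id is always 0 for Modbus; length counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"transaction": tid, "unit": unit, "function": func}

def review_flow(src_ip: str, dst_port: int, payload: bytes):
    """Return a list of alert strings for one captured TCP payload."""
    if dst_port != 502:
        return []
    req = parse_modbus_request(payload)
    if req is None:
        return []
    alerts = []
    src = ipaddress.ip_address(src_ip)
    if src not in ALLOWED_MASTERS:
        alerts.append(f"modbus from unapproved source {src}")
        if req["function"] in WRITE_FUNCTIONS:
            alerts.append(f"unapproved {WRITE_FUNCTIONS[req['function']]} "
                          f"to unit {req['unit']}")
    return alerts

# Constructed sample payloads: Read Holding Registers (0x03) and
# Write Single Register (0x06), both addressed to unit 1.
READ_REQ = bytes.fromhex("000100000006010300000002")
WRITE_REQ = bytes.fromhex("000200000006010600100001")

if __name__ == "__main__":
    for ip, pl in [("10.20.0.10", READ_REQ), ("192.0.2.77", WRITE_REQ)]:
        print(ip, review_flow(ip, 502, pl))
```

In a real deployment the payloads would come from a span port or tap on the controller segment, and the same allowlist should also be enforced at the firewall so that the alert is a second line of defense rather than the only one.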