ICS/OT Threat Awareness – Dragos Highlights FrostyGoop and Abuse of Unauthenticated Modbus TCP

Created: Thursday, July 25, 2024 - 14:34
Categories:
OT-ICS Security

This post is provided for awareness with most of the content pulled directly from the reporting sources.

Executive Summary: FrostyGoop’s ability to communicate with ICS devices via Modbus TCP threatens critical infrastructure across multiple sectors. This appears to be another living-off-the-land method that uses native functionality to cause harm. As Dale Peterson pointedly observes, “this is not attack code. It is a Modbus client sending legitimate, properly formed commands to a Modbus server. The longstanding widely used Modbus TCP protocol lacks authentication. There is no bug that is being exploited. It’s working exactly as designed.” While Dale does not disagree with the current mitigation recommendations, he urges the community to move toward implementing secure control protocols (acknowledging that this will not happen overnight): “It’s missing the remediation that addresses the core problem: the ICS control protocol is unauthenticated. There’s a solution: Modbus/TCP Security. Where is the recommendation to upgrade to Modbus/TCP Secure or another secure control protocol? We now have CIP Secure, OPC UA, BACnet Secure and other authenticated protocols.”

The content below is taken directly from Dragos’ report.

According to a recent Dragos Intelligence Brief, FrostyGoop is the ninth industrial control systems (ICS) specific malware. It is the first ICS-specific malware that uses Modbus TCP communications to achieve an impact on Operational Technology (OT). PIPEDREAM, an ICS malware discovered in 2022, uses Modbus communications in one of its components for enumeration.

Members are encouraged to review the entire report, but for your convenience, Dragos’ key findings are copied here (with emphasis):

  • FrostyGoop is the ninth industrial control system (ICS) specific malware. It is the first ICS-specific malware that uses Modbus communications to achieve an impact on operational technology (OT).
  • In April 2024, Dragos discovered multiple FrostyGoop binaries. FrostyGoop is ICS-specific malware written in Golang that directly interacts with industrial control systems (ICS) using Modbus TCP over port 502. It is compiled for Windows systems, and at the time of the discovery, antivirus vendors did not detect it as malicious.
  • FrostyGoop can read and write to an ICS device holding registers containing inputs, outputs, and configuration data. It accepts optional command line execution arguments, uses separate configuration files to specify target IP addresses and Modbus commands, and logs output to a console and/or a JSON file.
  • The Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), shared details with Dragos relating to a cyber attack that targeted a municipal district energy company in Lviv, Ukraine. During sub-zero temperatures, the attack disrupted the power supply to heating services to over 600 apartment buildings. The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions. Remediation took almost two days.
  • The investigation revealed that the adversaries possibly gained access to the victim network through an undetermined vulnerability in an externally facing Mikrotik router. The network assets, including the Mikrotik router, four management servers, and district heating system controllers, were not adequately segmented, facilitating the attack.
  • FrostyGoop's ability to communicate with ICS devices via Modbus TCP threatens critical infrastructure across multiple sectors. Given the ubiquity of the Modbus protocol in industrial environments, this malware can potentially cause disruptions across all industrial sectors by interacting with legacy and modern systems. The Lviv, Ukraine, incident highlights the need for adequate security controls, including OT-native monitoring. Antivirus vendors' lack of detection underscores the urgency of implementing continuous OT network security monitoring with ICS protocol-aware analytics to inform operations of potential risks.
  • Dragos recommends that organizations implement the SANS 5 Critical Controls for World-Class OT Cybersecurity. These include ICS incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management.
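As an added illustration of the OT-native, protocol-aware monitoring the findings above call for (example code written for this post, not from Dragos or the FrostyGoop report), the following Python parses Modbus TCP request frames on port 502 and flags write function codes sent by hosts that are not on a per-controller allowlist; the IP addresses, allowlist and frames are constructed sample data, and the allowlist stands in for the authentication the protocol itself lacks.

```python
import struct
# Modbus function codes that change controller state (write requests).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and the first fields of a Modbus TCP request PDU."""
    if len(payload) < 12:
        raise ValueError("frame too short for MBAP header and a request PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(payload) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc, address, value_or_qty = struct.unpack(">BHH", payload[7:12])
    return {"tid": tid, "unit": unit, "fc": fc, "address": address, "value_or_qty": value_or_qty}

def detect_unauthorized_writes(events, allowed_writers):
    """events: (src_ip, dst_ip, dst_port, payload) tuples from a capture; allowed_writers:
    controller IP -> hosts permitted to write to it. Returns a list of alert strings."""
    alerts = []
    for src, dst, port, payload in events:
        if port != 502:
            continue
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"{src}->{dst}: malformed Modbus TCP frame ({err})")
            continue
        name = WRITE_FUNCTION_CODES.get(req["fc"])
        if name and src not in allowed_writers.get(dst, set()):
            alerts.append(f"{src}->{dst} unit {req['unit']}: {name} at address "
                          f"{req['address']:#06x} from a host not on the write allowlist")
    return alerts

# Constructed sample data: HMI 10.0.0.5 is the only host allowed to write to controller 10.0.0.20.
ALLOWED_WRITERS = {"10.0.0.20": {"10.0.0.5"}}
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("00010000000601030000000a")),  # read 10 holding regs
    ("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("000200000006010600100001")),  # HMI write, allowed
    ("10.0.0.99", "10.0.0.20", 502, bytes.fromhex("00030000000b0110001000020400010002")),  # rogue write
    ("10.0.0.99", "10.0.0.20", 502, bytes.fromhex("000400000006")),  # truncated frame
]

if __name__ == "__main__":
    print("\n".join(detect_unauthorized_writes(SAMPLE_EVENTS, ALLOWED_WRITERS)))
```

Only the write from the non-allowlisted host and the truncated frame produce alerts; the HMI's read and write pass silently, which is the behaviour a per-asset allowlist should give once the engineering and HMI hosts are enumerated.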

Resources