Simple \u2018FrostyGoop\u2019 malware responsible for turning off Ukrainians\u2019 heat in January attack | CyberScoop<\/title> <meta name=\"description\" content=\"The attack is the latest in a string targeting Ukrainian critical infrastructure and illustrates the growing ease of targeting industrial systems.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/frostygoop-ics-malware-dragos-ukraine\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Simple \u2018FrostyGoop\u2019 malware responsible for turning off Ukrainians\u2019 heat in January attack\"> <meta property=\"og:description\" content=\"The attack is the latest in a string targeting Ukrainian critical infrastructure and illustrates the growing ease of targeting industrial systems.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/frostygoop-ics-malware-dragos-ukraine\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-07-23T09:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2024-07-22T23:32:54+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1721147539g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1721117550g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1721183474g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/81110\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=81110\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffrostygoop-ics-malware-dragos-ukraine%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffrostygoop-ics-malware-dragos-ukraine%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-81110 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/frostygoop-ics-malware-dragos-ukraine\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.937894736842\">\n<div class=\"single-article__header-content\" readability=\"29.813793103448\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/geopolitics\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> The attack is the latest in a string targeting Ukrainian critical infrastructure and illustrates the growing ease of targeting industrial systems. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> A view of the monument to the first Ukrainian printer Ivan Fedorov during snowfall on November 28, 2023 in Lviv, Ukraine. (Photo by Les Kasyanov\/Global Images Ukraine via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"40.630758327427\"><body readability=\"82.180891719745\"><\/p>\n<p>Malware targeting the widely-used Modbus industrial communication protocol was responsible for more than 600 apartment buildings in Ukraine losing heat for two days in January, according to a <a href=\"https:\/\/hub.dragos.com\/report\/frostygoop-ics-malware-impacting-operational-technology\">new report by<\/a> cybersecurity firm Dragos. <\/p>\n<p>The malware, which Dragos has named FrostyGoop, uses Modbus to allow attackers to further attack industrial-controlled systems (ICS). Dragos said it was able to determine FrostyGoop was responsible for the outage when The Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine, shared information related to an attack targeting a municipal energy company in Lviv.<\/p>\n<p>Dragos says FrostyGoop is the first ICS-focused malware that uses the Modbus protocol to cause a physical disruption to operational technology (OT).<\/p>\n<p>It\u2019s not clear who created the malware. Dragos did not attribute FrostyGoop to a particular threat actor. The malware was written using Go and other open-source software libraries. The creators of the malware are now being tracked by Dragos as TAT2024-24. The company considers FrostyGoop to be the ninth unique piece of ICS-focused malware used in disruptions or attacks. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> While it\u2019s not particularly sophisticated, experts warn FrostyGoop reveals that attackers continue to focus on once obscure systems and protocols, including those that keep critical infrastructure like electricity and water working. <\/p>\n<p>The attackers are believed to have initially compromised the municipal energy provider\u2019s networks 10 months before the attack, via a vulnerability in a Microtik router. The attackers then spent the remainder of the year conducting various tasks to set up the attack, including obtaining user credentials for the energy system. It was also discovered that hours before the incident attackers were connecting to the energy system\u2019s network from Moscow-based IP addresses. <\/p>\n<p>The attack was launched as Ukraine dealt with <a href=\"https:\/\/www.cnn.com\/2024\/01\/25\/europe\/ukraine-energy-firm-postal-service-cyberattack-intl\/index.html\">a large-scale cyberattack in January<\/a> that caused issues at the country\u2019s largest oil and gas company and its national post service, among other entities. <\/p>\n<p>\u201cI think it\u2019s very much a psychological effort here, facilitated through cyber means when kinetic perhaps wasn\u2019t here the best choice,\u201d said Mark Graham, technical director and principal adversary hunter at Dragos.<\/p>\n<p>The Security Service of Ukraine did not respond to requests for comment.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The only other hacking unit known to have such an impact on Ukraine\u2019s critical infrastructure is Sandworm, which is run by Russia\u2019s Main Intelligence Directorate military unit. Sandworm has been notorious for taking down Ukraine\u2019s grid multiple times, including most recently in October 2022 when it <a href=\"https:\/\/cyberscoop.com\/sandworm-russia-ukraine-grid\/\">hacked into an electrical substation<\/a>..<\/p>\n<p>It\u2019s not often that malware targeting sensitive industrial control networks is discovered. One of the most recent was Pipedream, which experts feared could be the ICS equivalent of Cobalt Strike, a legitimate threat emulation tool that has been co-opted by malicious attackers. <\/p>\n<p>While Pipedream is an incredibly sophisticated tool set, FrostyGoop is a bit different.<\/p>\n<p>\u201cIt is a simple tool,\u201d Graham said.<\/p>\n<p>Yet even with the tool rooted in simplicity, that does not mean it\u2019s any less dangerous. Graham warned that it\u2019s getting easier for low-cost attacks to impact industrial systems, regardless if they are carried out by state-backed hackers and financially motivated cybercriminals.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cYou might not have all of your best malware deployed, but you want to know that at the drop of a hat if you need to operate, you\u2019ve got a way in and you\u2019ve got the capability to do it on a shelf somewhere,\u201d Graham said. \u201cA number of adversaries are now realizing that they also want that capability, just like we\u2019ve seen a number of countries that didn\u2019t necessarily invest in their own malware development, but are customers of those private sector actors.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.6547231270358\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack-1.jpg?w=640&ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/frostygoop-ics-malware-dragos-ukraine\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Simple \u2018FrostyGoop\u2019 malware responsible for turning off Ukrainians\u2019 heat in<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[413,1658,302,873,256,270,880,288,354],"tags":[415,1659,306,875,262,276,881,294,358],"class_list":["post-4597","post","type-post","status-publish","format-standard","hentry","category-critical-infrastructure","category-dragos","category-geopolitics","category-ics","category-research","category-russia","category-sandworm","category-threats","category-ukraine","tag-critical-infrastructure","tag-dragos","tag-geopolitics","tag-ics","tag-research","tag-russia","tag-sandworm","tag-threats","tag-ukraine"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/critical-infrastructure\/\" rel=\"category tag\">critical infrastructure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dragos\/\" rel=\"category tag\">Dragos<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ics\/\" rel=\"category tag\">ics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sandworm\/\" rel=\"category tag\">Sandworm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ukraine\/\" rel=\"category tag\">Ukraine<\/a>","tag_info":"Ukraine","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4597"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4597\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":4597,"date":"2024-07-23T04:00:00","date_gmt":"2024-07-23T09:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=81110"},"modified":"2024-07-23T04:00:00","modified_gmt":"2024-07-23T09:00:00","slug":"simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/07\/23\/simple-frostygoop-malware-responsible-for-turning-off-ukrainians-heat-in-january-attack\/","title":{"rendered":"Simple \u2018FrostyGoop\u2019 malware responsible for turning off Ukrainians\u2019 heat in January attack"},"content":{"rendered":"