Elementrica
03Case Studies04References05Company06News07Contact
PLENDE

FrostyGoop and the cyber cold war: how malware cut off critical infrastructure in Lviv

ElementricaElementrica7 min
FrostyGoop and the cyber cold war: how malware cut off critical infrastructure in Lviv

In January 2024, a cyberattack left almost 600 buildings in Lviv without heat for 48 hours, with the temperature near freezing. The cause was malware that Dragos named FrostyGoop, built to hit industrial equipment through the Modbus protocol. It is one of the few publicly confirmed cases where a cyberattack struck directly at residents' comfort and safety. Here is how it happened and what it means if you own the infrastructure.

What happened in Lviv

Dragos, a firm that specializes in industrial systems security (ICS and OT), analyzed the incident and identified the malware behind the attack, naming it FrostyGoop. The attacker did not reach for a sophisticated exploit. They used Modbus, an ordinary industrial protocol.

This was not a data leak or a locked inbox. It was a physical result of a cyberattack: cold apartments in the middle of winter. That is exactly what separates an attack on OT from a typical IT incident.

Modbus, a protocol with no authentication

Modbus is one of the most common communication protocols in industry, designed in 1979. Despite its age it is still everywhere, because it is simple and rarely fails. Devices from practically every major automation vendor support it.

VendorExample product with Modbus TCP/IP
ABBModbus TCP/IP fieldbus adapters for drives
SiemensPLC controllers with Modbus TCP/IP support
Mitsubishi ElectricModbus TCP/IP interface module
Schneider ElectricModbus TCP/IP communication for devices
Rockwell AutomationModbus TCP communication with Logix controllers

The catch is that Modbus predates the moment network security became a topic. Its TCP/IP version has no authentication and no authorization. To send a command to a device, you only need its IP address, a port (usually 502), and the device identifier.

How FrostyGoop works

FrostyGoop is a Windows program written in Go that uses publicly available Modbus libraries. It behaves like an ordinary Modbus TCP/IP client: it can read and overwrite device registers.

That is where its power lies. Registers hold the parameters that control how industrial equipment runs. By writing wrong values into them, an attacker changes how the hardware actually behaves. Worse, FrostyGoop traffic looks like legitimate Modbus communication, so it is hard to tell apart from normal system activity.

According to Dragos, the attackers most likely got into the victim's network through a flaw in a router, then sent malicious commands straight to the ENCO heating system controllers. They also remotely downgraded the devices, so the readings turned inaccurate and operators lost visibility into what was happening.

How dangerous this kind of attack is

The biggest risk lies with Modbus TCP/IP devices exposed straight to the internet. Since the protocol asks for no authentication, anyone who reaches them can try to change register values.

The scale is real. Dragos estimated that of roughly 640,000 devices with port 502 open on the internet, about 46,000 may be vulnerable. The second tier of risk is devices on internal networks: once an attacker is inside, they become an easy target.

How to protect Modbus and OT devices

One rule matters most: industrial devices should not be directly reachable from the internet. Beyond that, add further layers of protection, mapped to the mitigations in MITRE ATT&CK for ICS.

MeasureWhat it does
Network segmentationIsolate Modbus devices from the rest of the network, and especially from the internet, to limit how far an attack can spread.
Access control and firewallsRestrict communication with the devices to trusted IP addresses only.
Continuous monitoringDetect unusual activity on the industrial network with IDS/IPS tuned for OT.
Traffic encryptionModbus does not encrypt data, but the traffic can be tunneled through a VPN.
Regular audits and testingSecurity audits and vulnerability assessments of ICS/OT environments, to find the weak points before an attacker does.

What FrostyGoop teaches

FrostyGoop showed that an attack on OT is not theory. A simple protocol without authentication, a device exposed to the network, and a router flaw were enough to cut heat to hundreds of buildings.

For anyone who owns critical infrastructure, the takeaway is practical: OT security is not an add-on to IT, it is a condition for staying operational and keeping people safe.

Want to check whether your industrial devices are exposed and open to an attack like this? Book a free consultation. We will map the attack surface of your OT environment and tell you what to secure first.

Are your OT devices exposed to the network?

Book a free consultation and we will check whether your industrial infrastructure is open to an attack like FrostyGoop.

Previous
A short introduction to ICS and OT security