FrostyGoop, a newly discovered ICS malware, communicates over Modbus TCP and can directly read from and write to industrial control system (ICS) devices, potentially disrupting critical infrastructure.
It was used in a cyberattack on a Ukrainian district energy company, where it manipulated ENCO controllers and caused a roughly two-day loss of heating. Because Modbus TCP is used across many sectors, FrostyGoop is a significant threat well beyond that one victim.
The incident highlights the importance of visibility into ICS networks, monitoring of Modbus traffic, and robust security controls such as network segmentation and ICS-aware intrusion detection systems.
The malware, written in Golang, can directly target ICS devices over Modbus TCP, reading and writing the holding registers that hold data critical to a device's operation.
Although initially believed to be a test program, FrostyGoop was later confirmed to have been used in an attack against an ENCO control device. Because its Modbus functionality is generic rather than vendor-specific, it can potentially affect any device that communicates over Modbus TCP.
FrostyGoop manipulates industrial equipment over Modbus TCP and accepts either command line arguments or a JSON configuration file specifying the target IP addresses, the Modbus commands to issue (register reads and writes), and logging options.
A configuration file can also schedule the attack for a specific time and set delays between commands. By abusing Modbus, a protocol that is widely used in ICS and carries no authentication of its own, FrostyGoop can disrupt critical infrastructure systems.
On the wire, the malware reads Modbus registers with function code 3 (Read Holding Registers) and writes them with function codes 6 (Write Single Register) and 16 (Write Multiple Registers), against targets named by IP address on the command line or in the configuration file.
After a successful connection, it logs communication details, including timestamps, target IPs, function codes, and response times. In the attack on the ENCO district heating system, the adversary downgraded controller firmware and used FrostyGoop to manipulate temperature readings.
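The function codes above are also what a defender has to watch for. The following is an added example, not code from the original article or from Dragos: it builds and parses Modbus/TCP request frames for function codes 3, 6 and 16 and runs a small detection rule over constructed sample flows, alerting on any register write from a host that is not allow-listed and on any Modbus traffic whose source lies outside the OT subnet (the internet-exposure case the article raises). The OT subnet `10.0.0.0/8`, the allowed writer `10.0.1.10`, the external address `203.0.113.7` and the sample flows are all assumptions made up for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

# Function codes FrostyGoop is reported to use: 3 = Read Holding Registers,
# 6 = Write Single Register, 16 = Write Multiple Registers.
READ_HOLDING_REGISTERS = 3
WRITE_SINGLE_REGISTER = 6
WRITE_MULTIPLE_REGISTERS = 16
WRITE_FUNCTION_CODES = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}

# Assumed site policy (constructed for this example): the OT subnet and the one
# engineering host that is allowed to write registers.
OT_SUBNET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_WRITERS = {"10.0.1.10"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int        # registers read or written
    values: List[int]    # register values carried by a write request

def build_request(fc: int, start: int, quantity: int = 1, values=(),
                  tid: int = 1, unit: int = 1) -> bytes:
    """Build a Modbus/TCP request frame: 7-byte MBAP header followed by the PDU."""
    if fc == READ_HOLDING_REGISTERS:
        pdu = struct.pack(">BHH", fc, start, quantity)
    elif fc == WRITE_SINGLE_REGISTER:
        pdu = struct.pack(">BHH", fc, start, values[0])
    elif fc == WRITE_MULTIPLE_REGISTERS:
        data = b"".join(struct.pack(">H", v) for v in values)
        pdu = struct.pack(">BHHB", fc, start, len(values), len(data)) + data
    else:
        raise ValueError(f"unsupported function code {fc}")
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_request(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request for function codes 3, 6 and 16, checking every length field."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        if len(pdu) != 5:
            raise ValueError(f"wrong PDU length for function code {fc}")
        start, arg = struct.unpack(">HH", pdu[1:5])
        if fc == READ_HOLDING_REGISTERS:
            return ModbusRequest(tid, unit, fc, start, arg, [])
        return ModbusRequest(tid, unit, fc, start, 1, [arg])
    if fc == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 6:
            raise ValueError("truncated Write Multiple Registers PDU")
        start, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            raise ValueError("byte count inconsistent with register quantity")
        return ModbusRequest(tid, unit, fc, start, qty, list(struct.unpack(f">{qty}H", pdu[6:])))
    raise ValueError(f"unsupported function code {fc}")

def inspect(src_ip: str, dst_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert line for suspicious Modbus traffic, or None if it matches policy."""
    try:
        req = parse_request(frame)
    except ValueError as e:
        return f"MALFORMED {src_ip}->{dst_ip}: {e}"
    reasons = []
    if ipaddress.ip_address(src_ip) not in OT_SUBNET:
        reasons.append("source outside the OT network (possible internet exposure)")
    if req.function_code in WRITE_FUNCTION_CODES and src_ip not in ALLOWED_WRITERS:
        reasons.append(f"register write (fc={req.function_code}) from a host not allowed to write")
    if not reasons:
        return None
    return (f"ALERT {src_ip}->{dst_ip} unit={req.unit_id} fc={req.function_code} "
            f"addr={req.start_address} qty={req.quantity} values={req.values}: " + "; ".join(reasons))

# Constructed sample traffic (not a capture from the real incident).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", build_request(READ_HOLDING_REGISTERS, 0, 10)),
    ("10.0.1.10", "10.0.2.5", build_request(WRITE_SINGLE_REGISTER, 4, values=[850])),
    ("203.0.113.7", "10.0.2.5", build_request(READ_HOLDING_REGISTERS, 0, 10)),
    ("203.0.113.7", "10.0.2.5", build_request(WRITE_MULTIPLE_REGISTERS, 4, values=[1, 2, 3])),
]

def run_detection(flows=SAMPLE_FLOWS) -> List[str]:
    """Run inspect() over each (src, dst, frame) tuple and return the alerts raised."""
    return [a for a in (inspect(s, d, f) for s, d, f in flows) if a]
```

Running `run_detection()` on the sample flows yields two alerts, both for the external host: its read is flagged for coming from outside the OT subnet, and its Write Multiple Registers request is additionally flagged as a write from a non-allow-listed source. In a real deployment the allow-list would be per unit and per register range, since an engineering workstation legitimately writes setpoints, and the parser would sit behind a TCP stream reassembler rather than receiving whole frames.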
Because it speaks Modbus TCP directly, FrostyGoop can communicate with and manipulate industrial control devices without any vendor-specific exploit, and the prevalence of Modbus in both legacy and modern systems makes that a serious threat to critical infrastructure across sectors.
Its ability to read and modify data on ICS devices can disrupt operations and endanger public safety, and the fact that the targeted controllers were reachable from the internet underlines the need for stricter access control and network segmentation.
According to Dragos, organizations must assess and protect their ICS networks by restricting which hosts can reach Modbus devices and by conducting thorough network assessments to eliminate internet exposure. Industry-wide collaboration and information sharing are crucial to mitigating the broad impact of ICS-specific malware like FrostyGoop.