Hackers cut heat to 600 buildings in the peak of winter


Researchers claim that Russian-linked malware allowed attackers to turn off the heating in hundreds of apartment buildings in the Ukrainian city of Lviv, leaving residents in freezing temperatures for two days in mid-January.

A new type of malware, dubbed FrostyGoop, targeted a district energy company in Lviv, a Denver-sized city in western Ukraine, forcing heating system controllers to malfunction, researchers at cybersecurity company Dragos discovered.

“At the time of the attack, this facility fed over 600 apartment buildings in the Lviv metropolitan area, supplying customers with central heating. Remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures,” researchers said.


Historical weather data indicates that during the heating disruption, which occurred between January 22 and January 23 of 2024, temperatures in Lviv were as low as -2°C (28°F).

While FrostyGoop was first discovered in April, Dragos and Ukrainian authorities revealed that it was also used in the January attack. Malicious actors meticulously prepared to hit the energy company for months, first accessing the victim’s network nearly a whole year before the attack took place.

According to Dragos, the attackers accessed the victim network on April 17th, 2023, after exploiting a flaw in an externally facing MikroTik router. Three days later, they deployed a web shell tunnel. Then, on two occasions in late November and early December, attackers retrieved user credentials for further access.

While researchers don’t name any adversary or hacking group behind the attack, they note that on the day of the actual attack, “adversaries initiated L2TP (Layer Two Tunnelling Protocol) connections to Moscow-based IP addresses.”

What’s truly novel about the attacks is that the adversaries employed Modbus communications to attack operational technology (OT). As we’ve written on Cybernews before, Modbus is a communications protocol used to connect IT with OT.

The protocol has been around for a long time, having been developed by Modicon in 1979. Although the Modbus Organization has managed Modbus protocols since 2004, it is, by all accounts, a very insecure protocol, as it offers no encryption.
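The point about Modbus having no built-in protection is easy to see from its wire format: a Modbus TCP request is a 7-byte MBAP header followed by a one-byte function code and its parameters, with no field anywhere for a credential or a signature, so any host that can reach TCP port 502 can issue a write. The example below is added here for illustration and is not code from the article or from the Dragos report; it parses Modbus TCP frames according to the public Modbus Application Protocol specification and flags write function codes (0x05, 0x06, 0x0F, 0x10) coming from hosts outside an allowlist of known engineering stations. The IP addresses, register addresses, and frames are constructed sample data, and the allowlist approach is an assumption about how a defender might monitor an OT network, not something the article describes.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes from the public Modbus Application Protocol spec.
FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}

# MBAP header: Transaction ID (2), Protocol ID (2), Length (2), Unit ID (1).
MBAP_LEN = 7


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    function_name: str
    is_write: bool
    start_address: Optional[int]   # first coil/register the request touches
    value_or_count: Optional[int]  # written value (0x05/0x06) or quantity (others)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode one Modbus TCP request frame; raise ValueError on malformed input."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}; Modbus TCP uses 0")
    # The Length field counts the Unit ID plus the PDU, i.e. everything after
    # the first six bytes, so it must match the remaining frame size exactly.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    fc = frame[MBAP_LEN]
    pdu = frame[MBAP_LEN + 1:]
    start = value = None
    # Read and write requests for codes 0x01-0x06, 0x0F and 0x10 all begin
    # with a 16-bit start address followed by a 16-bit value or quantity.
    if fc in FUNCTION_NAMES and len(pdu) >= 4:
        start, value = struct.unpack(">HH", pdu[:4])
    return ModbusRequest(
        transaction_id=tid,
        unit_id=unit,
        function_code=fc,
        function_name=FUNCTION_NAMES.get(fc, f"Unknown (0x{fc:02x})"),
        is_write=fc in WRITE_CODES,
        start_address=start,
        value_or_count=value,
    )


def flag_unauthorized_writes(observations, allowed_writers):
    """Return alert strings for write requests from hosts outside the allowlist
    and for frames that do not parse as valid Modbus TCP."""
    alerts = []
    for src_ip, frame in observations:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src_ip}: malformed Modbus frame ({exc})")
            continue
        if req.is_write and src_ip not in allowed_writers:
            alerts.append(
                f"{src_ip}: {req.function_name} to unit {req.unit_id}, "
                f"address {req.start_address}, value {req.value_or_count} "
                f"from non-allowlisted host"
            )
    return alerts


# Constructed sample data: a hypothetical SCADA host and an unknown sender.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_OBSERVATIONS = [
    # Read Holding Registers 0-9 from the allowed host: normal polling.
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),
    # Write Single Register 16 := 0 from an unknown host: should alert.
    ("198.51.100.7", bytes.fromhex("000200000006010600100000")),
    # Same write from the allowed host: legitimate setpoint change.
    ("10.0.0.5", bytes.fromhex("000300000006010600100037")),
    # Length field claims 9 bytes follow but only 6 do: malformed.
    ("198.51.100.7", bytes.fromhex("00040000000901030000000a")),
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_OBSERVATIONS, ALLOWED_WRITERS):
        print(alert)
```

In a real deployment the frames would come from a network tap or from Zeek or Suricata Modbus logs rather than a hard-coded list; the useful property is that because the protocol itself carries no identity, the source address and the function code are the only signals a monitor has, which is why a write from an unexpected host deserves an alert on its own.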

“FrostyGoop’s capabilities to interact with ICS devices via Modbus TCP and its undetected status by antivirus vendors highlight the critical need for robust OT cybersecurity measures. The cyberattack on the municipal district energy company in Lviv, Ukraine, is a stark reminder of the potential real-world impacts of such vulnerabilities,” researchers explained.
