FrostyGoop: New ICS Malware Targeting Critical Infrastructure

A new malware variant, “FrostyGoop”, was detected in April attacking an energy company in Lviv, Ukraine, targeting operational technology via Modbus TCP communications. As a result of the incident, customers were left without heating for two days.

Urgent Need to Enhance Security for ICS

In a recent blog post, Dragos industrial control researchers called on security teams across the globe to improve industrial control system network visibility and to monitor and segment Modbus traffic. Because devices using the Modbus protocol are deployed worldwide, the researchers stressed the importance of detecting and flagging deviations from normal behavior and of identifying attack patterns that abuse the Modbus protocol.

Technical Insights on Modbus

According to the Dragos researchers, Modbus is a client-server communication protocol developed for Modicon Programmable Logic Controllers (PLCs) back in 1979. Today it is widely used in many other ICS/OT devices. Modbus is an open, hardware-agnostic protocol, which is why it is so popular for communication among PLCs, distributed control systems, controllers, sensors, actuators, field devices, and interfaces.

Expert Opinions on Modbus Vulnerabilities

John Gallagher, the vice president of Viakoo Labs, explained that Modbus is the most widely used protocol in industrial manufacturing, sitting at the intersection of analog and digital, which makes it an attractive target for attacks on ICS systems. Threat actors can count on port 502 being open, which lets them use TCP/IP messages to begin an attack. A cursory search of Shodan.io for Modbus already returned 90 exposed devices within the United States alone.

Gallagher indicated that the exploit had been enabled by an Internet-exposed port, something quite uncommon in most Modbus deployments. He said it was also surprising that FrostyGoop would be the very first malware strain to directly make use of Modbus TCP/IP communications, warning that it won't be the last. Detailed analysis of the FrostyGoop malware is still needed.
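
The Dragos recommendation above, to monitor Modbus traffic and flag deviations from normal behavior, can be illustrated with a small Modbus/TCP parser and a baseline check that runs over a few request frames. The Python below is an added example written for this page; it is not code from the original article, from Dragos, or from any of the vendors quoted. The client addresses, unit identifiers, and the baseline of allowed operations are constructed assumptions, and the sample frames are built inline rather than captured from any real network.

```python
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Public Modbus function codes that change controller state.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]
    quantity: Optional[int]

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, number of
    bytes that follow, i.e. unit id + PDU), unit id (1).
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    start = qty = None
    if fc in (1, 2, 3, 4, 15, 16) and len(pdu) >= 5:
        start, qty = struct.unpack(">HH", pdu[1:5])
    elif fc in (5, 6) and len(pdu) >= 5:
        start = struct.unpack(">H", pdu[1:3])[0]
        qty = 1
    return ModbusRequest(tid, unit, fc, start, qty)

def build_request(tid: int, unit: int, fc: int, start: int, value_or_qty: int) -> bytes:
    """Build a Modbus/TCP request frame; used here only to construct sample traffic."""
    pdu = struct.pack(">BHH", fc, start, value_or_qty)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu

@dataclass(frozen=True)
class Baseline:
    clients: FrozenSet[str]                  # hosts that normally speak Modbus to the PLCs
    allowed_ops: FrozenSet[Tuple[int, int]]  # (unit id, function code) pairs seen in normal operation

def check_request(src_ip: str, frame: bytes, baseline: Baseline) -> List[str]:
    """Return alert strings for one request; empty when it matches the baseline."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"malformed frame from {src_ip}: {exc}"]
    name = FUNCTION_NAMES.get(req.function_code, f"function code {req.function_code}")
    unknown_client = src_ip not in baseline.clients
    unknown_op = (req.unit_id, req.function_code) not in baseline.allowed_ops
    alerts = []
    if unknown_client:
        alerts.append(f"unexpected client {src_ip} sent {name} to unit {req.unit_id}")
    if unknown_op:
        alerts.append(f"{name} to unit {req.unit_id} is not in the baseline")
    # A state-changing request that deviates from the baseline is the case worth paging on.
    if req.function_code in WRITE_FUNCTION_CODES and (unknown_client or unknown_op):
        alerts.append(f"HIGH: state-changing {name} at address {req.start_address} from {src_ip}")
    return alerts

def audit(traffic: List[Tuple[str, bytes]], baseline: Baseline) -> Dict[int, List[str]]:
    """Check every (source ip, frame) pair; findings are keyed by transaction id."""
    findings: Dict[int, List[str]] = {}
    for src_ip, frame in traffic:
        alerts = check_request(src_ip, frame, baseline)
        if alerts:
            findings[struct.unpack(">H", frame[:2])[0]] = alerts
    return findings

# Constructed baseline: one HMI (10.20.0.5) reads and writes holding registers on unit 1.
BASELINE = Baseline(clients=frozenset({"10.20.0.5"}), allowed_ops=frozenset({(1, 3), (1, 6)}))

# Constructed sample traffic (not captured from any real network).
SAMPLE_TRAFFIC = [
    ("10.20.0.5", build_request(1, 1, 3, 0, 10)),      # HMI reads 10 holding registers: normal
    ("10.20.0.5", build_request(2, 1, 6, 40, 1)),      # HMI writes a setpoint: baselined
    ("203.0.113.7", build_request(3, 1, 6, 40, 0)),    # non-baselined address writes the setpoint
    ("10.20.0.5", build_request(4, 3, 5, 0, 0xFF00)),  # HMI writes a coil on unit 3: never seen before
]

if __name__ == "__main__":
    for tid, alerts in audit(SAMPLE_TRAFFIC, BASELINE).items():
        for alert in alerts:
            print(f"tid {tid}: {alert}")
```

The baseline is the important design choice: a plain "alert on every write" rule would drown operators in the HMI's own setpoint changes, so the check only escalates a write when either the client or the (unit, function code) pair was never seen during normal operation. In a real deployment the baseline would be learned from a capture window rather than typed in by hand.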

He also mentioned that he was surprised by the fact that the targeted systems were not segmented at all, stating that a large number of organizations usually have ICS systems on segmented networks that prevent lateral movement. He called on organizations to ensure that they effectively segment their networks and avoid exposing ICS ports to the internet.

Broader Implications and Historical Context

Morgan Wright, chief security adviser at SentinelOne, commented that this malware focuses on one of the most important critical infrastructure sectors: power. He said adversaries such as Russia could bring a nation's power and water, its very foundation, to its knees, just as they did in Ukraine some time ago.

Wright compared FrostyGoop's targeting of OT systems with earlier attacks, such as the Iran-linked CyberAv3ngers' attacks on Israeli-made Unitronics PLCs used at water and wastewater plants, or the BlackEnergy attack that knocked out power to more than 750,000 homes in Ukraine.

Challenges and Recommendations for ICS Security

According to Josh Salmanson, senior vice president of technology solutions at Telos Corporation, incidents like this are rare, though proof-of-concept exploits have existed for many years. Salmanson said that organizations protecting their ICS and enterprise environments independently of each other might find it quite hard to detect Modbus protocols on non-OT networks.

Salmanson stressed that the appearance of OT protocols such as Modbus on an enterprise network should be treated as a priority-one, immediate issue. He recommended isolating these protocols on non-internet-routable subnets/VLANs so that adversaries cannot encrypt traffic and cover their tracks.
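
Salmanson's point that Modbus showing up on an enterprise network is a priority-one issue, together with Gallagher's call to keep ICS ports off the internet, translates into a simple flow-level audit: any connection to TCP port 502 that does not stay entirely inside the OT enclave is a finding, graded by how far the traffic strays. The Python below is an added example, not code from the article or from Telos, Viakoo, or Dragos; the subnet plan and the flow records are constructed assumptions standing in for a real network plan and a NetFlow or firewall log export.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MODBUS_PORT = 502

# Constructed network plan (an assumption for the example, not from the article).
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")          # PLCs and HMIs
ENTERPRISE_SUBNET = ipaddress.ip_network("10.10.0.0/16")  # office workstations and servers
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Flow:
    src: str
    dst: str
    dport: int

@dataclass
class Finding:
    severity: str
    reason: str
    flow: Flow

def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the organization's private prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in prefix for prefix in INTERNAL_PREFIXES)

def classify_flow(flow: Flow) -> Optional[Finding]:
    """Rate one flow; None means it is not Modbus or it stays inside the OT enclave."""
    if flow.dport != MODBUS_PORT:
        return None
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if not is_internal(flow.src):
        # Port 502 reachable from outside the organization: the FrostyGoop precondition.
        return Finding("critical", "Modbus/TCP reachable from a non-internal address", flow)
    if dst in ENTERPRISE_SUBNET:
        # A Modbus server answering on the enterprise network: Salmanson's priority-one case.
        return Finding("critical", "Modbus/TCP server answering on the enterprise network", flow)
    if src in OT_SUBNET and dst in OT_SUBNET:
        return None
    if dst in OT_SUBNET:
        # Segmentation gap: an enterprise host can reach a PLC directly.
        return Finding("high", "Modbus/TCP crossing from outside the OT enclave into it", flow)
    return Finding("medium", "Modbus/TCP between hosts outside the OT enclave", flow)

def audit_flows(flows: List[Flow]) -> List[Finding]:
    """Return the findings for a batch of flows, in input order."""
    return [f for f in (classify_flow(fl) for fl in flows) if f is not None]

# Constructed flow records (not from any real log).
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.20.0.10", 502),    # HMI -> PLC inside the OT subnet: expected
    Flow("10.10.4.22", "10.20.0.10", 502),   # enterprise workstation -> PLC: segmentation gap
    Flow("203.0.113.7", "10.20.0.10", 502),  # non-internal address -> PLC: exposed port
    Flow("10.10.4.22", "10.10.9.3", 502),    # Modbus server living on the enterprise network
    Flow("10.10.4.22", "10.10.9.3", 443),    # HTTPS, not Modbus: ignored
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(f"[{finding.severity}] {finding.reason}: "
              f"{finding.flow.src} -> {finding.flow.dst}:{finding.flow.dport}")
```

The external check deliberately uses an explicit list of the organization's own prefixes rather than Python's `is_global` property, because documentation and test ranges such as 203.0.113.0/24 are classed as non-global by the standard library even though traffic from them would be arriving from outside the plant. Running this over a daily flow export is a cheap way to confirm that the VLAN isolation Salmanson recommends actually holds.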

Collaborative Approach to Defending Critical Infrastructure

For Terrence Driscoll, Chief Information Security Officer at Cyware, collaboration is key to defending critical infrastructure. He urged security teams to work closely with critical business functions and to automate more deeply in order to better understand threats such as FrostyGoop, detect them, and take decisive action to limit their impact. Driscoll also pointed to robust, real-time information sharing among trusted stakeholders as a way to fortify defenses and minimize the overall impact of malicious activity against essential services.

Final Words

The discovery of FrostyGoop has heightened the need to improve ICS security. Improved network visibility combined with Modbus traffic monitoring helps ensure that appropriate segmentation is in place, limiting the attack surface that critical infrastructure exposes to similar threats in the future.
