FrostyGoop
Keypoints:
Possible access to the network: April 2023
Exploitation: January 22-23, 2024
Exploitation IP(s): Moscow, Russia
Reporter: Dragos (CTO Phil Tonking)
Category: Malware
Victim: City of Lviv, Ukraine
Impact: Loss of heating; residents exposed to sub-zero temperatures
Time to resolution: 2 Days
Loss: 600 homes without heating
Entry point: Possibly exploitation of a vulnerability in an internet-exposed MikroTik router; the router was possibly not adequately segmented from other servers and controllers, including one made by ENCO, a Chinese company
Case study:
The heating-system controllers, ICS (industrial control system) devices communicating over Modbus, a decades-old protocol used by roughly 46,000 internet-exposed ICS devices, started reporting inaccurate measurements; the intruders did not destroy the controllers themselves, but the bad readings caused the system to operate incorrectly.
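Modbus/TCP carries no authentication, so any host that can reach a controller can issue register writes; the practical defensive control is to monitor the network for write function codes coming from hosts that are not the expected HMI or engineering station. The following is an added example (not code from Dragos or from this case study) that parses the Modbus/TCP MBAP header and flags writes from non-allowlisted sources; the allowlist address and the two sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change device state (coil/register writes)
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed allowlist: the only host expected to write to controllers (assumption)
ALLOWED_WRITERS = {"10.0.5.10"}

@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int

def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the function code and start address."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if pid != 0:  # protocol identifier is always 0 for Modbus
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field disagrees with frame size")
    function_code = frame[7]
    start_address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else 0
    return ModbusRequest(src_ip, tid, unit_id, function_code, start_address)

def alerts_for(requests):
    """Return one alert string per write that did not come from an allowlisted host."""
    alerts = []
    for r in requests:
        if r.function_code in WRITE_FUNCTION_CODES and r.src_ip not in ALLOWED_WRITERS:
            alerts.append(f"{r.src_ip} wrote register {r.start_address} "
                          f"on unit {r.unit_id} (fc={r.function_code})")
    return alerts

# Constructed sample frames (not captured traffic): a Read Holding Registers (fc 3)
# from the HMI, then a Write Single Register (fc 6) from an unknown external host.
SAMPLE = [
    ("10.0.5.10", bytes.fromhex("000100000006010300000002")),
    ("203.0.113.7", bytes.fromhex("000200000006010600100041")),
]

def scan(samples=SAMPLE):
    """Parse every (source IP, frame) pair and return the resulting alerts."""
    return alerts_for(parse_modbus_tcp(ip, frame) for ip, frame in samples)
```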