Intel Brief:

Get the latest on FrostyGoop, the 9th known ICS Malware, employed in a recent incident impacting OT.

In April 2024, FrostyGoop, an ICS malware, was discovered in a publicly available malware scanning repository. FrostyGoop can target devices communicating over Modbus TCP to manipulate control, modify parameters, and send unauthorized command messages. Modbus is a commonly used protocol across all industrial sectors. 

The Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine, shared details with Dragos about a cyber attack that impacted a municipal district energy company in Lviv, Ukraine, in January 2024. At the time of the attack, this facility fed over 600 apartment buildings in the Lviv metropolitan area, supplying customers with central heating. Remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures. Dragos assessed that FrostyGoop and internet-exposed ICS devices facilitated this attack. 

This brief provides a strategic summary of information on this OT threat and attack as reported in Dragos WorldView threat intelligence, with clear guidance for OT asset owners and operators. 
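As an added illustration of monitoring for unauthorized Modbus TCP command messages (this is not code from Dragos or from the brief, and it does not reproduce FrostyGoop's traffic), the sketch below parses a Modbus TCP frame and flags state-changing requests from sources outside an allowlist. The allowlisted subnet, the helper names and the sample frames are assumptions constructed for the example; the function codes come from the public Modbus specification.

```python
import struct
from ipaddress import ip_address, ip_network

# State-changing function codes from the public Modbus specification.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Assumption: the only hosts permitted to issue writes (e.g. an HMI subnet).
ALLOWED_WRITERS = [ip_network("10.20.0.0/28")]


def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus TCP ADU; return None if it is not well formed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; the length field counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def check_request(src_ip: str, payload: bytes):
    """Return an alert string for a write request from a non-allowlisted source."""
    adu = parse_modbus_tcp(payload)
    if adu is None:
        return None
    name = WRITE_FUNCTIONS.get(adu["function"])
    if name is None or any(ip_address(src_ip) in net for net in ALLOWED_WRITERS):
        return None
    data = adu["data"]
    addr = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    return f"ALERT {src_ip} unit={adu['unit']} {name} addr={addr}"


# Constructed sample frames: a register read and a single-register write.
READ = bytes.fromhex("000100000006010300000002")
WRITE = bytes.fromhex("000200000006010600100000")

if __name__ == "__main__":
    for src, frame in [("10.20.0.5", WRITE), ("203.0.113.7", READ), ("203.0.113.7", WRITE)]:
        print(src, check_request(src, frame))
```

In practice the payloads would come from a network tap or packet capture on TCP port 502, with the allowlist taken from the site's asset inventory.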
