Modbus Vulnerabilities Used for Cyberattack on Heating Utility

Heat and Hot Water Disrupted to over 600 buildings, about 100,000 people, for 48 Hours

A cyberattack occurred on a heating utility (also known as district heating) in the Ukrainian city of Lviv, the largest city in western Ukraine, in January 2024. The malware, named FrostyGoop, is one of the few identified in the field with the intended purpose of causing physical changes instead of being ransomware or stealing data.

As part of the attack, temperature readings in industrial control system were altered using Modbus to trick the system and modify its operation, effectively shutting down heating and hot water service for about 48 hours during the coldest part of the year. After hijacking the control systems, the attackers downgraded the firmware to versions lacking monitoring capabilities to evade detection.

While the hackers used Modbus commands that targeted specific devices, the malware appears to have been hosted on the hackers’ remote computer, not a local computer on the victim’s network. That means other means of protection as opposed to simple antivirus software, will be needed to prevent future attacks with the same method.

In a previous post we showed that there are tens of thousands publicly visible Modbus devices connected to the Internet that could affected by the lack of security for Modbus.

https://www.wired.com/story/russia-ukraine-frostygoop-malware-heating-utility/

https://techcrunch.com/2024/07/23/hackers-shut-down-heating-in-ukrainian-city-with-malware-researchers-say/

https://www.bleepingcomputer.com/news/security/frostygoop-malware-attack-cut-off-heat-in-ukraine-during-winter/

—
Blog Post Summary – All of our recent posts listed on one page