Dragos
New threat to industrial control systems
FrostyGoop is the name of a new malware variant that specializes in industrial control systems (ICS). It poses a threat to critical infrastructures worldwide. OT cyber security expert Dragos has identified FrostyGoop.
FrostyGoop is the ninth ICS-specific malware discovered to date. Its ability to communicate via Modbus TCP over the standard port 502, which is used in many industrial systems, makes it particularly dangerous. FrostyGoop can also read and write the so-called "holding registers", which hold important input, output and configuration data.
The malware was written in the Golang programming language and is compiled for Windows systems. At the time of discovery, none of the common antivirus programs identified it as malicious, which makes it considerably harder for conventional IT security tools to detect and combat.
Broader impacts and recommendations
The effects of FrostyGoop were already evident in January 2024 in Lviv, Ukraine, when a cyberattack paralyzed a municipal energy company. The attack disabled the heating systems of hundreds of residential buildings and lasted almost two days before it was fully resolved. According to Dragos, an investigation revealed that the attackers may have gained access to the victim's network through a vulnerability in a publicly accessible micro-router. After infiltrating the network, they used a web shell to create a tunnel and take control of the system servers and heating system controllers. The attackers manipulated the ENCO controllers by downgrading their firmware to an older version, which resulted in incorrect measurements and a malfunctioning heating system.
FrostyGoop has far-reaching consequences for cybersecurity in the OT sector. Because the Modbus protocol is used in many industrial environments, similar attacks could potentially affect all industries, so defensive measures are needed. Network visibility in ICS environments must be increased so that anomalies in Modbus traffic are detected and reported.
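The two points above, that FrostyGoop speaks plain Modbus TCP on port 502 and that defenders need visibility into holding-register traffic, can be combined into a small monitoring check. The following is an added example written for this page, not Dragos tooling or code from the FrostyGoop sample: it parses the Modbus/TCP frame (MBAP header plus PDU), then raises an alert whenever a holding-register write (function codes 0x06 and 0x10) comes from a host that is not on an engineering-workstation allow-list, or when a malformed frame arrives on port 502. The packet tuples, IP addresses and allow-list are constructed sample data.

```python
"""Modbus/TCP inspector (added example): flag holding-register writes from
hosts outside an allow-list and malformed frames on TCP/502."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MODBUS_TCP_PORT = 502

# Public Modbus function codes that touch holding registers.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_CODES = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int  # number of registers read or written


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse a Modbus/TCP request ADU. Returns None if the bytes do not form a
    well-formed frame (bad protocol id, inconsistent length, truncated PDU)."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:                  # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:  # length covers unit id + PDU
        return None
    fc = payload[7]
    data = payload[8:]
    if fc in (READ_HOLDING_REGISTERS, WRITE_MULTIPLE_REGISTERS):
        if len(data) < 4:
            return None
        addr, qty = struct.unpack(">HH", data[:4])
    elif fc == WRITE_SINGLE_REGISTER:
        if len(data) < 4:
            return None
        addr = struct.unpack(">H", data[:2])[0]
        qty = 1
    else:
        addr, qty = 0, 0            # other function codes: not inspected here
    return ModbusRequest(tid, unit, fc, addr, qty)


Packet = Tuple[str, str, int, bytes]  # (src_ip, dst_ip, dst_port, tcp payload)


def inspect(packets: Iterable[Packet], allowed_writers: set) -> List[str]:
    """Return one alert string per suspicious Modbus/TCP frame."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != MODBUS_TCP_PORT:
            continue
        req = parse_modbus_tcp(payload)
        if req is None:
            alerts.append(f"{src}->{dst}: malformed Modbus/TCP frame on port 502")
            continue
        if req.function_code in WRITE_CODES and src not in allowed_writers:
            alerts.append(
                f"{src}->{dst} unit {req.unit_id}: holding-register write "
                f"fc=0x{req.function_code:02x} addr={req.start_address} "
                f"qty={req.quantity} from non-engineering host"
            )
    return alerts


# Constructed sample traffic (hypothetical addresses; not from any real capture).
ALLOWED_WRITERS = {"10.0.0.9"}  # hypothetical engineering workstation
SAMPLE_PACKETS: List[Packet] = [
    # HMI reads 10 holding registers starting at address 0: benign
    ("10.0.0.5", "10.0.1.20", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # engineering host writes single register 40 := 0x1234: allow-listed
    ("10.0.0.9", "10.0.1.20", 502, b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x28\x12\x34"),
    # unknown host writes two registers at address 0: alert
    ("10.0.0.77", "10.0.1.20", 502,
     b"\x00\x03\x00\x00\x00\x0b\x01\x10\x00\x00\x00\x02\x04\x00\x01\x00\x02"),
    # truncated frame on port 502: alert
    ("10.0.0.77", "10.0.1.20", 502, b"\x00\x04\x00\x00"),
    # unrelated HTTPS traffic: ignored
    ("10.0.0.5", "10.0.1.30", 443, b"\x16\x03\x01"),
]


def run_demo() -> List[str]:
    return inspect(SAMPLE_PACKETS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In a real deployment the packet tuples would come from a SPAN port or a passive sensor rather than a list, and the allow-list would be derived from the plant's asset inventory; the parsing and alert logic stays the same.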