Hackers shut down heating in Ukrainian city with malware, researchers say

Lorenzo Franceschi-Bicchierai
Updated ·4 min read

For two days in mid-January, some Ukrainians in the city of Lviv had to live without central heating and suffer freezing temperatures because of a cyberattack against a municipal energy company, security researchers and Ukrainian authorities have since concluded.

On Tuesday, the cybersecurity company Dragos published a report with details about a new malware dubbed FrostyGoop, which the company says is designed to target industrial control systems — in this particular case, specifically against a type of heating system controller.

Dragos researchers wrote in their report that they first detected the malware in April. At that point, Dragos did not have more information on FrostyGoop apart from the malware sample, and believed it was only used for testing. Later on, however, Ukrainian authorities warned Dragos that they had found evidence that the malware was actively used in a cyberattack in Lviv during the late evening of January 22 through January 23.

“And that resulted in the loss of heating to over 600 apartment buildings for almost 48 hours,” said Mark "Magpie" Graham, a researcher at Dragos, during a call with reporters briefed on the report prior to its release.

Dragos researchers Graham, Kyle O’Meara, and Carolyn Ahlers wrote in the report that “remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures.”

This is the third known outage linked to cyberattacks to hit Ukrainians in recent years. While the researchers said the malware was unlikely to cause widespread outages, it shows an increased effort by malicious hackers to target critical infrastructure, like energy grids.

The FrostyGoop malware is designed to interact with industrial control devices (ICS) over Modbus, a decades-old protocol widely used across the world to control devices in industrial environments, meaning FrostyGoop could be used to target other companies and facilities anywhere, according to Dragos.

“There's at least 46,000 Internet exposed ICS devices that allow Modbus today,” Graham told reporters.

Dragos said that FrostyGoop is the ninth ICS-specific malware it has encountered over the years. The most famous of these are Industroyer (also known as CrashOverride), which was used by the infamous Russian-government linked hacking group Sandworm to turn off the lights in Kyiv and later to disconnect electrical substations in Ukraine. Outside of those cyberattacks targeting Ukraine, Dragos has also seen Triton, which was deployed against a Saudi petrochemical plant and against an unknown second facility later on; and the CosmicEnergy malware, which was discovered by Mandiant last year.

Dragos researchers wrote that they believe that the hackers in control of the FrostyGoop malware first gained access to the targeted municipal energy company's network by exploiting a vulnerability in an internet-exposed Mikrotik router. The researchers said the router was not “adequately segmented” along with other servers and controllers, including one made by ENCO, a Chinese company.

Graham said in the call that they found open ENCO controllers in Lithuania, Ukraine, and  Romania, underscoring once again that while FrostyGoop was used in a targeted attack in Lviv this time, the hackers in control could target the malware elsewhere.

ENCO and its employees did not immediately respond to TechCrunch's request for comment.

“The adversaries did not attempt to destroy the controllers. Instead, the adversaries caused the controllers to report inaccurate measurements, resulting in the incorrect operation of the system and the loss of heating to customers,” the researchers wrote.

During the investigation, the researchers said they concluded that the hackers “possibly gained access” to the targeted network in April 2023, almost a year before deploying the malware and turning off the heat. In the following months, the hackers kept accessing the network and on January 22, 2024, connected to through Moscow-based IP addresses, according to the report.

Despite the Russian IP addresses, Dragos didn’t point the finger at any known particular hacking group or government as responsible for this cyber-enabled outage, because the company couldn’t find ties to previous activities or tools, and because of the company's longstanding policy on not attributing cyberattacks, said Graham.

What Graham did say is that he and his colleagues believe this disruptive operation was conducted over the internet — as opposed to launching missiles at the facility — likely as an effort to undermine the morale of Ukrainians living there.

“I think it's very much a psychological effort here, facilitated through cyber means when kinetic perhaps here wasn't the best choice,” said Graham.

Finally, Dragos’ field chief technology officer Phil Tonking said that while it’s important not to underplay FrostyGoop, it’s also important not to overhype it.

“It's important to recognize that whilst this is something that has been actively used,” he said during the call with the press, “it's also very, very important that we don't think that this is something that is immediately going to bring down the nation's power grid.”