Hackers freeze 600+ buildings in Lviv with 2-day heating outage

  • Residents of Lviv, Ukraine, faced a significant disruption when a cyberattack targeted a municipal energy company, resulting in a two-day heating outage.
  • The attack on Lviv highlights a troubling trend of increased cyber threats against critical infrastructure. 

OUR TAKE
Lviv experienced a digital chill when FrostyGoop malware shut off the heat for two days in January 2024. While it might sound like a movie plot where hackers cripple a city’s infrastructure, this was real life, and 600 buildings were left in the cold. Dragos had identified the malware last year but thought it was merely a test. It turned out to be a precursor to a winter assault. Ukraine’s resilience prevailed, with services restored, but the incident underscores a crucial lesson: the cyber winter is here, and we must stay vigilant in our tech defenses.
–Miurio Huang, BTW reporter

What happened

Residents of Lviv, Ukraine, faced a significant disruption when a cyberattack targeted a municipal energy company, resulting in a two-day heating outage in January 2024. The attack, executed through malware identified as FrostyGoop, left over 600 apartment buildings without central heating amid freezing temperatures. The details of this incident were disclosed by cybersecurity firm Dragos, which reported that FrostyGoop is designed to specifically target industrial control systems, particularly those managing heating systems.

Dragos first detected FrostyGoop in April 2023 but initially believed it was only used for testing. However, Ukrainian authorities later informed Dragos that the malware was actively deployed in the attack on Lviv’s heating infrastructure from January 22 to January 23. The breach exploited vulnerabilities in the network, leading to the temporary loss of heating for nearly 48 hours. Ukrainian officials confirmed that the attack targeted LvivTeploEnergo, a major supplier of heat and hot water, but reassured that the situation was quickly addressed and services were restored.


Why it’s important

The attack on Lviv highlights a troubling trend of increased cyber threats against critical infrastructure. This incident is the third known cyberattack affecting Ukrainian energy systems in recent years, underscoring the growing sophistication and impact of such attacks. The use of FrostyGoop demonstrates a strategic shift towards targeting essential services, which can have severe consequences for civilian life and public morale.

FrostyGoop’s design allows it to interact with industrial control devices using the Modbus protocol, a communications protocol widely used in industrial environments. This means the malware could potentially affect other facilities globally, given the existence of approximately 46,000 internet-exposed ICS devices using Modbus. The attack on Lviv, therefore, serves as a warning of the broader risks associated with cyber vulnerabilities in critical infrastructure.

Dragos’ report also sheds light on the method of the attack, revealing that hackers likely exploited an internet-exposed MikroTik router to gain access to the energy company’s network. The malware did not destroy physical controllers but instead caused them to report incorrect data, leading to operational failures and the heating outage. This approach emphasises the psychological and strategic nature of the attack, aiming to disrupt and demoralise rather than cause physical damage.
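Because Modbus carries no authentication of its own, a defender's practical control is to watch who is issuing write commands to controllers. The script below is an added example written for this article, not code from Dragos or from the FrostyGoop analysis: it parses Modbus/TCP frames (MBAP header plus PDU, as defined in the public Modbus specification) and flags any write-type function code that comes from an address outside an allowlist of approved engineering or HMI hosts. The sample frames and the IP addresses are constructed for illustration and do not reproduce the Lviv traffic.

```python
"""Flag Modbus/TCP write commands that do not come from an approved source.
Added example for illustration; not code from the article, Dragos or any vendor."""
import struct
from dataclasses import dataclass

# Function codes taken from the public Modbus application-protocol specification.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU bytes that follow the function code


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts everything after itself: unit id plus PDU.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(tid, unit, payload[7], payload[8:])


def describe(frame: ModbusFrame) -> str:
    """Human-readable summary of the request, decoding the common register forms."""
    fc = frame.function_code
    if fc in (3, 4, 6) and len(frame.data) >= 4:
        addr, val = struct.unpack(">HH", frame.data[:4])
        if fc == 6:
            return f"{WRITE_FUNCTION_CODES[fc]} addr={addr} value={val}"
        return f"{READ_FUNCTION_CODES[fc]} start={addr} count={val}"
    if fc == 16 and len(frame.data) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", frame.data[:5])
        return f"{WRITE_FUNCTION_CODES[fc]} start={addr} count={qty} bytes={nbytes}"
    return WRITE_FUNCTION_CODES.get(fc) or READ_FUNCTION_CODES.get(fc) or f"fc={fc}"


def audit(events, allowed_writers):
    """events: iterable of (src_ip, raw_frame). Returns (src_ip, verdict, description) tuples.
    A write from a host that is not in allowed_writers is reported as ALERT."""
    results = []
    for src_ip, raw in events:
        try:
            frame = parse_modbus_tcp(raw)
        except ValueError as exc:
            results.append((src_ip, "MALFORMED", str(exc)))
            continue
        desc = describe(frame)
        if frame.function_code in WRITE_FUNCTION_CODES:
            verdict = "WRITE-OK" if src_ip in allowed_writers else "ALERT"
        else:
            verdict = "READ"
        results.append((src_ip, verdict, desc))
    return results


# Constructed sample traffic: the HMI address and the outside address are made up.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_EVENTS = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000010")),            # read 16 holding registers
    ("10.0.0.5", bytes.fromhex("000200000006010600100032")),            # write register 16 := 50
    ("198.51.100.7", bytes.fromhex("00030000000b0110001000020400000000")),  # write registers 16-17 := 0
    ("198.51.100.7", bytes.fromhex("0004000000")),                      # truncated frame
]

if __name__ == "__main__":
    for row in audit(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print(*row)
```

In a real deployment the `events` would come from a network tap or the controller's own logs rather than an inline list, and the allowlist would be the small, documented set of hosts that are supposed to change setpoints; any write outside that set, or any write to a unit that is normally only read, is worth an alert regardless of whether the values written look plausible.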

While Dragos has not attributed the attack to a specific hacking group or government, the use of Russian IP addresses for the attack raises questions about potential connections to state-sponsored actors. Nonetheless, Dragos cautions against overestimating the immediate threat posed by FrostyGoop, noting that while the malware is a serious concern, it is not capable of bringing down an entire national power grid.

The incident in Lviv highlights the urgent need for robust cybersecurity measures to protect critical infrastructure from increasingly sophisticated cyber threats. As cyberattacks become more targeted and impactful, the resilience of essential services and the ability to respond swiftly to such breaches are crucial for safeguarding public safety and maintaining operational integrity.

Miurio Huang

Miurio Huang is an intern news reporter at Blue Tech Wave media specialising in AI. She graduated from Jiangxi Science and Technology Normal University. Send tips to m.huang@btw.media.
