Ongoing Large-Scale Cyberattack by Ukraine Disrupts Russian Banks’ Services
Published on July 29, 2024
A January cyberattack against a municipal energy company shut down its heating systems, leaving over 600 apartment buildings in Lviv, Ukraine, without central heating for two days in sub-zero temperatures, cybersecurity company Dragos reported on Tuesday.
The new malware, dubbed FrostyGoop, is designed for Industrial Control Systems (ICS) and in this case was deployed against a specific type of heating system controller. The hackers targeted the information and communication infrastructure of heating and hot water supplier LvivTeploEnergo.
The hackers may have gained access to LvivTeploEnergo’s network by exploiting a vulnerability in an internet-exposed, “inadequately segmented” MikroTik router – along with other servers and controllers, including one made by Chinese company ENCO.
Dragos first detected the ICS malware in April via a publicly available malware scanning repository. The Cyber Security Situation Center (CSSC) of the Security Service of Ukraine found evidence of FrostyGoop being used in a Lviv cyberattack during the late evening of January 22 through January 23.
The FrostyGoop malware targets ICS devices communicating over the decades-old Modbus TCP, which is widely used in industrial environments. The malware aims to control and modify parameters via unauthorized commands.
LvivTeploEnergo’s systems malfunctioned and stopped delivering the heating agent to customers because hackers made controllers report inaccurate measurements.
The researchers' investigation concluded that the hackers may have had a foothold in the targeted network since April 2023 and used Moscow-based IP addresses on the day of the cyberattack.
According to the security report, at least 46,000 Internet-exposed ICS devices today expose Modbus, so malware like FrostyGoop could hit other companies and facilities anywhere.
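The article notes that FrostyGoop issues unauthorized Modbus TCP write commands to change controller parameters, that the affected controllers then reported inaccurate measurements, and that tens of thousands of Modbus devices remain internet-exposed. The following is an added detection example, not code from the article or from Dragos: it parses Modbus/TCP frames (the public MBAP header plus function code) and flags write-class function codes arriving from any source address that is not on an engineering-station allowlist, as well as malformed frames. The IP addresses, the allowlist and the sample frames are all constructed for illustration.

```python
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Function codes from the public Modbus specification that modify device state.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP application data unit; raise ValueError if malformed."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    # The MBAP length field counts the unit id plus the PDU, i.e. frame size minus 6.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(payload) - 6}")
    return ModbusRequest(tid, unit, payload[MBAP_LEN], payload[MBAP_LEN + 1:])


def describe_write(req: ModbusRequest) -> str:
    """Human-readable detail for the most common write requests."""
    name = WRITE_FUNCTION_CODES[req.function_code]
    if req.function_code in (0x05, 0x06) and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"{name}: address={addr} value=0x{value:04x}"
    if req.function_code in (0x0F, 0x10) and len(req.data) >= 4:
        addr, qty = struct.unpack(">HH", req.data[:4])
        return f"{name}: start={addr} count={qty}"
    return name


def detect_unauthorized_writes(flows, allowed_writers):
    """flows: iterable of (src_ip, dst_ip, dst_port, payload). Returns alert tuples."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_TCP_PORT:
            continue
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append((src, dst, "malformed", str(err)))
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append((src, dst, "unauthorized_write",
                           f"unit={req.unit_id} {describe_write(req)}"))
    return alerts


# Constructed sample traffic (hypothetical addresses; 10.0.1.5 is the only authorised HMI).
ALLOWED_WRITERS = {"10.0.1.5"}
READ_HOLDING = bytes.fromhex("000100000006 01 03 0000 0002".replace(" ", ""))
WRITE_SINGLE = bytes.fromhex("000200000006 01 06 0010 0000".replace(" ", ""))
WRITE_MULTI = bytes.fromhex("00030000000b 01 10 0000 0002 04 00000000".replace(" ", ""))
TRUNCATED = bytes.fromhex("000500000006 01 06 00".replace(" ", ""))

SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.2.20", 502, READ_HOLDING),    # authorised HMI reading registers
    ("10.0.1.5", "10.0.2.20", 502, WRITE_SINGLE),    # authorised HMI writing a setpoint
    ("203.0.113.7", "10.0.2.20", 502, WRITE_MULTI),  # write from an unknown external host
    ("203.0.113.7", "10.0.2.20", 502, READ_HOLDING), # read from the same host (not flagged here)
    ("10.0.1.5", "10.0.2.20", 502, TRUNCATED),       # length field disagrees with frame size
]


def run_sample():
    return detect_unauthorized_writes(SAMPLE_FLOWS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Modbus carries no authentication of its own, so the only usable signal at the network layer is who is sending which function code to which unit; in practice this allowlist check is paired with the segmentation the article says was missing, so that Modbus/TCP from outside the control network never reaches a controller in the first place.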
The Dragos security researchers found open ENCO controllers in Lithuania, Ukraine, and Romania.