Russian Cyber Attack Targets Ukrainian Heating Facilities
Neither Lvivteploenergo nor the SBU responded to WIRED’s requests for comment. Ukraine’s cybersecurity agency, the State Special Communications and Information Protection Service, declined to comment.
Analysis of the Attack and Malware Used
In a detailed analysis of the attack on heating facilities, Dragos said FrostyGoop malware was used to target ENCO control equipment, a Modbus-enabled industrial monitoring tool sold by Lithuanian company Axis Industries, and alter its temperature output to shut down the flow of hot water. Dragos said the hackers had gained access to the network months before the April 2023 attack by using vulnerable MikroTik routers as entry points. They then established their own VPN connection within the network, which connected back to a Moscow IP address.
Implications and Future Threats
Despite the ties to Russia, Dragos said it had not linked the heating utility intrusion to any known hacking group it tracks, and specifically noted that it did not attribute the hack to the usual suspects such as Kamacite or Electrum. Dragos found that while the hackers used their breach of the heating utility’s network to send FrostyGoop’s Modbus commands to the ENCO equipment and disable the utility’s service, the malware appeared to be hosted on the hackers’ own computers, not on the victim’s network. Dragos analyst Mark “Magpie” Graham warned that this means relying on antivirus software alone, rather than network monitoring and segmentation, to protect vulnerable Modbus devices may not prevent future use of the tool.
While the ENCO devices at the Lviv heating facility were attacked from within the network, Dragos also warned that an early version of FrostyGoop it discovered was configured to target ENCO devices that were publicly reachable over the Internet. Dragos said that in its own scans, it found at least 40 such ENCO devices that were exposed and vulnerable. The company warns that there may be tens of thousands of other Modbus-enabled devices connected to the Internet that could be targeted in the same way. “We believe FrostyGoop will be able to interact with a large number of these devices, and we are conducting research to verify which devices are indeed vulnerable,” Graham said.
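The two paragraphs above make a defensive point worth seeing in code: Modbus/TCP carries no authentication, so a write command that changes a setpoint looks the same whether it comes from the plant’s engineering station, from a rogue host that has a VPN foothold inside the network, or from the open Internet. Host antivirus on the victim’s machines sees none of this when the tool runs on the attacker’s own computer, but a network monitor can. The following is an added example, not code from Dragos, Axis Industries or the article. It parses Modbus/TCP request frames (MBAP header plus PDU, per the public Modbus specification), flags write function codes from any source not on an allowlist of engineering stations, and flags any Modbus traffic whose source is outside the plant’s internal address ranges. The allowlist, the internal ranges and the sample frames are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes from the public protocol specification.
# Writes are the codes that change device state, e.g. a temperature setpoint.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Constructed policy (assumption for this example): only the engineering
# station subnet may write, and all Modbus traffic must come from inside.
ALLOWED_WRITERS = [ipaddress.ip_network("10.10.5.0/24")]
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class ModbusRequest:
    src_ip: str
    unit_id: int
    function_code: int
    start_address: int


def parse_modbus_tcp(src_ip: str, payload: bytes) -> Optional[ModbusRequest]:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts the unit id plus the PDU that follows it.
    """
    if len(payload) < 10:
        return None
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return None  # not a well-formed Modbus/TCP frame
    function_code = payload[7]
    # Every read/write request PDU used here starts with a 16-bit address.
    (start_address,) = struct.unpack(">H", payload[8:10])
    return ModbusRequest(src_ip, unit_id, function_code, start_address)


def evaluate(req: ModbusRequest) -> List[str]:
    """Apply the two network-level checks a monitor can make without any
    help from the device, which cannot authenticate its clients."""
    alerts = []
    src = ipaddress.ip_address(req.src_ip)
    if req.function_code in WRITE_FUNCTION_CODES and not any(
        src in net for net in ALLOWED_WRITERS
    ):
        alerts.append(
            f"unauthorised Modbus write ({WRITE_FUNCTION_CODES[req.function_code]}) "
            f"to unit {req.unit_id} address {req.start_address} from {req.src_ip}"
        )
    if not any(src in net for net in INTERNAL_NETWORKS):
        alerts.append(
            f"Modbus traffic from external address {req.src_ip}: "
            "device is reachable from outside the plant network"
        )
    return alerts


def build_frame(tid: int, unit_id: int, function_code: int, address: int, value: int) -> bytes:
    """Build a single-address request frame (used to construct sample traffic)."""
    pdu = struct.pack(">BHH", function_code, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


# Constructed sample traffic: (source IP, raw Modbus/TCP payload).
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.10.5.20", build_frame(1, 1, 0x03, 0x0000, 10)),       # engineering station reads
    ("10.10.5.20", build_frame(2, 1, 0x06, 0x0010, 0x0050)),   # authorised setpoint write
    ("10.10.77.3", build_frame(3, 1, 0x06, 0x0010, 0x0000)),   # internal host that should not write
    ("198.18.200.9", build_frame(4, 1, 0x06, 0x0010, 0x0000)), # write arriving from outside
]


def scan(traffic: List[Tuple[str, bytes]]) -> List[str]:
    """Run the checks over captured frames and return all alerts."""
    alerts = []
    for src_ip, payload in traffic:
        req = parse_modbus_tcp(src_ip, payload)
        if req is not None:
            alerts.extend(evaluate(req))
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC):
        print("ALERT:", line)
```

Only the third and fourth frames produce alerts: the internal host outside the allowlist triggers one unauthorised-write alert, and the external source triggers both the write alert and the exposure alert. The parser rejects frames whose length field disagrees with the payload, so malformed or non-Modbus traffic on the port does not produce spurious matches.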
Russia’s Continued Cyber Warfare
While Dragos has yet to formally link the Lviv attack to the Russian government, Graham himself has not shied away from describing the attack as part of Russia’s war on the country: a war in which, since 2022, bombs have brutally destroyed critical infrastructure in Ukraine, and in which cyberattacks began as early as 2014. Hackers carry out sabotage, particularly in western Ukraine. “Cyber may actually be more effective, or more likely to succeed in attacking cities there, whereas kinetic weapons may still be successful at closer ranges,” Graham said. “They’re trying to use the full spectrum of arms available.”
Yet even as these tools continue to evolve, the way Graham describes the hackers’ targets has changed little over Russia’s decade-long history of terrorizing its neighbors: psychological warfare aimed at weakening Ukraine’s will to resist. “That’s how you weaken people’s will,” Graham said. “It’s not designed to interrupt heating all winter long. But it’s enough to make people think, is this the right move? Are we going to keep fighting?”