This guide offers a comparative analysis of the FrostyGoop malware scripts, reviewing findings from a prominent ICS security report and discussions within the ICS security community. FrostyGoop, a set of scripts associated with ICS environments, has recently been the subject of analysis following differing reports from cybersecurity experts. While some experts characterize FrostyGoop as a sophisticated ICS-targeted attack linked to a Russian group, opinions shared in the SCADASEC mailing list suggest a different perspective.
Our independent analysis indicates that FrostyGoop lacks the advanced characteristics typically seen in state-sponsored malware. Although FrostyGoop may possess some disruptive capabilities, its overall sophistication does not match that of other ICS-targeted malware, suggesting its threat level should be re-evaluated. Additionally, the claim that ENCO devices were targeted cannot be confirmed, as the sample appears to be a generic Modbus client with limited functionality, lacking conclusive evidence of involvement in the Ukrainian incident. Further investigation into the true nature of FrostyGoop is necessary to fully understand its implications for ICS cybersecurity.
What is FrostyGoop?
FrostyGoop is a rare type of malware specifically designed to target ICS. According to some cybersecurity experts, it is the ninth such malware, joining Trisis (Triton), CrashOverride (Industroyer), BlackEnergy2, Havex, Stuxnet, Industroyer2, PipeDream, and Fuxnet. Allegedly developed by the Sandworm team, a Russian state-sponsored APT group, FrostyGoop is believed to have been designed to disrupt OT by exploiting vulnerabilities in ICS networks.
An ICS security firm claimed FrostyGoop uses Modbus TCP communications, is written in Golang, and is compiled for Windows systems. This makes it particularly suited for ICS environments where these communication protocols and platforms are prevalent.
Event Overview: The Lviv Heating Systems
In January 2024, a leading ICS security firm reported a cyberattack on Lviv's heating infrastructure, allegedly carried out using the FrostyGoop malware. It attributed the attack to FrostyGoop, stating: "Russian-linked malware was used in a January 2024 cyberattack to cut off the heating of over 600 apartment buildings in Lviv, Ukraine, for two days during sub-zero temperatures." The attackers reportedly gained initial access by exploiting vulnerabilities in externally facing routers and "downgraded the firmware on the ENCO controllers, deploying a version that lacks monitoring capabilities," leading to a heating disruption.
However, SCADASEC presents a different account based on official Ukrainian sources, stating that only 324 Individual Heating Units (IHUs) were affected, not 600 apartment buildings, and that "the heat supply was restored in 6 hours to 50% and 13 hours to 100%, not the 48 hours claimed in the report." SCADASEC also questions the role of ENCO devices in this incident. According to SCADASEC, ENCO devices are primarily used to read data from heat meters and deliver status data to a central server, with no evidence of their involvement in controlling physical processes. This function is supported by the Technical Specification Document, which outlines their purpose and capabilities.
Additionally, SCADASEC argues there is no mention of these devices supporting the Modbus protocol for control functions, although data from the meters could potentially be converted from M-Bus to Modbus for transmission purposes, but only for transferring readings. This suggests, in SCADASEC's view, that ENCO devices, if involved at all, had a limited role that may not align with the attack scenario proposed in the ICS security firm's threat intelligence report. Additional details about the types of ENCO devices sold in Ukraine, such as data loggers with GPRS modems, support this interpretation. For example, the Elmisto ENCO device listing shows these devices are primarily intended for data logging rather than direct control of heating systems.
SCADASEC also claims that there is no direct evidence confirming that ENCO devices were targeted or affected in the incident. They point out that the only link to ENCO devices comes from a hard-coded IP address in a configuration file found on VirusTotal, which points to an ENCO device in Romania, not Lviv. Furthermore, according to SCADASEC, there are no exposed ENCO devices in Lviv, based on Shodan scans, suggesting they were never online or exposed in this region (see the SCADASEC Follow-Up Report).
Lviv Mayor Andriy Sadovyi acknowledged the incident, describing it as a "malfunction," while adding, "there is a suspicion of external interference in the company's work system, which is currently being investigated." This ambiguity highlights the contested nature of the event and the differing narratives presented by the ICS security firm and SCADASEC.
This white paper explores:
- Event Overview
- Technical Analysis
- Static and Dynamic Analysis
- MITRE ATT&CK Mapping and Cyber Kill Chain Analysis
- MITRE Mitigation Strategies
- Comparative Analysis with Known ICS Malware
- Comparison of FrostyGoop with Known ICS Malware
Conclusion
The characteristics of FrostyGoop, such as its lack of multi-stage payloads, self-propagating mechanisms, and protocol manipulation specificity, may suggest a different threat profile compared to other well-known ICS-targeted malware like Stuxnet, Triton, and CrashOverride. While it may have some disruptive capabilities in an unprotected environment, its overall lack of sophistication suggests it is not in the same category as these more advanced threats.
Further investigation is necessary to determine whether FrostyGoop represents a novel, less sophisticated threat actor’s attempt at targeting ICS, or if it is simply a low-level experimental tool with limited real-world impact.
SCADASEC’s Counterpoints and Further Analysis
According to SCADASEC, “the discovered sample is a generic Modbus client capable of reading and writing analog outputs (basically 0-100% values).” This aligns with our findings, which suggest the malware is more of a basic tool than a sophisticated weapon. SCADASEC also highlights that the connection to ENCO devices is tenuous, noting, “the only relation to ENCO devices… is the IP address in Romania,” which casts doubt on the malware’s involvement in the Lviv incident.
Note of caution
While FrostyGoop may have some limited disruptive potential in unprotected environments, the current evidence does not substantiate claims that it was involved in the Lviv incident or that ENCO devices were targeted. Further investigation is required to fully understand its origin and purpose.