| Category | Details |
|---|---|
| Threat Actors | Russian threat actors (suspected based on the attack's origin). |
| Campaign Overview | Attack on a Ukrainian municipal energy company using FrostyGoop/BUSTLEBERM malware. Caused a two-day heating outage affecting over 600 apartment buildings. |
| Target Regions (Victims) | Ukraine, with a focus on critical infrastructure (municipal energy systems). |
| Methodology | – Malware delivered via a vulnerability in a MikroTik router (or exposed OT devices).<br>– Used Modbus TCP to manipulate ICS/OT devices. |
| Product Targeted | ENCO control devices and other Modbus TCP devices within critical infrastructure. |
| Malware Reference | FrostyGoop/BUSTLEBERM (OT-centric malware), associated with Russian threat actors. |
| Tools Used | – FrostyGoop malware (compiled in the Go programming language).<br>– go-encrypt.exe (used for encrypting/decrypting JSON). |
| Vulnerabilities Exploited | – MikroTik router vulnerability (unconfirmed method).<br>– Exposed Modbus TCP devices accessible over the internet. |
| TTPs | – Use of the Modbus TCP protocol to control ICS/OT devices.<br>– JSON configuration files for targeting specific devices.<br>– Telnet used for management of ENCO devices. |
| Attribution | Russian threat actors, inferred from malware association and tactics. |
| Recommendations | – Secure exposed OT devices from the internet.<br>– Implement proper encryption and authentication for ICS communications.<br>– Monitor for anomalous Modbus traffic. |
| Source | Unit42 by Palo Alto Networks |
Read the full article: https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/
The above summary has been generated by an AI language model
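The "Monitor for anomalous Modbus traffic" recommendation is the one defenders can act on directly, since the campaign relied on Modbus TCP write commands reaching exposed devices. The following is an added example, not code from Unit42 or from the summary above: a small Modbus/TCP frame inspector that parses the MBAP header and flags (a) state-changing function codes issued by hosts outside a writer allowlist and (b) malformed frames. The sample frames, IP addresses and the allowlist are constructed for illustration; only the Python standard library is used.

```python
"""Flag anomalous Modbus/TCP traffic: write commands from non-allowlisted hosts
and malformed frames. Added example using only the standard library; the
sample capture below is constructed, not taken from any real incident."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Modbus function codes that change process state (per the Modbus specification).
WRITE_FUNCTION_CODES: Dict[int, str] = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte big-endian MBAP header and the PDU that follows it.

    Returns None when the frame is too short or when the MBAP length field
    disagrees with the number of bytes actually present.
    """
    if len(payload) < 8:  # header (7) + at least a function code (1)
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # The MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        return None
    return ModbusRequest(transaction_id, protocol_id, unit_id, payload[7], payload[8:])


def inspect_frame(src_ip: str, dst_ip: str, payload: bytes, allowed_writers: Set[str]) -> List[str]:
    """Return a list of alert strings for one TCP payload sent to a Modbus server."""
    req = parse_modbus_tcp(payload)
    if req is None:
        return [f"{src_ip} -> {dst_ip}: malformed Modbus/TCP frame ({payload.hex()})"]
    alerts: List[str] = []
    if req.protocol_id != 0:  # Modbus/TCP always uses protocol id 0
        alerts.append(f"{src_ip} -> {dst_ip}: non-zero MBAP protocol id {req.protocol_id}")
    name = WRITE_FUNCTION_CODES.get(req.function_code)
    if name and src_ip not in allowed_writers:
        alerts.append(
            f"{src_ip} -> {dst_ip}: {name} (FC {req.function_code}) to unit {req.unit_id} "
            "from non-allowlisted host"
        )
    return alerts


def analyze_events(events: Iterable[Tuple[str, str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Run inspect_frame over (src_ip, dst_ip, payload) tuples and collect alerts."""
    alerts: List[str] = []
    for src_ip, dst_ip, payload in events:
        alerts.extend(inspect_frame(src_ip, dst_ip, payload, allowed_writers))
    return alerts


# Assumed engineering workstation / HMI permitted to issue writes (constructed).
ALLOWED_WRITERS: Set[str] = {"10.0.0.5"}

# Constructed sample capture: (source ip, destination ip, TCP payload to port 502).
SAMPLE_EVENTS: List[Tuple[str, str, bytes]] = [
    # HMI reads 10 holding registers (FC 3) -> benign
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("00010000000601030000000a")),
    # External host writes a single register (FC 6) -> alert
    ("203.0.113.7", "10.0.0.20", bytes.fromhex("000200000006010600100064")),
    # Allowlisted HMI writes two registers (FC 16) -> no alert
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("00030000000b0110001000020400010002")),
    # Truncated frame (header only, no function code) -> malformed alert
    ("203.0.113.7", "10.0.0.20", bytes.fromhex("00040000000201")),
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print("ALERT:", alert)
```

Running the block prints two alerts: the FC 6 write from 203.0.113.7 and the truncated frame. In a real deployment the event tuples would come from a packet capture or network sensor feed on TCP port 502, and the allowlist would hold the hosts that legitimately program or supervise the controllers; any write from elsewhere is the behaviour the recommendation asks to be monitored for.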