| Category | Details |
|---|---|
| Threat Actors | Russian Threat Actors (suspected based on the attack’s origin). |
| Campaign Overview | Attack on a Ukrainian municipal energy company using FrostyGoop/BUSTLEBERM malware. Caused a two-day heating outage affecting over 600 apartment buildings. |
| Target Regions (Victims) | Ukraine, with a focus on critical infrastructure (municipal energy systems). |
| Methodology | - Malware delivered via a vulnerability in a MikroTik router (or exposed OT devices).<br>- Used Modbus TCP to manipulate ICS/OT devices. |
| Product Targeted | ENCO control devices, other Modbus TCP devices within critical infrastructure. |
| Malware Reference | FrostyGoop/BUSTLEBERM (OT-centric malware), associated with Russian threat actors. |
| Tools Used | - FrostyGoop malware (compiled in the Go programming language).<br>- go-encrypt.exe (used for encrypting/decrypting JSON). |
| Vulnerabilities Exploited | - MikroTik router vulnerability (unconfirmed method).<br>- Exposed Modbus TCP devices accessible over the internet. |
| TTPs | - Use of the Modbus TCP protocol to control ICS/OT devices.<br>- JSON configuration files for targeting specific devices.<br>- Telnet used for management of ENCO devices. |
| Attribution | Russian threat actors, inferred from malware association and tactics. |
| Recommendations | - Secure exposed OT devices from the internet.<br>- Implement proper encryption and authentication for ICS communications.<br>- Monitor for anomalous Modbus traffic. |
| Source | Unit42 by Palo Alto Networks |
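The Recommendations row asks defenders to monitor for anomalous Modbus traffic, and the TTPs row notes that the malware drives devices over Modbus TCP. The following Python is an added example, not code from the Unit42 article or from this summary: it parses the Modbus TCP application layer (MBAP header plus PDU), then raises an alert when a request reaches port 502 from outside the OT network or when a state-changing write function code (5, 6, 15, 16) comes from a host not on an allowlist of engineering workstations. The sample frames, IP addresses, allowlist and network ranges are all constructed for the demonstration; the choice of which function codes count as "writes" is an assumption of this example.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Dict

MODBUS_PORT = 502

# Function codes that change device state. Reads (1-4) are normally benign
# polling; writes are what a control-manipulation attack needs (assumption).
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers",
                  **WRITE_FUNCTION_CODES}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]   # first coil/register addressed
    value_or_quantity: Optional[int]  # FC 5/6: value written; others: quantity


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus TCP request: 7-byte MBAP header then the PDU.
    Returns None when the frame is truncated or the header is inconsistent."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts unit id + PDU bytes.
    if pid != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    data = payload[8:]
    start = value = None
    if fc in FUNCTION_NAMES and len(data) >= 4:
        start, value = struct.unpack(">HH", data[:4])
    return ModbusRequest(tid, unit, fc, start, value)


def detect(frames, allowed_writers, internal_nets) -> List[Dict]:
    """frames: (src_ip, dst_ip, dst_port, payload). Returns a list of alerts."""
    alerts = []
    for src, dst, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue
        req = parse_modbus_tcp(payload)
        if req is None:
            alerts.append({"src": src, "dst": dst, "reason": "malformed"})
            continue
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in internal_nets):
            # Any Modbus from outside the OT segment means the device is
            # reachable from the internet, regardless of function code.
            alerts.append({"src": src, "dst": dst, "reason": "external-source",
                           "fc": req.function_code})
        if req.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append({"src": src, "dst": dst, "reason": "unauthorized-write",
                           "fc": req.function_code, "addr": req.start_address})
    return alerts


# Constructed sample traffic (not a real capture): an HMI polling and writing,
# an external host writing, an unexpected internal host writing, and junk.
SAMPLE_FRAMES = [
    ("10.10.1.5", "10.10.2.20", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # FC3 read
    ("10.10.1.5", "10.10.2.20", 502, b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x37"),  # FC6 allowed
    ("203.0.113.45", "10.10.2.20", 502, b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x00"),  # external FC6
    ("10.10.1.77", "10.10.2.20", 502,
     b"\x00\x04\x00\x00\x00\x0b\x01\x10\x00\x10\x00\x02\x04\x00\x00\x00\x00"),  # FC16 from non-HMI
    ("10.10.1.9", "10.10.2.20", 502, b"\x00\x05\x00\x00\x00\x02\x01"),  # truncated
]
ALLOWED_WRITERS = {"10.10.1.5"}                       # engineering workstation / HMI
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # OT segment


def run_demo() -> List[Dict]:
    return detect(SAMPLE_FRAMES, ALLOWED_WRITERS, INTERNAL_NETS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the demo yields four alerts: two for the external host (it is both outside the OT range and not an approved writer), one for the internal host issuing Write Multiple Registers, and one for the truncated frame. In practice the frame tuples would come from a span port or flow collector, and the allowlist from the asset inventory.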
Read the full article: https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/
The above summary has been generated by an AI language model