Lvivteploenergo didn’t respond to WIRED’s request for comment, nor did the SBU. Ukraine’s cybersecurity agency, the State Services for Special Communication and Information Protection, declined to comment.
In its breakdown of the heating utility attack, Dragos says that the FrostyGoop malware was used to target ENCO control devices—Modbus-enabled industrial monitoring tools sold by the Lithuanian firm Axis Industries—and change their temperature outputs to turn off the flow of hot water. Dragos says that the hackers had actually gained access to the network months before the attack, in April 2023, by exploiting a vulnerable MikroTik router as an entry point. They then set up their own VPN connection into the network, which connected back to IP addresses in Moscow.
Despite that Russia connection, Dragos says it hasn’t tied the heating utility intrusion to any known hacker group it tracks. Dragos noted in particular that it hasn’t, for instance, tied the hacking to the usual suspects such as Kamacite or Electrum, Dragos’ own internal names for groups more widely referred to collectively as Sandworm, a notorious unit of Russia’s military intelligence agency, the GRU.
Dragos found that, while the hackers used their breach of the heating utility’s network to send FrostyGoop’s Modbus commands that targeted the ENCO devices and crippled the utility’s service, the malware appears to have been hosted on the hackers’ own computer, not on the victim’s network. That means simple antivirus alone, rather than network monitoring and segmentation to protect vulnerable Modbus devices, likely won’t prevent future use of the tool, warns Dragos analyst Mark “Magpie” Graham. “The fact that it can interact with devices remotely means it doesn’t necessarily need to be deployed to a target environment,” Graham says. “You may potentially never see it in the environment, only its effects.”
While the ENCO devices in the Lviv heating utility were targeted from within the network, Dragos also warns that the earlier version of FrostyGoop it found was configured to target an ENCO device that was instead publicly accessible over the open internet. In its own scans, Dragos says it found at least 40 such ENCO devices that were similarly left vulnerable online. The company warns that there may in fact be tens of thousands of other Modbus-enabled devices connected to the internet that could potentially be targeted in the same way. “We think that FrostyGoop would be able to interact with a huge number of these devices, and we’re in the process of conducting research to verify which devices would indeed be vulnerable,” Graham says.
While Dragos hasn’t officially linked the Lviv attack to the Russian government, Graham himself doesn’t shy away from describing the attack as a part of Russia’s war against the country—a war that has brutally decimated Ukrainian critical infrastructure with bombs since 2022 and with cyberattacks starting far earlier, since 2014. He argues that the digital targeting of heating infrastructure in the midst of Ukraine’s winter may actually be a sign that Ukrainians’ increasing ability to shoot down Russian missiles has pushed Russia back to hacking-based sabotage, particularly in western Ukraine. “Cyber may actually be more efficient or likely to be successful towards a city over there, while kinetic weapons are maybe still successful at a closer range,” Graham says. “They’re trying to use the full spectrum, the full gamut of available tools in the armory.”
Even as those tools evolve, though, Graham describes the hackers’ goals in terms that have changed little in Russia’s decade-long history of terrorizing its neighbor: psychological warfare aimed at undermining Ukraine’s will to resist. “This is how you chip away at the will of the people,” says Graham. “It wasn’t aimed at disrupting the heating for all of winter. But enough to make people to think, is this the right move? Do we continue to fight?”
