Cyberattack Freezes Lviv: FrostyGoop Malware Shuts Down Heating for 600 Buildings Amid Russia-Ukraine Tensions

July 24, 2024
  • In January 2024, a cyberattack using the FrostyGoop malware targeted an industrial control system at a municipal district energy company in Lviv, Ukraine, causing a two-day heating outage affecting over 600 buildings.

  • The FrostyGoop malware, discovered in April 2024, manipulated ICS devices so that they reported inaccurate measurements, producing a 48-hour heating service disruption in Lviv.

  • The attackers downgraded firmware on ENCO controllers, resulting in cold water being delivered instead of hot water to Lviv residents during the cyberattack.

  • Lviv residents endured freezing temperatures due to the heating outage caused by the cyberattack.

  • The attackers downgraded the controllers' firmware to avoid detection during the FrostyGoop attack.

  • The cyberattack in Lviv is viewed as a form of psychological warfare aimed at weakening Ukraine's resolve in the conflict.

  • The attack on the heating infrastructure in Lviv is seen as part of Russia's ongoing aggression against Ukraine to undermine its will to resist.

  • Russia has been attacking Ukraine through various means, including cyberattacks and physical bombings, over the past decade.

  • Dragos recommends implementing cybersecurity practices like network segmentation, continuous monitoring, secure remote access, risk-based vulnerability management, and strong incident response capabilities to protect ICS environments from similar threats.

  • The lack of network segmentation allowed attackers to disrupt heating for 600 buildings by sending Modbus commands to district heating system controllers in Lviv.

  • More than 46,000 internet-exposed ICS devices are potentially vulnerable to FrostyGoop, prompting ongoing research to assess the extent of vulnerability.

  • Initial access to the energy company's network was likely gained in April 2023 by exploiting MikroTik routers; the ENCO controllers were reachable because TCP port 502 (Modbus) was exposed.

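The last two points describe the detection gap: Modbus write commands reached controllers over TCP port 502 from hosts that should never have been able to talk to them. The following is an added example, not code from the page or from Dragos, showing how a monitoring point inside the OT segment can parse Modbus/TCP frames and alert on writes from hosts outside a constructed allowlist (the subnet, engineering host address and sample frames are all hypothetical values built for the example).

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change controller state (from the public Modbus spec).
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

# Hypothetical site policy, constructed for this example: only hosts in the OT
# segment may speak Modbus at all, and only the engineering workstation may write.
OT_SEGMENT = ip_network("10.20.0.0/24")
WRITE_ALLOWLIST = {ip_address("10.20.0.5")}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Split a Modbus/TCP ADU into its MBAP header fields and PDU function code."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("malformed MBAP header")
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}

def assess(src: str, payload: bytes) -> list:
    """Return the policy violations (if any) for one Modbus/TCP message from src."""
    src_ip = ip_address(src)
    try:
        msg = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"malformed Modbus from {src}: {exc}"]
    findings = []
    if src_ip not in OT_SEGMENT:
        findings.append(f"Modbus/TCP from outside the OT segment: {src}")
    if msg["function"] in WRITE_FUNCTIONS and src_ip not in WRITE_ALLOWLIST:
        findings.append(f"{WRITE_FUNCTIONS[msg['function']]} to unit {msg['unit']} "
                        f"from non-allowlisted host {src}")
    return findings

# Constructed sample traffic (not captured data): a read from the HMI, a write
# from the engineering host, and a write arriving from an internet address.
SAMPLE_TRAFFIC = [
    ("10.20.0.7", bytes.fromhex("000100000006010300000002")),             # fc 0x03 read
    ("10.20.0.5", bytes.fromhex("000200000006010600100001")),             # fc 0x06 write
    ("198.51.100.23", bytes.fromhex("000300000009011000100001020000")),   # fc 0x10 write
]
def audit(traffic) -> list:
    # Run every message through assess() and collect the alerts.
    return [f for src, payload in traffic for f in assess(src, payload)]
if __name__ == "__main__":
    for alert in audit(SAMPLE_TRAFFIC):
        print("ALERT:", alert)
```

The third sample frame raises two alerts (outside the segment, and a write from a non-allowlisted host); a segmented network with this check at the boundary would have surfaced the traffic described above before it reached the controllers.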
Summary based on 10 sources

