Two new malware variants specifically designed to disrupt critical industrial processes were set loose on operational technology networks last year, shutting off heat to more than 600 apartment buildings in one instance and jamming communications to gas, water, and sewage network sensors in the other.
Up until the discovery of these two, dubbed Fuxnet and FrostyGoop and both used in the Russia-Ukraine war, there were only seven known industrial control system (ICS) malware variants in existence.
ICS-specific malware remains rare, and that’s because attackers generally don’t need to write code to disrupt industrial systems. It’s much easier to target operational technology (OT) devices with botnets and other generic malware — or simply abuse the native functionality of these industrial systems’ environments.
“In other words: if an electric system operator can open up a circuit breaker and de-energize a substation, so can an adversary using native functionality,” according to Dragos CEO and co-founder Robert M Lee. “So when malware comes around, it’s a pretty big deal, because there’s only been seven of them in the history of ICS that we’ve been able to find.”
Dragos specializes in OT cybersecurity, and Lee was speaking to reporters about his company’s annual year in review report. It turns out that 2024 was notable for several reasons, and most of them fall on the anxiety-inducing end of the security spectrum.
Ransomware, for example, skyrocketed among ICS orgs, increasing 87 percent year-on-year for a total of 1,693 infections in 2024. Of these, 25 percent involved a full shutdown while 75 percent disrupted operations to some degree.
The real numbers, however, are likely much higher, Lee said, noting that OT attacks are chronically under-reported.
While ransomware continues to plague companies across sectors, these new ICS-specific malware variants are troubling to security analysts in that they are unique — and, once developed and abused by governments or common criminals, more likely to multiply.
Fuxnet and FrostyGoop
Dragos spotted both attacks in April. In one of these, a pro-Ukraine hacktivist crew BlackJack claimed to compromise Moskollektor, a Moscow municipal organization that maintains the government’s communication system for a gas, water, and sewage network.
After compromising routers and sensor gateways, likely using default credentials, BlackJack deployed Fuxnet malware. We should note that Dragos’ assertion that Fuxnet is the eighth known ICS malware carries an asterisk: it is still pending validation.
BlackJack claimed that the Fuxnet attack disabled thousands of devices, blocking all communications to the industrial sensors.
Dragos’ analysis of the malware revealed two components: a sensor gateway destructor composed of generic Linux wiper malware and a Meter-bus DOS component. Meter-bus is a European standard protocol for reading sensor data from water, gas, and electricity meters, and this ICS-specific component of the malware overwhelms sensors by sending many Meter-bus requests over a serial connection.
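The Meter-bus component described above is a request flood over a serial link, so the defender-side signal is volume, not content: a gateway that normally polls a handful of meters every few seconds suddenly emits hundreds of requests per second. The sliding-window detector below is an added example, not code from the Dragos report or from Fuxnet itself. It assumes a constructed gateway log format (timestamp, gateway name, serial port, M-Bus primary address per request), which is a hypothetical layout rather than any vendor's real format, and it builds its own sample: one gateway polling normally and a second one producing a burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Moskollektor data). Each line records one M-Bus
# request a sensor gateway placed on a serial bus: "<iso timestamp> <gateway> <port> addr=<n>".
def build_sample_log():
    lines = []
    base = datetime(2024, 4, 9, 3, 12, 0)
    for i in range(8):  # gw01 polls three meters, one request every 15 s: benign
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} gw01 ttyS1 addr={5 + i % 3}")
    burst = datetime(2024, 4, 9, 3, 13, 0)
    for i in range(120):  # gw02 fires 120 requests inside one second: flood
        ts = burst + timedelta(milliseconds=8 * i)
        lines.append(f"{ts.isoformat()} gw02 ttyS1 addr={i % 250}")
    return lines  # per-gateway order is chronological, which the detector relies on


def parse_line(line):
    """Split one log line into (timestamp, gateway, port, primary address)."""
    ts, gateway, port, addr = line.split()
    return datetime.fromisoformat(ts), gateway, port, int(addr.split("=", 1)[1])


def detect_floods(lines, window_seconds=1.0, max_requests=20):
    """Flag any (gateway, port) whose request count inside a sliding window exceeds max_requests.

    Returns one record per offending serial link with the peak count seen and when it occurred.
    The threshold is a placeholder; a real deployment would derive it from the site's poll cycle.
    """
    windows = defaultdict(deque)  # (gateway, port) -> timestamps inside the current window
    peaks = {}                    # (gateway, port) -> (peak count, timestamp at the peak)
    for line in lines:
        ts, gateway, port, _addr = parse_line(line)
        key = (gateway, port)
        recent = windows[key]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) > max_requests and (key not in peaks or len(recent) > peaks[key][0]):
            peaks[key] = (len(recent), ts)
    return [
        {"gateway": g, "port": p, "peak_requests": n, "window_end": t.isoformat()}
        for (g, p), (n, t) in peaks.items()
    ]


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(f"M-Bus flood on {alert['gateway']}/{alert['port']}: "
              f"{alert['peak_requests']} requests in 1 s ending {alert['window_end']}")
```

Because the wiper component destroys the gateway itself, the log source has to be something the gateway cannot erase, such as a serial tap or the gateway forwarding request counts to a collector; the detector is only as good as the survivability of its input.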
After the Moskollektor attack, the hacktivists also bragged about stealing organizational data, defacing social media accounts, accessing the emergency service number 112, and factory-resetting devices and workstations.
This should be taken with a grain of salt. The Dragos report says while it’s “likely that disruption to the industrial sensors and sensor gateways did occur… the extent of the disruption was not as significant as BlackJack claimed.”
And while Fuxnet malware appears to have been “highly tailored” to Moskollektor and “unlikely to be used against another industrial environment without significant changes to the codebase,” this doesn’t mean it’s irrelevant to critical infrastructure operators in other settings and geographic locations.
Fuxnet, according to Lee, “revealed tradecraft or knowledge about how to target other sites that other actors can pick up and start using.”
Industrial control system malware “is a very escalatory and proliferation style of malware — much more than IT malware,” Lee added. “The more we see state and non-state actors using industrial control system malware and developing industrial control system malware, the more we should expect to see that proliferation.”
The ninth-known ICS software nasty is one more people will have heard of. It’s called FrostyGoop. Dragos spotted it in April 2024, but said the attack began in late January 2024 and targeted temperature controllers of a municipal district energy company in Lviv, Ukraine, that supplied central heating to more than 600 apartment buildings.
“And you’ve got thousands of folks in sub-zero temperatures in January — it’s just a very scary thing for civilians,” Lee said. “It’s a very unfortunate, and honestly kind of cruel thing to do. It accomplished no real military objectives. It’s just hitting civilians.”
Plus, in addition to potentially killing people from lack of heat, FrostyGoop is the first-ever malware to use the Modbus protocol to send commands, including specifying targets, and also read and write data to ICS devices.
This is scary in that Modbus is a very commonly used protocol, and now that one group of miscreants has shown how it can be used to cause real-world harm, others have a blueprint to follow.
“Almost every industrial operation on the planet uses Modbus,” Lee said. “It’s not that we didn’t know or imagine or do research on how to use Modbus like that. The important part is somebody finally did it, and showed a way to do it in an attack. That normalizes it and shares that knowledge for other adversaries to pick it up and leverage it as well.”
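Because Modbus carries no authentication, the realistic control is to know which hosts are allowed to write to which controllers and alert on everything else. The monitor below is an added example written for this article, not code from Dragos, FrostyGoop or any vendor. It assumes Modbus/TCP framing (7-byte MBAP header followed by the PDU), which the article does not specify, and the packet tuples, IP addresses and allow list are all constructed for the demonstration.

```python
import struct

# Function codes that change controller state. Reads (1-4) are ignored here; a fuller
# monitor would baseline those as well, since reconnaissance precedes writes.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP ADU into MBAP header fields and PDU.

    MBAP (7 bytes, big-endian): transaction id (2), protocol id (2, always 0),
    length (2, counts unit id + PDU), unit id (1). The PDU begins with the function code.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for an MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def describe_write(function: int, data: bytes) -> str:
    """Human-readable target of a write request: start address plus value or item count."""
    if len(data) < 4:
        return f"{WRITE_FUNCTION_CODES[function]} with truncated payload"
    start, second = struct.unpack(">HH", data[:4])
    if function in (15, 16):
        return f"{WRITE_FUNCTION_CODES[function]} starting at {start:#06x}, {second} items"
    return f"{WRITE_FUNCTION_CODES[function]} at {start:#06x} value {second:#06x}"


def audit_writes(packets, allowed_writers):
    """Return one alert per write request from a host not on the destination PLC's allow list.

    packets: iterable of (src_ip, dst_ip, raw_frame). allowed_writers: {plc_ip: {writer_ip, ...}}.
    Malformed frames are reported too, since a parser that silently drops them is a blind spot.
    """
    alerts = []
    for src, dst, frame in packets:
        try:
            adu = parse_mbap(frame)
        except ValueError as err:
            alerts.append({"src": src, "dst": dst, "unit": None, "function": None,
                           "reason": f"malformed frame: {err}"})
            continue
        fc = adu["function"]
        if fc not in WRITE_FUNCTION_CODES or src in allowed_writers.get(dst, set()):
            continue
        alerts.append({"src": src, "dst": dst, "unit": adu["unit"], "function": fc,
                       "reason": f"unauthorised {describe_write(fc, adu['data'])}"})
    return alerts


# Constructed sample traffic to one controller at 10.0.1.20 (hypothetical addresses).
ALLOWED_WRITERS = {"10.0.1.20": {"10.0.0.5"}}  # only the engineering workstation may write
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("000100000006010300000002")),        # read 2 holding regs
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("000200000006010600100041")),        # allowed write
    ("192.168.77.9", "10.0.1.20", bytes.fromhex("000300000009011000000001020000")),  # rogue write
    ("192.168.77.9", "10.0.1.20", bytes.fromhex("0004000000ff0105")),            # bad length field
]

if __name__ == "__main__":
    for alert in audit_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(f"{alert['src']} -> {alert['dst']} unit {alert['unit']}: {alert['reason']}")
```

Only the third and fourth packets produce alerts: the workstation's read and write are expected, while the write from the unlisted host is named by function and target register. The allow list is the whole control, so keep it under change management alongside the PLC program itself.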
Plus new threat groups targeting ICS
In addition to the two new ICS malware variants, Dragos also designated two new threat groups. The first, Bauxite, it says has attacked multiple critical infrastructure sectors in the US, Europe, Australia, and West Asia since 2023. This one, we’re told, shares “substantial technical overlaps” with pro-Iran hacktivist crew CyberAv3ngers, which the US government has linked to the Iranian Revolutionary Guard Corps.
The FBI and other federal agencies previously blamed CyberAv3ngers for “multiple” attacks against Unitronics PLCs used in American water and other critical infrastructure systems.
“Through 2025, Bauxite is expected to enhance its capabilities and attempt to conduct disruptive operations against OT/ICS entities globally,” the report warns.
The second new group, Graphite, has also been active since 2023 and used “near-constant spear-phishing operations” to send weaponized emails and custom script-based malware that exploited CVE-2023-23397, a Microsoft Outlook elevation of privilege flaw, and CVE-2023-38831, a WinRAR flaw that allows arbitrary code execution.
Dragos notes that this group has “strong technical overlaps” with the Kremlin’s Fancy Bear (aka APT28), and The Register previously reported on this cyber-spy group abusing CVE-2023-23397 and CVE-2023-38831 for large-scale phishing campaigns against high-value targets including government, defense, and aerospace agencies in the US and Europe.
Specific to ICS orgs, Dragos says it spotted a Graphite phishing campaign in early 2023 that targeted hydroelectric generation facilities across Eastern Europe and West Asia and exploited a no-click flaw in Microsoft Outlook to steal Windows authentication data.
Nation-state groups, criminals overlap
Lee also noted a trend that has been highlighted by other security analysts in recent reports, and that’s the increasingly blurred lines between nation-state cyberspies and financially motivated cybercriminals.
“There’s always been rumors,” he said, but in “the world of OT, you have almost no examples.”
This year, however, “we were able to show and confirm that there’s some pretty strong links between state and non-state actors,” Lee said, pointing to the connection between Russia’s GRU cybercrew Sandworm and the hacktivist persona CyberArmyofRussia_Reborn: Sandworm has been blamed for cyberattacks on US and European water plants carried out under that guise.
“The reason this is so incredibly important,” according to Lee, is that government-backed groups “tend to be a little more focused in their attacks. They’ll create malware. They’ll show new ways to disrupt infrastructure. They’re low frequency, high consequence attacks. They don’t happen as often as IT attacks, but when they do, they’re very consequential.”
Criminals and hacktivists, on the other hand, are more opportunistic, “hitting anybody, anywhere they can,” Lee said.
The top concern coming from government officials and critical infrastructure owners and operators is that government attackers are sharing knowledge and capabilities with criminal groups, which previously haven’t had the technical capabilities to target industrial control systems.
“And then you will start to see those lower frequency, high consequence attacks become higher frequency, high consequence attacks,” Lee said. “That’s something, candidly speaking, most communities [are] simply not prepared for.”