By Emmanuel Ogbodo
Over the past decade, Russia has tested various methods to attack Ukraine’s civilians, using both physical and digital means. Winter has often been a key part of this strategy, with cyberattacks on electric utilities leading to blackouts and relentless bombing of heating infrastructure. Last January, Russia-linked hackers adopted a new tactic to leave Ukrainians shivering: a piece of malware that directly interfered with a Ukrainian heating utility, cutting off heat and hot water to hundreds of buildings during a severe winter freeze.
On Tuesday, industrial cybersecurity firm Dragos unveiled FrostyGoop, a newly discovered malware sample believed to have been used in a late January cyberattack against a heating utility in Lviv, Ukraine. The attack disabled service to 600 buildings for about 48 hours by altering temperature readings and tricking control systems into cooling the hot water in the buildings’ pipes. This incident marks the first confirmed case of hackers directly sabotaging a heating utility.
Dragos reports that the attack occurred during Lviv’s typical January cold spell, forcing residents to endure sub-zero temperatures. Dragos analyst Kyle O’Meara bluntly describes the attack as “a shitty thing” to do in the middle of winter.
The FrostyGoop malware, one of fewer than ten known samples designed to interact with industrial control systems, is unique in its use of Modbus, a common but insecure protocol for industrial communication. Dragos discovered the malware in April, likely uploaded to a malware scanning service for testing. Collaborating with Ukraine’s Cyber Security Situation Center, Dragos linked the malware to the January 22 attack on Lviv’s heating utility.
Though Dragos has not confirmed the utility’s name, the attack closely aligns with reports of a heating outage at Lvivteploenergo, affecting nearly 100,000 people. The utility’s outage was initially described as a “malfunction,” but later acknowledged as a “hacker attack.”
Dragos explains that FrostyGoop targeted ENCO control devices—Modbus-enabled tools from Axis Industries—by altering their temperature outputs to stop hot water flow. Hackers accessed the network months prior through a vulnerable MikroTik router, establishing a VPN connection to IP addresses in Moscow.
Despite the connection to Russia, Dragos has not linked the attack to any known hacker group, such as Kamacite or Electrum, associated with Russia’s GRU. The malware appears to have been hosted on the hackers’ own computers rather than the victim’s network, meaning traditional antivirus alone may not detect it. Dragos warns that FrostyGoop’s ability to interact with devices remotely means it may not always be visible in the target environment.
Dragos also found an earlier version of FrostyGoop targeting an ENCO device accessible over the open internet. They identified at least 40 such vulnerable devices and suspect tens of thousands of other Modbus-enabled devices online could be similarly targeted.
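The three technical threads above (Modbus as the protocol the malware spoke, temperature setpoints being altered by writes to the controllers, and Modbus devices reachable from outside the plant network) point to one detection a defender can build without any vendor tooling: decode Modbus/TCP traffic on the OT network and alert on every write request that does not come from an approved engineering workstation or HMI. The following script is an added example written for this article; it is not Dragos's code, not FrostyGoop, and not based on any ENCO device detail. The frame layout follows the public Modbus/TCP specification (7-byte MBAP header plus PDU); the IP addresses, flows and register numbers are constructed sample values, and the allow-list of writers is an assumed site policy.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Modbus function codes that change device state (coils or holding registers).
# Modbus carries no authentication, so the only real control is *which host* may send these.
WRITE_FUNCTION_CODES: Dict[int, str] = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int] = None      # first coil/register touched, when decodable
    quantity: Optional[int] = None           # number of items read or written
    values: List[int] = field(default_factory=list)  # register values written (FC 6 / FC 16)


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError("protocol id is not 0, so this is not Modbus/TCP")
    # The MBAP length counts everything after the length field (unit id + PDU).
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = payload[7]
    data = payload[8:]
    frame = ModbusFrame(transaction_id, unit_id, function_code)

    if function_code in (1, 2, 3, 4, 5, 6) and len(data) >= 4:
        # Reads carry (start address, quantity); single writes carry (address, value).
        frame.start_address, word = struct.unpack(">HH", data[:4])
        if function_code in (5, 6):
            frame.quantity, frame.values = 1, [word]
        else:
            frame.quantity = word
    elif function_code == 16 and len(data) >= 5:
        frame.start_address, frame.quantity, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != 2 * frame.quantity or len(data) != 5 + byte_count:
            raise ValueError("FC16 byte count inconsistent with register quantity")
        frame.values = list(struct.unpack(">%dH" % frame.quantity, data[5:5 + byte_count]))
    return frame


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    payload: bytes


def find_unauthorised_writes(flows: List[Flow], allowed_writers: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) for each write request from a host outside the allow-list.
    Frames that fail to parse are reported too: a malformed payload on the Modbus port is itself a signal."""
    alerts: List[Tuple[str, str, str]] = []
    for flow in flows:
        try:
            frame = parse_modbus_tcp(flow.payload)
        except ValueError as exc:
            alerts.append((flow.src_ip, flow.dst_ip, "malformed frame: %s" % exc))
            continue
        name = WRITE_FUNCTION_CODES.get(frame.function_code)
        if name and flow.src_ip not in allowed_writers:
            alerts.append((flow.src_ip, flow.dst_ip,
                           "%s (FC %d) to unit %d at address %s from non-allow-listed host"
                           % (name, frame.function_code, frame.unit_id, frame.start_address)))
    return alerts


# Constructed sample traffic (not a real capture): an HMI at 10.0.0.5 reading and writing
# legitimately, and a host in the 203.0.113.0/24 documentation range writing to the same controller.
HMI = "10.0.0.5"
CONTROLLER = "10.0.1.20"
SAMPLE_FLOWS = [
    Flow(HMI, CONTROLLER, bytes.fromhex("000100000006 01 03 0000 0002")),   # FC3: read 2 holding registers
    Flow(HMI, CONTROLLER, bytes.fromhex("000200000006 01 06 0010 0041")),   # FC6: write register 0x10 = 65
    Flow("203.0.113.7", CONTROLLER,
         bytes.fromhex("00030000000b 01 10 0010 0002 04 0000 0000")),       # FC16: write two registers to 0
]


def demo() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed flows with the HMI as the only approved writer."""
    return find_unauthorised_writes(SAMPLE_FLOWS, allowed_writers={HMI})


if __name__ == "__main__":
    for src, dst, reason in demo():
        print("ALERT %s -> %s: %s" % (src, dst, reason))
```

Only the third flow produces an alert: the HMI's read and its single-register write are on the allow-list, while the external host's multi-register write is not. In practice the flows would come from a span port or a Zeek/pcap feed rather than an inline list, and the allow-list should be as small as the plant's engineering process permits; a write from any other address, whatever value it carries, is the event to investigate.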
While Dragos hasn’t officially connected the Lviv attack to the Russian government, Graham views it as part of Russia’s broader campaign against Ukraine. He suggests that as Ukrainian defences against Russian missiles improve, Russia may increasingly rely on cyber sabotage. “Cyber may be more effective in certain situations while kinetic weapons remain useful closer to the front lines,” Graham notes. The goal remains psychological warfare aimed at eroding Ukraine’s resolve. “This is how you chip away at the will of the people,” Graham says. “It’s not about disrupting heat for the entire winter but making people question their resistance.”