Lvivteploenergo did not respond to WIRED’s request for comment, nor did the SBU. Ukraine’s cybersecurity agency, the State Service for Special Protection of Communications and Information, declined to comment.
In his analysis of the attack on the heating utility, Dragos explains that the FrostyGoop malware was used to target ENCO control devices (Modbus-enabled industrial monitoring tools sold by Lithuanian company Axis Industries) and modify their temperature outputs to cut off the flow of hot water. Dragos explains that the hackers had actually gained access to the network months before the attack, in April 2023, by exploiting a vulnerable MikroTik router as an entry point. They then established their own VPN connection to the network, which connected to Moscow IP addresses.
Despite the Russian connection, Dragos said he has not linked the heating network breach to any known hacking group he tracks. Dragos noted that he has not, for example, linked the hack to the usual suspects such as Kamacite or Electrum, Dragos’ internal names for groups more broadly referred to collectively as Sandworma notorious unit of Russia’s military intelligence agency, the GRU.
Dragos found that while the hackers took advantage of their breach of the heating company’s network to send FrostyGoop Modbus commands that targeted ENCO devices and crippled the company’s service, the malware appears to have been hosted on the hackers’ computer, not the victim’s network. That means simple antivirus alone, rather than network monitoring and segmentation to protect vulnerable Modbus devices, is unlikely to prevent the tool’s future use, warns Dragos analyst Mark “Magpie” Graham. “The fact that it can interact with devices remotely means it doesn’t necessarily need to be deployed in a target environment,” Graham says. “You may never see it in the environment, just its effects.”
While the Lviv heating company’s ENCO devices were targeted from the network, Dragos also warns that the earlier version of FrostyGoop it found was configured to target an ENCO device that was actually publicly accessible on the internet. In its own analysis, Dragos says it found at least 40 of these ENCO devices that were also made vulnerable online. The company warns that there could actually be tens of thousands of other Modbus-enabled devices connected to the internet that could potentially be targeted in the same way. “We believe that FrostyGoop would be able to interact with many of these devices, and we are currently conducting research to verify which devices would actually be vulnerable,” Graham says.
While Dragos has not officially linked the Lviv attack to the Russian government, Graham himself is quick to describe the attack as part of Russia’s war on the country — a war that has brutally decimated critical Ukrainian infrastructure with bombs since 2022 and with cyberattacks that began much earlier, since 2014. He argues that the digital targeting of heating infrastructure in the dead of the Ukrainian winter may actually be a sign that the Ukrainians’ growing ability to shoot down Russian missiles has pushed Russia back to hacking sabotage, particularly in western Ukraine. “Cyberattacks may actually be more effective or more likely to succeed against a city there, whereas kinetic weapons may still be effective at closer range,” Graham says. “They’re trying to use the full spectrum, the full range of tools that are available in the arsenal.”
Even as these tools evolve, Graham describes the hackers’ goals in terms that have hardly changed since Russia’s decade-long terrorizing of its neighbor: psychological warfare aimed at undermining Ukraine’s will to resist. “This is how you undermine the will of the people,” Graham says. “The goal wasn’t to disrupt the heat all winter. But enough to make people wonder if this is the right thing to do and if we should keep fighting.”