On August 23, OPSWAT participated in the VISD (Vietnam Information Security Day) 2024 conference, hosted by the VNISA (Vietnam Information Security Association) in Ho Chi Minh City. The event drew over 1,000 attendees, including industry professionals from sectors such as healthcare, banking, finance, energy, transportation, nuclear, defense, and other critical infrastructure industries.
Securing Critical Infrastructure: Lessons from the Recent FrostyGoop Malware Attack
During the keynote conference, Mr. Cuong La, Vice President of R&D and General Director of OPSWAT Vietnam, discussed the FrostyGoop attack, a recent operational technology (OT) breach in Ukraine, as a case study. Mr. Cuong analyzed the attack and introduced solutions to counter it and similar OT network attacks.
The FrostyGoop cyberattack, taking place in April 2024, was a significant event in the field of industrial cybersecurity. This malware targeted an energy facility in western Ukraine, leaving 600 households without heat for two days during freezing temperatures. Designed to infiltrate ICS (Industrial Control Systems) and OT environments, the malware poses a serious threat to critical infrastructure.
FrostyGoop exploits the Modbus protocol, a widely used standard in ICS, to interact with and disrupt operations. Hackers send malicious Modbus commands into control systems, causing malfunctions and system failures. This incident has raised alarms in the cybersecurity community, highlighting vulnerabilities in ICS environments, particularly those lacking proper segmentation or monitoring.
Here are the steps carried out by attackers in the FrostyGoop cyberattack:
- Exploit a vulnerability in an externally-facing MikroTik router.
- Deploy a web shell with tunnel access via TOR address.
- Retrieve Security Account Manager (SAM) registry hive.
- Deploy and test FrostyGoop Malware, a Golang binary using JSON configurations.
- Establish connections to Moscow-based IP addresses.
- Send malicious Modbus commands to FrostyGoop.
- Send commands directly to the heating system controllers, reporting false measurements.
- The energy facility temporarily shuts down heating and hot water supply based on faulty measurements.
Mr. Cuong and his team at OPSWAT identified 1,137 Modbus active devices in Vietnam that were detectable on the Internet, of which a significant number were concentrated in Ho Chi Minh City (197 devices) and Hanoi (145 devices). These devices are meant to be shielded and undetectable online, as OT systems are typically isolated from the Internet (air-gapped).
Exposed OT networks are attractive targets for hackers, and the potential damage can be substantial, given that these networks often support critical infrastructure, impacting national security and communities. This finding suggests that many OT systems in Vietnam are inadequately managed and protected, creating security vulnerabilities that can be exploited by attackers.
Through this case study, Mr. Cuong emphasized the urgent need for enhancing IT/OT network security, and continuous monitoring to detect and mitigate similar threats. The FrostyGoop incident serves as an important reminder of why organizations must prioritize cybersecurity investments, especially to protect critical infrastructure.
For best practices, Mr. Cuong outlined 5 cybersecurity control tactics that, when utilized together, create an effective industrial control system (ICS) or OT security program (1):
ICS Incident Response
Develop an operations-informed incident response plan with focused system integrity and recovery capabilities during an attack. Conduct exercises designed to reinforce risk scenarios and use cases tailored to the ICS environment.
Defensible Architecture
Implement architectures that support visibility, log collection, asset identification, segmentation, industrial DMZs, and process-communication enforcement.
ICS Network Visibility Monitoring
Continuously monitor the ICS environment with protocol-aware tools and system interaction analysis capabilities to inform operations of potential risks.
Secure Remote Access
Identify and inventory of all remote access points and allowed destination environments. Utilize on-demand access and multi-factor authentication where possible and employ jump hosts to provide control and monitor access within secure segments.
Risk-Based Vulnerability Management
Assess cyber controls and device operating conditions that aid in risk-based vulnerability management decisions to patch for vulnerabilities, mitigate any impact, or monitor for possible exploitation.
Mr. Cuong also introduced OPSWAT’s comprehensive solutions for protecting critical OT networks, including MetaDefender OT Security, MetaDefender Industrial Firewall, MetaDefender Netwall, My OPSWAT, etc. These solutions protect networks at all levels, helping organizations combat OT network threats like FrostyGoop.
OPSWAT Showcased Our End-to-End Suite of IT/OT Cybersecurity Solutions
At the event's exhibition, OPSWAT also showcased its cybersecurity solutions from IT to OT and demonstrated simulations of cyberattacks targeting nuclear power plants and other critical IT/OT systems. Cybersecurity experts presented OPSWAT’s solutions for successfully defending against these attacks.
Additionally, OPSWAT always welcomes experts, engineers, and cybersecurity students to experience and learn about the company’s security technologies at the Critical Infrastructure Protection Lab (CIP Lab) at our two offices in Vietnam:
- OPSWAT Ho Chi Minh City Office: 17th Floor, Saigon Giai Phong Building, 436-438 Nguyen Thi Minh Khai, Ward 5, District 3, Ho Chi Minh City.
- OPSWAT Hanoi Office: 9th Floor, Lancaster Luminaire Building, 1152-1154 Lang Street, Lang Thuong Ward, Dong Da District, Hanoi.
To register for a CIP Lab experience or if you are interested in learning more about Mr. Cuong La’s presentations at VISD 2024, or have any questions, contact our critical infrastructure cybersecurity experts.
(1) Reference: The Five ICS Cybersecurity Critical Controls Whitepaper - ©2022 SANS Institute https://sansorg.egnyte.com/dl/R0r9qGEhEe
