FrostyGoop Incident

FrostyGoop Incident took place in January 2024 against a municipal district heating company in Ukraine. Following initial access, likely via exploitation of external-facing services, FrostyGoop was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.[1][2]

ID: C0041
First Seen: January 2024 [1]
Last Seen: January 2024 [1]
Version: 1.0
Created: 20 November 2024
Last Modified: 05 March 2025

Techniques Used

Domain | ID | Name | Use
ICS | T0826 | Loss of Availability | During FrostyGoop Incident, the adversary modified victim control system parameters resulting in the loss of heating services to impacted district heating customers.[1]
ICS | T0829 | Loss of View | During FrostyGoop Incident, the adversary initiated a firmware downgrade on victim devices to a version lacking monitoring.[1]
ICS | T0836 | Modify Parameter | In FrostyGoop Incident, the adversary caused the victim controllers to report incorrect measurements by modifying parameters.[1]
ICS | T0857 | System Firmware | During FrostyGoop Incident, the adversary initiated a firmware downgrade on impacted devices.[1]

Software

ID | Name | Description
S1165 | FrostyGoop | FrostyGoop Incident used FrostyGoop to manipulate OT devices to induce a district heating disruption in Ukraine.[1]

References