Lvivteploenergo did not respond to WIRED’s request for comment, nor did the SBU. Ukraine’s cybersecurity agency, the State Services for Special Protection of Communications and Information, declined to comment.
In his analysis of the heating network attack, Dragos claims that the FrostyGoop malware was used to target ENCO control devices (Modbus-enabled industrial monitoring tools sold by Lithuanian company Axis Industries) and change their temperature outputs to turn off the flow of hot water. Dragos claims that the hackers had gained access to the network months before the attack, in April 2023, by exploiting a vulnerable MikroTik router as an entry point. They then set up their own VPN connection to the network, which connected to IP addresses in Moscow.
Despite that connection to Russia, Dragos says he has not linked the heating network intrusion to any known hacking groups he is tracking. Dragos noted in particular that he has not, for example, linked the attack to the usual suspects, such as Kamacite or Electrum — the internal names Dragos himself gives to groups collectively referred to as Sandworm, a notorious unit of the Russian military intelligence agency, the GRU.
Dragos found that while the hackers used their breach of the heating company’s network to send FrostyGoop Modbus commands that targeted ENCO devices and crippled the company’s service, the malware appears to have been hosted on the hackers’ own computer, not the victim’s network. That means simple antivirus alone — rather than network monitoring and segmentation to protect vulnerable Modbus devices — likely won’t prevent future use of the tool, warns Dragos analyst Mark “Magpie” Graham. “The fact that it can interact with devices remotely means it doesn’t necessarily need to be deployed in a target environment,” Graham says. “You might never see it in the environment, just its effects.”
While the Lviv heating company’s ENCO devices were attacked from within the network, Dragos also warns that the earlier version of FrostyGoop he found was configured to attack an ENCO device that was instead publicly accessible over the Internet. In his own analyses, Dragos claims to have found at least 40 such ENCO devices that were left similarly vulnerable on the Internet. The company warns that there may in fact be tens of thousands of other Modbus-enabled devices connected to the Internet that could be attacked in the same way. “We believe FrostyGoop could interact with a large number of these devices, and we are in the process of conducting research to verify which devices would actually be vulnerable,” Graham says.
While Dragos has not officially linked the Lviv attack to the Russian government, Graham himself does not refrain from describing the attack as part of Russia’s war on the country, a war that has brutally decimated critical Ukrainian infrastructure with bombs since 2022 and with cyberattacks that began much earlier, as far back as 2014. He argues that the digital attack on heating infrastructure in the middle of the Ukrainian winter may actually be a sign that the Ukrainians’ growing ability to shoot down Russian missiles has caused Russia to once again turn to hacking-based sabotage, especially in western Ukraine. “It’s actually possible that cyberattack is more efficient or more likely to succeed in a city there, whereas kinetic weapons are perhaps still successful at closer range,” Graham says. “They’re trying to use the full spectrum, the full range of tools available in the arsenal.”
Yet even as those tools evolve, Graham describes the hackers’ goals in terms that have changed little in the decade Russia has been terrorizing its neighbor: psychological warfare aimed at undermining Ukraine’s will to resist. “This is how you undermine the will of the people,” Graham says. “It wasn’t meant to shut off heat for the entire winter, but it was meant to shut off enough to make people wonder: Is this the right move? Are we still fighting?”