FrostyGoop is a Windows-based binary written in Golang that allows for interaction with industrial control system (ICS) equipment via Modbus TCP over port 502. FrostyGoop allows for reading and writing data to holding registers on targeted devices, manipulating the operation of systems for malicious purposes. FrostyGoop is associated with the FrostyGoop Incident in Ukraine.[1][2]
Name | Description |
---|---|
BUSTLEBERM | |
Domain | ID | Name | Use |
---|---|---|---|
ICS | T0807 | Command-Line Interface | FrostyGoop is compiled for Windows systems and leverages a Windows-based command line interface.[1] Modbus interaction functionality is based on a publicly available GitHub repository for command line input.[2] |
ICS | T0885 | Commonly Used Port | FrostyGoop communicates using the Modbus protocol over the standard port of TCP 502.[1] |
ICS | T0836 | Modify Parameter | FrostyGoop allows for the modification of system settings by reading and writing to registers via Modbus commands.[1][2] |
ICS | T0801 | Monitor Process State | FrostyGoop can read data from holding registers via Modbus communication.[1] |
ICS | T0869 | Standard Application Layer Protocol | FrostyGoop utilizes the Modbus protocol for transmitting commands to victim devices.[1] |
ID | Name | Description |
---|---|---|
C0041 | FrostyGoop Incident | FrostyGoop Incident used FrostyGoop to manipulate OT devices to induce a district heating disruption in Ukraine.[1] |
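
The holding-register reads and writes over Modbus TCP described above can be reviewed on the defender's side by decoding request frames and flagging register writes from hosts that are not expected to issue them. The following is an added example, not code from the original page or from FrostyGoop; the sample frames, the documentation-range addresses and the `allowed_writers` allowlist are constructed assumptions.

```python
import struct

# Modbus function codes that touch holding registers (Modbus application protocol).
READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE = 0x03, 0x06, 0x10

def parse_request(adu: bytes):
    """Parse a Modbus TCP request ADU; return a dict, or None if malformed."""
    if len(adu) < 8:                      # 7-byte MBAP header + function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    # Protocol id is always 0 for Modbus; length counts unit id + PDU.
    if proto != 0 or length != len(adu) - 6:
        return None
    func, data = adu[7], adu[8:]
    rec = {"tid": tid, "unit": unit, "func": func, "op": "other"}
    if func in (READ_HOLDING, WRITE_SINGLE) and len(data) == 4:
        addr, val = struct.unpack(">HH", data)
        if func == READ_HOLDING:
            rec.update(op="read", addr=addr, count=val)
        else:
            rec.update(op="write", addr=addr, count=1, values=[val])
    elif func == WRITE_MULTIPLE and len(data) >= 5:
        addr, count, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * count or len(data) != 5 + nbytes:
            return None                   # byte count disagrees with payload
        rec.update(op="write", addr=addr, count=count,
                   values=list(struct.unpack(f">{count}H", data[5:])))
    return rec

def review(frames, allowed_writers):
    """Return alerts for malformed frames and writes from unexpected sources."""
    alerts = []
    for src, adu in frames:
        rec = parse_request(adu)
        if rec is None:
            alerts.append((src, "malformed Modbus TCP frame"))
        elif rec["op"] == "write" and src not in allowed_writers:
            alerts.append((src, f"write unit={rec['unit']} addr={rec['addr']} values={rec['values']}"))
    return alerts

# Constructed sample traffic to TCP 502 (hypothetical hosts, not incident data).
SAMPLE = [
    ("192.0.2.10", bytes.fromhex("000100000006010300000002")),    # read 2 registers
    ("192.0.2.10", bytes.fromhex("00020000000601060010012c")),    # write from allowed host
    ("198.51.100.7", bytes.fromhex("00030000000b01100020000204000a0014")),  # write multiple
    ("198.51.100.7", bytes.fromhex("0004000100060103000000")),    # bad protocol id
]

if __name__ == "__main__":
    print(*review(SAMPLE, allowed_writers={"192.0.2.10"}), sep="\n")
```

Reads are parsed but not alerted on here; in an environment where only known hosts should poll registers, the same allowlist check can be applied to `op == "read"`.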