This post is the third part of our blog series that tackles the Russia-Ukraine war in the digital realm.
# Incident Report: Coordinated Cyber Attacks on Ukrainian and Russian Critical Infrastructure
## Executive Summary
Between April 2023 and January 2025, sophisticated malicious actors, primarily the Russian-aligned APT44 (Sandworm) and various pro-Ukrainian hacktivist groups (CARR, Yellow Drift, UCA, C.A.S.), conducted targeted disruptive and espionage-focused cyberattacks against critical infrastructure in Ukraine, Russia, Poland, and the US. The most severe incident involved APT44 exploiting an unpatched router vulnerability to deploy custom ICS malware ("FrostyGoop") against Ukrainian energy companies, severely impacting heating supplies. Concurrently, hacktivists targeted water, energy, and government procurement IT systems across multiple nations.
## Incident Details
- **Discovery Date:** April 2024 (Notification regarding the Lvivteploenergo event)
- **Incident Date:** Initial intrusion in April 2023; Major impact events in Jan 2024, March 2024, and Jan 2025.
- **Affected Organizations:** Ukraine (Lvivteploenergo, 20+ energy/utility entities); US (2 water utilities, 1 energy company); Poland (4 water utilities); France (1 hydroelectric facility); Russia (Roseltorg, Nodex, AVANPOST).
- **Sector:** Energy, Municipal Utilities (Water/Heat), Technology, Government Procurement.
- **Geography:** Ukraine, United States (Texas), Poland, France, Russia.
## Timeline of Events
### Initial Access
- **Date/Time:** April 17, 2023
- **Vector:** Exploitation of an internet-exposed MikroTik router vulnerability (APT44 targeting Ukraine).
- **Details:** Initial breach of Lvivteploenergo's network, leading to subsequent malware deployment via a shared service provider across multiple targeted entities.
### Lateral Movement
- **Date/Time:** April 20, 2023 (3 days post-initial access)
- **Vector:** Web shell deployed on the compromised network for persistence, followed by movement toward the OT environment.
- **Details:** With the web shell in place, the attackers moved from the IT network toward the control systems; the lack of segmentation between IT and OT meant nothing stood in the way of that pivot.
### Data Exfiltration/Impact
- **Date/Time:** November - December 2023
- **Vector:** Credential theft.
- **Details:** Stole user credentials from the Security Account Manager (SAM) registry hive.
- **Date/Time:** January 2024
- **Vector:** ICS Manipulation using custom malware.
- **Details:** Malicious Modbus commands sent to ENCO controllers at Lvivteploenergo, disrupting heating and hot water supply for 600+ buildings during sub-zero temperatures.
### Detection & Response
- The Lvivteploenergo breach came to light only after the January 2024 outage; the formal notification via the CSSC followed in April 2024.
- Response involved the investigation by CERT-UA, which identified the broader campaign by APT44 against 20 entities.
- Response leveraged industry analysis (Dragos) to understand the novel OT malware, FrostyGoop.
## Attack Methodology
- **Initial Access:** Exploiting Internet-facing vulnerabilities (MikroTik router); Supply chain compromise via shared IT service providers; Compromised employee accounts for ICS maintenance staff.
- **Persistence:** Deployment of a custom web shell.
- **Privilege Escalation:** Not directly observed, but reading the SAM registry hive requires local administrator or SYSTEM rights, so the attackers already held elevated privileges on that host by November 2023.
- **Defense Evasion:** Use of novel Golang malware ("FrostyGoop") for which no antivirus signatures existed at the time; issuing commands over Modbus, the controllers' legitimate protocol, so that the disruptive traffic resembles normal control operations.
- **Credential Access:** Theft of user credentials via registry hive access.
- **Discovery:** Reconnaissance likely conducted over the long access period (April 2023 - Jan 2024).
- **Lateral Movement:** Movement from IT network into Operational Technology (OT) environment due to lack of segmentation.
- **Collection:** Credential theft; Data exfiltration claimed against Roseltorg (550TB) and AVANPOST (60TB).
- **Exfiltration:** Claimed data theft against Roseltorg (backups, emails, certificates).
- **Impact:** Physical disruption of critical services (heating, water, electricity) via manipulation of ICS/SCADA systems. Some attacks potentially involved wiper activity (AVANPOST, Nodex).
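The credential-access step listed above (theft of hashes from the SAM registry hive) can be hunted retrospectively in endpoint command-line telemetry. The following is an added example, not code or data from the report, CERT-UA or Dragos: it runs a small detector over constructed process-creation records (the hostnames, users, paths and timestamps are invented) and rates a host higher when it copies both the SAM and SYSTEM hives within a short window, because offline decryption of SAM needs the boot key held in SYSTEM.

```python
import re
from collections import defaultdict

# Hypothetical endpoint telemetry, one record per process start:
# "epoch|host|user|pid|image|command line". Constructed for this example,
# not taken from the incident.
SAMPLE_LOG = [
    r"1701432000|WS-OT-01|CORP\svc_maint|4120|C:\Windows\System32\reg.exe|reg save hklm\sam C:\Users\Public\sam.hiv",
    r"1701432003|WS-OT-01|CORP\svc_maint|4133|C:\Windows\System32\reg.exe|reg save hklm\system C:\Users\Public\system.hiv",
    r"1701432100|WS-IT-07|CORP\jdoe|5001|C:\Windows\System32\reg.exe|reg query hklm\software\microsoft\windows\currentversion\run",
    r"1701435000|WS-OT-02|CORP\backup|6100|C:\Windows\System32\esentutl.exe|esentutl.exe /y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM /d C:\temp\sam",
]

# Command-line shapes that copy a hive off the box: "reg save/export" of the
# live hive, or a direct read of the hive file (normally through a volume
# shadow copy, since the live file is locked). Matching is case-insensitive.
HIVE_PATTERNS = {
    "SAM": re.compile(
        r"reg(\.exe)?\s+(save|export)\s+hklm\\sam\b|\\system32\\config\\sam\b", re.I),
    "SYSTEM": re.compile(
        r"reg(\.exe)?\s+(save|export)\s+hklm\\system\b|\\system32\\config\\system\b", re.I),
}


def parse_record(line: str) -> dict:
    ts, host, user, pid, image, cmd = line.split("|", 5)
    return {"ts": int(ts), "host": host, "user": user,
            "pid": int(pid), "image": image, "cmd": cmd}


def hunt_hive_dumps(lines=SAMPLE_LOG, window: int = 300) -> list:
    """Return one finding per host that touched the SAM hive.

    Reading SAM already needs local admin/SYSTEM, so any hit deserves a look;
    SAM plus SYSTEM from the same host within `window` seconds is the
    high-confidence signal, since decrypting SAM offline requires the boot
    key stored in the SYSTEM hive."""
    hits = defaultdict(list)  # host -> [(ts, hive, user, cmd)]
    for line in lines:
        rec = parse_record(line)
        for hive, pattern in HIVE_PATTERNS.items():
            if pattern.search(rec["cmd"]):
                hits[rec["host"]].append((rec["ts"], hive, rec["user"], rec["cmd"]))

    findings = []
    for host, events in hits.items():
        sam = [e for e in events if e[1] == "SAM"]
        system = [e for e in events if e[1] == "SYSTEM"]
        if not sam:
            continue  # SYSTEM alone is routine for legitimate backups
        paired = any(abs(s[0] - y[0]) <= window for s in sam for y in system)
        findings.append({
            "host": host,
            "severity": "high" if paired else "medium",
            "hives": sorted({e[1] for e in events}),
            "users": sorted({e[2] for e in events}),
            "commands": [e[3] for e in sorted(events)],
        })
    return findings


if __name__ == "__main__":
    for f in hunt_hive_dumps():
        print(f"[{f['severity'].upper()}] {f['host']} hives={f['hives']} users={f['users']}")
        for cmd in f["commands"]:
            print("    " + cmd)
```

In a real deployment the same patterns would be applied to Sysmon process-creation events or Windows 4688 records; the record format here is a stand-in. The medium-severity hit on the shadow-copy read is deliberately kept, because backup tooling and attackers use the same primitive and the difference is who ran it and whether SYSTEM followed.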
## Impact Assessment
- **Financial:** Not quantified in the source; the utility outages and the scale of the claimed data theft (550TB) point to substantial costs.
- **Data Breach:** Significant data theft claimed against Russian entities by hacktivists (550TB from Roseltorg, proprietary security solutions from AVANPOST).
- **Operational:** Severe disruption to municipal heating in Lviv during winter; Loss of tens of thousands of gallons of water in Texas; Disruption to electricity generation in France; Complete data destruction claimed against AVANPOST and Nodex.
- **Reputational:** High profile nature of attacks against national infrastructure leading up to and coinciding with major physical missile strikes (March 2024).
## Indicators of Compromise
- **Network indicators:** Modbus TCP (port 502) traffic to ENCO controllers from hosts that do not normally issue Modbus commands, such as IT-network workstations rather than the HMI or engineering stations.
- **File indicators:** The FrostyGoop binary (Golang, compiled for Windows); no hash or signature was available at the time of deployment.
- **Behavioral indicators:** Malicious Modbus commands (register writes) to ENCO controllers from unexpected sources; logons with stolen credentials to legacy maintenance accounts used for ICS upkeep.
## Response Actions
- **Containment:** Correlating indicators across the affected entities with CERT-UA allowed the broader APT44 campaign to be scoped and partially contained.
- **Eradication:** Investigation and analysis of the FrostyGoop malware to develop specific countermeasures.
- **Recovery:** Restoration of services in affected areas (e.g., Nodex reported restoring from backups; Lvivteploenergo restored heating to the affected buildings after the January 2024 outage).
## Lessons Learned
- **Supply Chain Risk:** A shared IT service provider is a single point from which many infrastructure entities can be reached at once, and one that the individual entities rarely control or can segment off.
- **IT/OT Segmentation:** Inadequate segmentation between IT and OT networks lets an IT breach pivot rapidly into physical process disruption.
- **Novel Malware:** FrostyGoop was new Golang code with no existing AV signature, so signature-based AV/EDR had nothing to match; OT environments need behavioral and protocol-level monitoring that catches abnormal Modbus commands regardless of which binary issues them.
- **Proactive Patching:** The internet-facing MikroTik router remained unpatched from the April 2023 intrusion through the January 2024 impact, roughly nine months of uninterrupted access for the threat actor.
## Recommendations
- Implement stringent network segmentation, adhering to Purdue Model guidelines, to isolate OT systems from IT networks.
- Mandate multi-factor authentication and zero-trust principles, especially for accounts used for ICS/SCADA maintenance and remote access.
- Enhance monitoring of industrial protocols (e.g., Modbus) for anomalous command patterns rather than relying solely on signature-based antivirus on OT hosts.
- Conduct comprehensive lifecycle management and patching programs for all internet-facing network hardware, particularly routers and VPN gateways.
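The Modbus indicators listed under Indicators of Compromise and the protocol-monitoring recommendation above can be turned into concrete detection logic. The following is an added example, not tooling from the report or from Dragos: it parses Modbus/TCP frames and flags writes to controllers from hosts outside a per-controller allowlist, any Modbus reaching a controller from the IT zone, and bursts of writes. The subnets, host addresses, controller addresses and frames are constructed for the example (10.20.1.0/24 as the OT subnet, 10.10.0.0/16 as corporate IT), and FrostyGoop's actual command sequence is not reproduced.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

# Standard Modbus function codes: writes change controller state, reads do not.
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    ts: float
    src: str
    dst: str
    unit_id: int
    function: int
    address: int  # first coil/register address, -1 if the PDU carries none

def parse_modbus_tcp(ts, src, dst, data: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus PDU; ValueError if not well-formed Modbus/TCP."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"MBAP protocol id {proto} is not Modbus (0)")
    if length != len(data) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = data[8:]
    address = struct.unpack(">H", pdu[:2])[0] if len(pdu) >= 2 else -1
    return ModbusRequest(ts, src, dst, unit, data[7], address)

class ModbusWriteMonitor:
    """Alert on writes from hosts not allowlisted for the target controller, on any
    Modbus reaching a controller from outside the OT subnet, and on write bursts."""

    def __init__(self, controllers, write_allowlist, ot_prefix, burst_n=3, burst_window=10.0):
        self.controllers = set(controllers)
        self.write_allowlist = {s: set(d) for s, d in write_allowlist.items()}
        self.ot_prefix, self.burst_n, self.burst_window = ot_prefix, burst_n, burst_window
        self._writes = defaultdict(list)  # src -> timestamps of recent writes

    def inspect(self, req: ModbusRequest) -> list:
        alerts = []
        if req.dst not in self.controllers:
            return alerts
        if not req.src.startswith(self.ot_prefix):
            alerts.append(f"IT-zone host {req.src} talks Modbus to controller {req.dst}")
        if req.function in WRITE_FUNCTIONS:
            if req.dst not in self.write_allowlist.get(req.src, set()):
                alerts.append(f"unauthorized {WRITE_FUNCTIONS[req.function]} from {req.src} "
                              f"to {req.dst} unit {req.unit_id} addr 0x{req.address:04x}")
            recent = self._writes[req.src]
            recent.append(req.ts)
            recent[:] = [t for t in recent if req.ts - t <= self.burst_window]
            if len(recent) >= self.burst_n:
                alerts.append(f"burst: {len(recent)} writes from {req.src} within {self.burst_window}s")
        elif req.function not in READ_FUNCTIONS:
            alerts.append(f"unexpected function code 0x{req.function:02x} from {req.src}")
        return alerts

def build_request(tid, unit, function, address, value) -> bytes:
    """Minimal request for single-address functions (0x03 read, 0x06 write, ...)."""
    pdu = struct.pack(">BHH", function, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed traffic (ts, src, dst, frame). Hypothetical layout: 10.20.1.0/24 is the OT
# subnet, 10.20.1.5 the engineering workstation, 10.10.0.0/16 corporate IT. Nothing here
# is taken from the incident.
SAMPLE_TRAFFIC = [
    (0.0, "10.20.1.5", "10.20.1.50", build_request(1, 1, 0x03, 0x0000, 10)),   # routine poll
    (1.0, "10.20.1.5", "10.20.1.50", build_request(2, 1, 0x06, 0x0010, 55)),   # sanctioned setpoint write
    (5.0, "10.10.7.42", "10.20.1.50", build_request(3, 1, 0x03, 0x0000, 10)),  # IT host reads registers
    (5.5, "10.10.7.42", "10.20.1.50", build_request(4, 1, 0x06, 0x0010, 0)),   # IT host writes setpoint
    (6.0, "10.10.7.42", "10.20.1.50", build_request(5, 1, 0x06, 0x0011, 0)),
    (6.5, "10.10.7.42", "10.20.1.51", build_request(6, 1, 0x06, 0x0010, 0)),
    (7.0, "10.10.7.42", "10.20.1.50", bytes.fromhex("0007 0001 0006 01 06 0010 0000")),  # bad protocol id
]

def run_monitor(traffic=SAMPLE_TRAFFIC) -> list:
    """Return (frame index, alert) pairs; malformed frames are reported rather than dropped."""
    monitor = ModbusWriteMonitor(controllers=["10.20.1.50", "10.20.1.51"],
                                 write_allowlist={"10.20.1.5": ["10.20.1.50", "10.20.1.51"]},
                                 ot_prefix="10.20.")
    findings = []
    for i, (ts, src, dst, frame) in enumerate(traffic):
        try:
            req = parse_modbus_tcp(ts, src, dst, frame)
        except ValueError as exc:
            findings.append((i, f"malformed frame: {exc}"))
            continue
        findings.extend((i, alert) for alert in monitor.inspect(req))
    return findings

if __name__ == "__main__":
    for idx, alert in run_monitor():
        print(f"frame {idx}: {alert}")
```

The allowlist is the part that matters operationally: in a segmented plant the set of hosts permitted to write to each controller is small and known, so an unlisted source is a stronger signal than any property of the binary sending the frames. Malformed frames are surfaced rather than silently dropped because a parser that skips them would also skip a deliberately mangled probe.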