MITRE ATT&CK® Campaign

C0041: FrostyGoop Incident

FrostyGoop Incident took place in January 2024 against a municipal district heating company in Ukraine. Following initial access via likely exploitation of external-facing services, FrostyGoop was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.[1][2]

Domain: Enterprise | ID: C0041 | Type: Campaign | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

The FrostyGoop Incident matters because it connects ordinary enterprise intrusion paths to real-world disruption of heating services. MITRE describes a January 2024 incident against a Ukrainian municipal district heating company where likely exploitation of external-facing services preceded use of FrostyGoop to issue legitimate Modbus commands against ENCO control systems. For leaders, the lesson is that cyber-physical risk may not require exotic exploitation inside OT: exposed services, persistence, credentials, and weak visibility into control commands can become operational-resilience issues.

Executive priority

Prioritize this as an IT-to-OT continuity and public-service resilience scenario. Executives should ask whether internet-facing services that can reach operational environments are inventoried, patched, monitored, and segmented; whether Modbus write activity is visible and governed; and whether incident response plans cover loss of heating/control availability or loss of operator view. This object also supports audit and compliance discussions around vulnerability management, access control, OT network monitoring, change control, and evidence of recovery readiness.

Technical view

MITRE provides no official detection text for C0041, so defenders should validate coverage across the relationship chain rather than rely on a single signature. The campaign is related to likely exploitation of public-facing applications, web shell persistence, SAM credential access on Windows, application-layer protocol command-and-control, downgrade attack, system firmware activity, and ICS outcomes including Modify Parameter, Loss of View, and Loss of Availability. The key OT validation point is whether legitimate Modbus TCP traffic, especially writes to holding registers on port 502 between control servers and field controllers/RTUs/PLCs/IEDs, can be baselined, attributed to authorized operators/systems, and investigated when it changes process parameters.

Likely telemetry

  • Internet-facing application, web server, reverse proxy, and remote access logs
  • Web server file integrity, script creation/modification, and suspicious web shell indicators
  • Windows endpoint telemetry for SAM/registry access and local credential dumping behavior
  • Network flow, proxy, DNS, and application-layer command-and-control telemetry
  • OT network traffic including Modbus TCP on port 502, read/write function usage, source/destination assets, and register changes

Detection direction

  • Treat normal-looking Modbus commands as security-relevant when they write parameters, target sensitive registers, originate from unusual hosts, or occur outside approved maintenance windows.
  • Correlate external-facing exploitation and possible web shell activity with later internal movement toward OT networks and control servers.
  • Validate whether SAM access alerts and local administrator credential use are monitored on Windows systems that could bridge IT and OT operations.
  • Tune detections to distinguish authorized engineering/maintenance activity from unexpected parameter changes; false positives are likely during planned operations unless change windows and asset ownership are integrated.
  • Look for gaps caused by IT/OT monitoring separation, uninspected port 502 traffic, limited logging on field devices, missing web server file monitoring, and incomplete inventories of exposed services.
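
The Modbus write baselining called for in the technical view and the detection bullets above, as an added example that is not Glexia's or MITRE's code: it parses Modbus TCP request frames as carried on port 502 and flags writes that come from a host outside an assumed writer allow-list or outside an assumed maintenance window. The allow-list, the window and the sample frames are constructed assumptions, not data from the incident.

```python
"""Flag Modbus TCP writes that fall outside an approved baseline (defender view)."""
import struct
from datetime import datetime, time

# Function codes that change controller state (ATT&CK for ICS: Modify Parameter).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Constructed baseline (assumptions): the only host allowed to write, and the
# engineering change window during which writes are expected.
AUTHORIZED_WRITERS = {"10.10.1.5"}
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and the PDU of a Modbus TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length field")
    rec = {"tid": tid, "unit": unit, "function": func, "address": None, "count": 0}
    if func in WRITE_FUNCTIONS:
        rec["address"] = struct.unpack(">H", frame[8:10])[0]
        rec["count"] = 1 if func in (5, 6) else struct.unpack(">H", frame[10:12])[0]
    return rec


def triage(src_ip: str, when: str, frame: bytes) -> list:
    """Return the reasons a frame warrants investigation (empty list = baseline)."""
    rec = parse_modbus_tcp(frame)
    if rec["function"] not in WRITE_FUNCTIONS:
        return []                     # reads do not change process parameters
    reasons = [f"{WRITE_FUNCTIONS[rec['function']]} at address {rec['address']}"]
    if src_ip not in AUTHORIZED_WRITERS:
        reasons.append(f"source {src_ip} is not an authorized writer")
    start, end = MAINTENANCE_WINDOW
    if not start <= datetime.fromisoformat(when).time() <= end:
        reasons.append("outside approved maintenance window")
    return reasons


# Constructed sample traffic: (source IP, ISO timestamp, raw TCP payload to port 502).
SAMPLE_EVENTS = [
    ("10.10.1.5", "2024-01-15T02:30:00", bytes.fromhex("000100000006010300000002")),
    ("10.10.1.5", "2024-01-15T02:31:00", bytes.fromhex("000200000006010600100050")),
    ("10.10.9.77", "2024-01-15T23:05:00", bytes.fromhex("00030000000b011000640002040001ffff")),
]

if __name__ == "__main__":
    for ip, ts, frame in SAMPLE_EVENTS:
        print(ip, ts, triage(ip, ts, frame) or "baseline")
```

In production the allow-list and window would come from the asset inventory and change-management system the page says are required to judge real coverage; the parser is the same.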

Mitigation priorities

  • Reduce and continuously manage exposure of public-facing services, prioritizing patching and remediation of internet-accessible systems that can provide a path toward OT.
  • Harden and monitor web servers for unauthorized scripts, file changes, and persistent access mechanisms such as web shells.
  • Limit credential reuse and local administrative access, especially on Windows systems with any path to operational networks.
  • Segment IT and OT networks and tightly control which systems can initiate Modbus TCP communications to control assets.
  • Restrict, monitor, and approve Modbus write capability; align allowed commands and parameter changes with engineering change-management processes.

Analyst notes and limits

The supplied ATT&CK object is a campaign entry, not a full intrusion report. The strongest decision value is the cross-domain linkage: likely enterprise initial access followed by ICS manipulation using FrostyGoop and legitimate Modbus commands. Glexia would use this to drive joint SOC, IR, vulnerability management, identity, and OT operations validation rather than a narrow malware-only review.

Platforms and tactics are not specified on the campaign object, and MITRE provides no official detection guidance for C0041. Related objects provide technical context, including FrostyGoop platforms and associated techniques, but local architecture, asset inventory, logging depth, and approved engineering practices are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition

FrostyGoop Incident

FrostyGoop Incident took place in January 2024 against a municipal district heating company in Ukraine. Following initial access via likely exploitation of external-facing services, FrostyGoop was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.[1][2]

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1003.002 | Security Account Manager (sub-technique)
During FrostyGoop Incident, the adversary retrieved the contents of the Security Account Manager (SAM) hive in the victim environment for credential capture.[1]

Enterprise | T1071 | Application Layer Protocol
During FrostyGoop Incident, the adversary initiated Layer Two Tunnelling Protocol (L2TP) connections to Moscow-based IP addresses.[1]

Enterprise | T1505.003 | Web Shell (sub-technique)
FrostyGoop Incident deployed a ReGeorg variant web shell to impacted systems following initial access for persistence.[1]

Enterprise | T1689 | Downgrade Attack
During FrostyGoop Incident, the adversary downgraded firmware on victim devices in order to impair visibility into the process environment.[1]

Enterprise | T1190 | Exploit Public-Facing Application
FrostyGoop Incident was likely enabled by the adversary exploiting an unknown vulnerability in an external-facing router.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 16c2de4b97f3779c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 16c2de4b97f3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Dragos FROSTYGOOP 2024. Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.
  2. Nozomi BUSTLEBERM 2024. Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.
  3. mitre-attack C0041. MITRE ATT&CK campaign object C0041.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.