Defending Industrial Control Systems from Protocol Exploits: How Acalvio Deception Stops FrostyGoop-Style Attacks

News | 28.10.2025

Acalvio - Protecting OT and ICS Environments from Malware Exploiting Protocol Weaknesses

In April 2024, Ukraine’s Cyber Security Situation Center (CSSC) reported a new strain of ICS-targeting malware called FrostyGoop. The malware exploited industrial protocol weaknesses to disrupt a municipal energy provider responsible for heating over 600 residential buildings. Recovery took more than two days—leaving thousands without heating in sub-zero temperatures.

This incident highlights a growing and dangerous threat: malware designed specifically to exploit operational technology (OT) environments.

What Makes FrostyGoop Different?

FrostyGoop is the first documented malware with built-in exploit support for Modbus, one of the most widely used ICS protocols. Over Modbus TCP, the malware:

  • Sends unauthorized commands to PLCs (Programmable Logic Controllers)
  • Manipulates operational parameters remotely
  • Disables industrial processes

In this case, attackers issued Modbus write function codes to place malicious values in PLC registers—effectively shutting down system operations.

Why ICS Protocols Are at Risk

Unlike modern IT protocols (HTTPS/TLS), industrial protocols such as Modbus and BACnet were not designed with security in mind. They:

  • Lack authentication
  • Lack encryption
  • Accept commands from any client
  • Are vulnerable to replay, spoofing, and man-in-the-middle attacks

This makes ICS networks extremely vulnerable when exposed—even briefly—to the internet or untrusted networks.

Beyond Segmentation: Why OT Needs Threat Detection

Network segmentation has long been the foundation of OT security—but it is no longer enough. Attackers can still bypass segmentation through:

  • Exposed OT assets connected online
  • Compromised VPNs or remote access systems
  • Insider threats
  • Misconfigured firewalls
  • Supply chain access

With malware like FrostyGoop actively targeting ICS protocols, organizations must now adopt an “assume breach” approach and add threat detection capabilities into their OT defense strategy.

Why Traditional Detection Fails in OT

Legacy OT monitoring tools struggle against targeted ICS attacks:

| Traditional Method | Limitation in OT Security |
|---|---|
| Endpoint Agents (EDR) | Not compatible with PLCs and field devices |
| Log Analytics | Inconsistent or missing log data |
| NDR/Anomaly Detection | Blind to protocol-specific exploits |

Anomaly-based tools can flag suspicious traffic—but FrostyGoop uses valid Modbus commands that appear normal, making it largely invisible.

Acalvio Deception: A Smarter Way to Defend ICS

To detect ICS protocol abuse, defenders are now using cyber deception. Acalvio deploys OT-aware decoys—realistic replicas of PLCs, HMIs, field devices, and engineering workstations—designed to attract attackers.

Why deception works in OT environments:

  • Detects unauthorized Modbus/BACnet commands instantly
  • No signatures or baselining required
  • Works even on leaf networks where NDR lacks visibility
  • Identifies attacker reconnaissance early
  • Provides high-fidelity, zero-false-positive alerts

Attackers scanning for Modbus devices will always interact with decoys first—providing early detection before real equipment is targeted.
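As an added illustration (not Acalvio's code and not part of the original article), the check below shows the kind of logic a Modbus/TCP decoy can apply to the protocol weaknesses described above: it parses the MBAP header and function code of each request, and because no legitimate client should ever address a decoy, every request is an alert, with the write function codes a FrostyGoop-style attack depends on rated critical. The client addresses and frames are constructed samples.

```python
import struct
from collections import namedtuple

# Public Modbus function codes; the write codes are what a FrostyGoop-style attack needs.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
ModbusRequest = namedtuple("ModbusRequest", "transaction_id unit_id function payload")

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def assess(src_ip: str, frame: bytes) -> dict:
    """Classify a request that reached a decoy PLC. Reads are reconnaissance (high);
    writes are critical, since Modbus has no authentication to stop them on a real PLC."""
    req = parse_modbus_tcp(frame)
    if req.function in WRITE_FUNCTIONS:
        severity, name = "critical", WRITE_FUNCTIONS[req.function]
    elif req.function in READ_FUNCTIONS:
        severity, name = "high", READ_FUNCTIONS[req.function]
    else:
        severity, name = "medium", f"function 0x{req.function:02x}"
    detail = ""
    if req.function == 0x06 and len(req.payload) >= 4:  # decode the value being written
        addr, value = struct.unpack(">HH", req.payload[:4])
        detail = f"holding register {addr} <- {value}"
    return {"src": src_ip, "unit": req.unit_id, "function": name,
            "severity": severity, "detail": detail}

# Constructed sample traffic from a hypothetical client to a decoy on TCP/502.
SAMPLE_TRAFFIC = [
    ("10.0.5.23", bytes.fromhex("00010000000601030000000a")),  # read 10 holding registers
    ("10.0.5.23", bytes.fromhex("000200000006010600100000")),  # write 0 into register 16
]

def decoy_alerts(traffic):
    """Run every captured request through assess() and return the alert list."""
    return [assess(src, frame) for src, frame in traffic]

if __name__ == "__main__":
    print(*decoy_alerts(SAMPLE_TRAFFIC), sep="\n")
```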

Example: Stopping a FrostyGoop Attack with Deception

Attacker steps:

  1. Scans the network for Modbus PLCs (e.g. nmap <subnet CIDR> -p 502)
  2. Deploys FrostyGoop to exploit Modbus-enabled PLCs
  3. Issues shutdown commands

With Acalvio deception:

  • Step 1 triggers an alert when attackers interact with decoy PLCs
  • FrostyGoop wastes time on fake assets
  • SOC teams are alerted before real systems are touched
  • Response teams isolate and neutralize the threat

Protect Your OT with Acalvio – Available from Softprom

Acalvio is a leader in autonomous deception for OT and ICS environments. Its AI-powered Preemptive Cybersecurity Platform protects against:

  • APT attacks
  • Insider threats
  • Protocol exploitation
  • Industrial ransomware
  • Identity misuse and lateral movement

As an official distributor of Acalvio, Softprom helps organizations secure IT, OT, and critical infrastructure against modern threat actors.

Want to strengthen your OT security posture?

Contact us to schedule a consultation or demo of Acalvio deception.