Researchers from Cisco Talos have recently identified a new data-wiping malware called “PathWiper,” which appears to be aimed at critical infrastructure in Ukraine. This attack bears the hallmarks of Russian involvement, as it aligns with tactics previously observed in cyberattacks against Ukraine since the onset of the conflict.
The attackers abused an endpoint administration framework, turning tooling meant to manage and secure systems into the channel for their malware. Having most likely gained access to its administrative console, they pushed the PathWiper payload out to the connected endpoints.
Cisco Talos attributes this incident to a Russian-linked advanced persistent threat group with high confidence. A particularly insidious aspect of the attack is the manner in which the malware was delivered.
By issuing commands through an already compromised administrative console, the attackers made their activity resemble routine administration to anyone monitoring the network. They first deployed a seemingly innocuous VBScript named ‘uacinstall.vbs’, which in turn executed PathWiper under the name of a legitimate system utility, ‘sha256sum.exe’. This suggests the attackers had been observing the networks for some time to understand their targets.
Once running, PathWiper systematically overwrites file system structures with random data, rendering the affected systems inoperable. It first enumerates all connected storage devices and then works through them methodically, using techniques that let it bypass protections and maximize the damage done.
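The delivery chain described above (a VBScript named uacinstall.vbs launching a wiper masquerading as sha256sum.exe) can be turned into a simple detection over process-creation telemetry. This is an added example, not code from the Talos report or from this article; it assumes the VBScript ran under the Windows script hosts wscript.exe/cscript.exe, uses a constructed set of events, and treats the "outside Program Files" check as a tunable heuristic.

```python
import re

# Constructed sample process-creation events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {"pid": 1, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Temp\uacinstall.vbs"},          # constructed path
    {"pid": 2, "parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Temp\sha256sum.exe", "cmdline": "sha256sum.exe"},  # constructed path
    {"pid": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Git\usr\bin\sha256sum.exe",
     "cmdline": "sha256sum.exe image.iso"},                          # benign lookalike
    {"pid": 4, "parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Assumption: VBScript executes under one of these Windows script hosts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# File names reported for the PathWiper delivery chain.
REPORTED_SCRIPT = "uacinstall.vbs"
REPORTED_WIPER_NAME = "sha256sum.exe"
PROGRAM_FILES = re.compile(r"\\program files( \(x86\))?\\")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons (if any) this event matches the delivery chain."""
    reasons = []
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"].lower()
    if image in SCRIPT_HOSTS and REPORTED_SCRIPT in cmd:
        reasons.append("script host executing reported VBScript name")
    if parent in SCRIPT_HOSTS and image == REPORTED_WIPER_NAME:
        reasons.append("script-host parent launched reported wiper file name")
    # Heuristic (assumption): a hashing utility normally lives under an install dir.
    if image == REPORTED_WIPER_NAME and not PROGRAM_FILES.search(event["image"].lower()):
        reasons.append("sha256sum.exe running outside a Program Files directory")
    return reasons


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map pid -> reasons for every event that raised at least one alert."""
    return {e["pid"]: r for e in events if (r := classify(e))}
```

Tuning note: the last heuristic will also flag portable hashing tools installed elsewhere, so in production it should be paired with a hash or signer check rather than used alone.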
That thoroughness leaves little chance of recovery unless secure, off-network backups exist. Talos also notes clear similarities between PathWiper and HermeticWiper, an earlier wiper used against Ukraine that has been linked to Russian cyber actors.
PathWiper represents a step up in sophistication, with more deliberate targeting logic than its predecessor. The persistent threat from Russian-backed operators underscores the need for vigilance among organizations running essential services in Ukraine, such as energy and telecommunications.
The global implications of this situation also urge organizations to fortify their cybersecurity measures as state-sponsored cyberattacks continue to evolve and escalate.