A critical infrastructure entity within Ukraine has fallen victim to a new wiper malware identified as PathWiper, according to a recent analysis by Cisco Talos.
Details of the attack show that it was carried out through a legitimate endpoint administration framework, which implies the attackers had already gained access to its administrative console. Researchers Jacob Finn, Dmytro Korzhevin, and Asheer Malhotra noted that malicious commands were issued from the console to deploy PathWiper on the connected endpoints.
This incident is believed to be linked to a Russia-nexus advanced persistent threat (APT), since similar tradecraft has been observed in previous attacks against Ukrainian targets. Cisco Talos described how the malware runs commands that overwrite critical on-disk structures, including the Master Boot Record (MBR) and other NTFS file-system artifacts, with random data, effectively destroying the victim’s data.
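The passage above describes the destructive effect of PathWiper: the first sector of the disk and other NTFS structures are overwritten with random data. A defender triaging a disk image from an affected host wants a quick way to tell an intact MBR from one that has been filled with random bytes or zeroed. The following Python script is an added example written for this article; it is not code from Cisco Talos or from the malware analysis. It reads the first 512-byte sector, checks the 0x55AA boot signature and the four partition-table entries, and measures Shannon entropy, since legitimate boot code never approaches the entropy of random fill. The sample sectors it builds (a low-entropy stand-in MBR with one NTFS partition, and a pseudo-random "wiped" sector derived from SHA-256 output) are constructed for the demonstration; the function names and thresholds are this example's own choices, not values from the analysis.

```python
import hashlib
import math
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # boot signature at offset 510
PARTITION_TABLE_OFFSET = 0x1BE       # four 16-byte entries follow the boot code
WIPED_ENTROPY_THRESHOLD = 7.0        # bits/byte; random fill sits near 7.6 for 512 samples


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for empty or constant data, approaching 8.0 for random data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_partition_table(sector: bytes) -> list:
    """Decode the four classic MBR partition entries: status, type, first LBA, sector count."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # layout: status(1) CHS-first(3) type(1) CHS-last(3) LBA-first(4) sectors(4)
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off
        )
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(sector: bytes) -> dict:
    """Triage verdict for one 512-byte sector: 'intact', 'likely-wiped', 'zeroed' or 'suspicious'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    has_sig = sector[510:512] == MBR_SIGNATURE
    entropy = shannon_entropy(sector)
    entries = parse_partition_table(sector)
    plausible = any(
        e["type"] != 0 and e["sectors"] > 0 and e["status"] in (0x00, 0x80) for e in entries
    )
    if not any(sector):
        verdict = "zeroed"                        # every byte is 0x00: overwritten with zeros or never written
    elif entropy > WIPED_ENTROPY_THRESHOLD:
        verdict = "likely-wiped"                  # random fill, regardless of a chance 0x55AA at the end
    elif has_sig and plausible:
        verdict = "intact"
    else:
        verdict = "suspicious"                    # signature or partition table missing or damaged
    return {
        "signature": has_sig,
        "entropy": round(entropy, 2),
        "plausible_partition": plausible,
        "verdict": verdict,
    }


def assess_image(path: str) -> dict:
    """Run the same triage on the first sector of a raw disk image on disk."""
    with open(path, "rb") as f:
        return assess_mbr(f.read(SECTOR_SIZE))


def build_constructed_intact_mbr() -> bytes:
    """Constructed sample: low-entropy stand-in boot code, one NTFS partition (type 0x07), valid signature."""
    boot_code = bytes(range(64)) * 6 + bytes(PARTITION_TABLE_OFFSET - 384)   # 446 bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(16 * 3)                                            # three empty entries
    return boot_code + table + MBR_SIGNATURE


def build_constructed_wiped_sector() -> bytes:
    """Constructed sample: 512 pseudo-random bytes standing in for a sector overwritten with random data."""
    return b"".join(hashlib.sha256(b"constructed-wiped-sector" + bytes([i])).digest() for i in range(16))


if __name__ == "__main__":
    for label, sector in (
        ("intact", build_constructed_intact_mbr()),
        ("wiped", build_constructed_wiped_sector()),
        ("zeroed", bytes(SECTOR_SIZE)),
    ):
        print(label, assess_mbr(sector))
```

Point `assess_image()` at a raw image (for example one acquired with dd) to get the same verdict for a real host; a "likely-wiped" or "zeroed" first sector on a machine that previously booted is a strong indicator that a wiper, not a disk fault, is responsible, and it justifies pulling the rest of the volume for NTFS metadata analysis.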
PathWiper reportedly shares characteristics with another wiper, HermeticWiper, which was associated with Russia’s invasion of Ukraine in February 2024. Although both wipers target the same on-disk structures, their corruption mechanisms differ, pointing to continued evolution of the destructive tooling used against Ukrainian infrastructure during the ongoing conflict.
Separately, a cyber-espionage group tracked as Silent Werewolf has been observed running concurrent campaigns against entities in Moldova and Russia using similar tactics. The Russian cybersecurity firm BI.ZONE reported that phishing attacks enabled these intrusions, underscoring the persistent exposure of organizations across the region.
In the face of these threats, Ukrainian organizations are advised to strengthen their security controls, in particular around administrative consoles for endpoint management, and to remain vigilant, as malicious actors continue to exploit such weaknesses for data destruction.