New PathWiper Malware Strikes Ukraine’s Critical Infrastructure

A newly identified malware named PathWiper was recently used in a cyberattack targeting essential services in Ukraine. Cybersecurity experts at Cisco Talos reported the incident this week and shared details with Hackread.com.
Wipers are a class of malware built to erase or corrupt data on a system so that it can no longer boot or function. In this attack, the intruders first gained access to a legitimate administrative utility used to manage hosts on the victim's network. According to the researchers, they appear to have had prior knowledge of that tool, which let them issue malicious commands through it and push PathWiper out to the connected endpoints.
“Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment,” the company wrote in its blog post.
The malware works by overwriting the key data structures of a host's file system with randomly generated data. It first enumerates every attached storage target it can find, including physical drives, local volumes and network drives, and then overwrites their contents. The file names and actions used were chosen to resemble routine operations of the administrative tool, so that the wiping activity would blend in and evade detection.
Cisco Talos assesses that a Russia-backed advanced persistent threat (APT) actor is behind this destructive attack. The assessment rests on the overlap between the tactics observed here and the capabilities of the wiper itself, and those seen in earlier attacks on Ukrainian targets.
PathWiper shares traits with HermeticWiper, another wiper deployed against Ukrainian organisations in 2022. Both target the structures a Windows host needs to boot and read its disks: the Master Boot Record (MBR) and the metadata files of the New Technology File System (NTFS).
The two differ, however, in how they corrupt drives. PathWiper is the more deliberate of the two: it enumerates every connected drive and volume, including volumes that are currently dismounted, and verifies that each one exists before issuing the overwrite. HermeticWiper takes a cruder approach, simply attempting to corrupt a fixed range of physical drive numbers.
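The behaviour described above (enumerate every drive and volume, then overwrite raw devices and NTFS metadata) is what an endpoint detection should key on. The following is an added example written for this article, not code from Cisco Talos or from the malware: a small Python detector run over constructed, made-up telemetry records in the shape an EDR or Sysmon-style feed might emit for handles opened with write access. The process paths, volume GUID and the allow-list of Windows components are assumptions for illustration only. It flags a process that writes to several distinct raw devices in a short window, or that combines a raw device write with a write to an NTFS metadata file, and rates a lone raw write by an unknown tool lower.

```python
import re
from collections import defaultdict

# Constructed sample telemetry. These are NOT real PathWiper logs; they are
# made-up records in the shape an EDR or Sysmon-style feed might emit for
# handles opened with write access. Paths and process names are illustrative.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4100, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\update.log", "write": True},
    # One process walking every drive/volume and then the NTFS metadata: the
    # enumerate-verify-overwrite pattern described for PathWiper.
    {"ts": 101, "pid": 5200, "image": r"C:\ProgramData\Console\agent.exe",
     "target": r"\\.\PhysicalDrive0", "write": True},
    {"ts": 101, "pid": 5200, "image": r"C:\ProgramData\Console\agent.exe",
     "target": r"\\.\C:", "write": True},
    {"ts": 102, "pid": 5200, "image": r"C:\ProgramData\Console\agent.exe",
     "target": r"\\?\Volume{6f1d5f1a-0000-0000-0000-100000000000}", "write": True},
    {"ts": 102, "pid": 5200, "image": r"C:\ProgramData\Console\agent.exe",
     "target": r"\\.\D:", "write": True},
    {"ts": 103, "pid": 5200, "image": r"C:\ProgramData\Console\agent.exe",
     "target": r"C:\$MFT", "write": True},
    # Allow-listed Windows component touching a raw volume: expected noise.
    {"ts": 120, "pid": 6000, "image": r"C:\Windows\System32\vssvc.exe",
     "target": r"\\.\C:", "write": True},
    # Single raw write by an unknown tool: worth a look, not a wiper pattern.
    {"ts": 130, "pid": 7000, "image": r"C:\Tools\imager.exe",
     "target": r"\\.\PhysicalDrive1", "write": True},
    # Read-only raw access is ignored by the detector.
    {"ts": 131, "pid": 7100, "image": r"C:\Tools\reader.exe",
     "target": r"\\.\PhysicalDrive0", "write": False},
]

# Raw device namespace on Windows: \\.\PhysicalDriveN, \\.\C:, \\?\Volume{GUID}
RAW_DEVICE = re.compile(
    r"^\\\\[.?]\\(PhysicalDrive\d+|[A-Za-z]:|Volume\{[0-9A-Fa-f-]+\})$")
# NTFS metadata files a wiper overwrites to leave a volume unbootable/unreadable
NTFS_META = re.compile(r"^[A-Za-z]:\\\$(MFT|MFTMirr|LogFile|Boot|Bitmap|Volume)$")

# Assumption: a starting allow-list of Windows components that legitimately
# open volumes for write. Tune it to the environment and keep it short.
ALLOWLIST = {"vssvc.exe", "defrag.exe", "diskpart.exe", "chkdsk.exe", "format.com"}


def detect_wiper_activity(events, window=60):
    """Group raw-device / NTFS-metadata writes per process and score them.

    high   : writes to >= 2 distinct raw devices within `window` seconds, or a
             raw device write combined with an NTFS metadata write
    medium : a raw device write by a process outside ALLOWLIST
    low    : NTFS metadata write only
    Returns a list of alert dicts ordered by pid.
    """
    per_pid = defaultdict(list)
    for ev in events:
        if not ev.get("write"):
            continue
        if RAW_DEVICE.match(ev["target"]) or NTFS_META.match(ev["target"]):
            per_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in sorted(per_pid.items()):
        image = evs[0]["image"]
        if image.rsplit("\\", 1)[-1].lower() in ALLOWLIST:
            continue
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: find the burst with the most distinct targets.
        best_raw, best_meta = set(), set()
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            raw = {e["target"].lower() for e in burst if RAW_DEVICE.match(e["target"])}
            meta = {e["target"].lower() for e in burst if NTFS_META.match(e["target"])}
            if len(raw) + len(meta) > len(best_raw) + len(best_meta):
                best_raw, best_meta = raw, meta
        if len(best_raw) >= 2 or (best_raw and best_meta):
            severity = "high"
        elif best_raw:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"pid": pid, "image": image, "severity": severity,
                       "raw_targets": sorted(best_raw),
                       "ntfs_meta_targets": sorted(best_meta)})
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_activity(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], alert["image"], alert["raw_targets"])
```

On the constructed sample this raises one high-severity alert for the process that touched four raw devices plus `$MFT`, and one medium alert for the lone raw write; the allow-listed VSS service and the read-only access produce nothing. In a real deployment the window and allow-list need tuning, and the alert should fire on the first raw write rather than after the burst completes, since a wiper finishes in seconds.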
The attack underlines the continuing threat to Ukraine's critical infrastructure as the conflict with Russia goes on. The recommended defenses are layered: endpoint protection, email security, firewalls, network analysis and malware analysis to detect and block malicious activity, harmful emails and websites, together with multi-factor authentication so that only authorized users can reach administrative tools. Against a wiper specifically, detection has to catch the raw disk writes within seconds or it is too late; offline backups remain the realistic recovery path.
HackRead