Destructive ‘PathWiper’ Targeting Ukraine’s Critical Infrastructure
Russian threat actors are once again targeting Ukraine’s critical infrastructure with destructive malware, a fresh report from Cisco Talos shows.
Wiper attacks against Ukraine were executed in January and February 2022, in coordination with Russia’s assault on the country, with malware such as WhisperGate, HermeticWiper, IsaacWiper and CaddyWiper identified and analyzed. In April, Industroyer2 was used against industrial control systems (ICS).
As Russia intensified its activities in cyberspace, the attacks continued and Ukraine’s largest mobile network operator, Kyivstar, had its IT infrastructure partially destroyed in a December 2023 cyberattack.
Now, Talos says a critical infrastructure entity within Ukraine fell victim to a destructive attack in which new malware, dubbed PathWiper, was used.
The new malware shares similarities with HermeticWiper, which has been attributed to Sandworm, also tracked as Seashell Blizzard, APT44, Iridium, TeleBots, and Voodoo Bear, an APT group associated with GRU, Russia’s military intelligence.
Both wipers, Talos explains, corrupt the master boot record (MBR) and NTFS-related artifacts, though the mechanisms differ: PathWiper seeks out all connected drives and volumes, identifies volume labels, and documents valid records, while HermeticWiper simply enumerates physical drives from 0 to 100.
As part of the PathWiper attack, a legitimate endpoint administration framework was used to execute malicious commands and deploy the wiper. The attackers used filenames and actions mimicking those of the utility’s console.
“Any commands issued by the administrative tool’s console were received by its client running on the endpoints. The client then executed the command as a batch (BAT) file, with the command line partially resembling that of Impacket command executions, though such commands do not necessarily indicate the presence of Impacket in an environment,” Talos explains.
When executed, PathWiper attempted to dismount volumes and to replace the contents of file system artifacts with random data, using one thread per drive and volume for each identified path. Targeted artifacts include MBR, $MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, and $AttrDef.
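As an added illustration (not code from Talos or from this article), the following Python detector turns the behaviours just described, dismounting volumes and overwriting NTFS metadata files across several drives, into a per-process check over endpoint telemetry. The event schema, process names and sample events are constructed assumptions, not data from the report.

```python
import re
from collections import defaultdict

# NTFS metadata files the Talos report lists as PathWiper's overwrite targets.
NTFS_ARTIFACTS = {"$MFT", "$MFTMirr", "$LogFile", "$Boot", "$Bitmap", "$TxfLog", "$Tops", "$AttrDef"}
# Raw device handles (\\.\PhysicalDrive0, \\.\C:, \\?\Volume{GUID}) and a volume-id extractor.
RAW_DEVICE_RE = re.compile(r"\\\\[.?]\\(PhysicalDrive\d+|[A-Za-z]:|Volume\{[0-9A-Fa-f-]+\})", re.I)
VOLUME_RE = re.compile(r"^(?:\\\\[.?]\\)?(PhysicalDrive\d+|Volume\{[0-9A-Fa-f-]+\}|[A-Za-z]:)", re.I)

def classify_event(event):
    """Tag one endpoint event (constructed schema: host, pid, image, op, target)."""
    tags, op, target = set(), event.get("op", ""), event.get("target", "")
    if op == "write" and RAW_DEVICE_RE.fullmatch(target):
        tags.add("raw_device_write")        # direct write to a raw drive/volume handle
    if op == "write" and target.rsplit("\\", 1)[-1] in NTFS_ARTIFACTS:
        tags.add("ntfs_metadata_write")     # write to $MFT, $LogFile, $Boot, ...
    if op == "dismount":
        tags.add("volume_dismount")         # volume dismounted ahead of an overwrite
    return tags

def find_wiper_candidates(events):
    """Per process: flag dismount + metadata write, or destructive writes on 2+ volumes (one thread per volume)."""
    procs = defaultdict(lambda: {"tags": set(), "volumes": set()})
    for ev in events:
        tags = classify_event(ev)
        if not tags:
            continue
        key = (ev["host"], ev["pid"], ev["image"])
        procs[key]["tags"] |= tags
        if tags & {"raw_device_write", "ntfs_metadata_write"} and (m := VOLUME_RE.match(ev["target"])):
            procs[key]["volumes"].add(m.group(1).lower())
    return sorted(
        (key, sorted(i["tags"]), len(i["volumes"])) for key, i in procs.items()
        if {"volume_dismount", "ntfs_metadata_write"} <= i["tags"] or len(i["volumes"]) >= 2)

# Constructed sample telemetry (not real logs): one wiper-like process, one benign backup agent.
WIPER, BACKUP = "C:\\Windows\\Temp\\update.exe", "C:\\Program Files\\Backup\\agent.exe"
SAMPLE_EVENTS = [
    {"host": "srv01", "pid": 4120, "image": WIPER, "op": "dismount", "target": "\\\\.\\D:"},
    {"host": "srv01", "pid": 4120, "image": WIPER, "op": "write", "target": "C:\\$MFT"},
    {"host": "srv01", "pid": 4120, "image": WIPER, "op": "write", "target": "D:\\$LogFile"},
    {"host": "srv01", "pid": 4120, "image": WIPER, "op": "write", "target": "\\\\.\\PhysicalDrive0"},
    {"host": "srv02", "pid": 880, "image": BACKUP, "op": "read", "target": "\\\\.\\C:"},
    {"host": "srv02", "pid": 880, "image": BACKUP, "op": "write", "target": "C:\\Backups\\vol.img"},
]

if __name__ == "__main__":
    for proc, tags, nvol in find_wiper_candidates(SAMPLE_EVENTS):
        print(f"{proc[0]} pid={proc[1]} {proc[2]} tags={tags} volumes={nvol}")
```

The backup agent's raw-device read and ordinary file write produce no tags, so only the process that dismounts a volume and writes to metadata files on several drives is reported.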
Some of the 2022 wiper attacks against Ukraine were attributed to Cadet Blizzard, an APT operating on behalf of GRU. Last year, the US announced charges against a member of the group.