A new strain of wiper malware targeting Ukrainian infrastructure is being linked to pro-Russian hackers, in the latest sign of Moscow’s evolving cyber tactics.
An unspecified critical infrastructure entity in Ukraine was targeted by a never-before-seen wiper strain that researchers at Cisco Talos are calling PathWiper.
Talos said it attributed the attack to a Russia-nexus advanced persistent threat (APT) group, noting tactical similarities with previous pro-Russian operations.
It also said there were commonalities between PathWiper and HermeticWiper, one of the destructive malware strains used at the start of Russia’s invasion of Ukraine in 2022.
Those HermeticWiper attacks were strongly attributed to Sandworm, a unit of Russia's GRU military intelligence.
Both PathWiper and HermeticWiper attempt to corrupt the master boot record (MBR) and NTFS on-disk structures, but the way each goes about that corruption differs significantly, Talos said.
“PathWiper programmatically identifies all connected, including dismounted, drives and volumes on the system, identifies volume labels for verification, and documents valid records.
“This differs from HermeticWiper’s simple process of enumerating physical drives from 0 to 100 and attempting to corrupt them.”
Talos said that by the time it discovered PathWiper, the attacker already controlled the critical infrastructure organization's endpoint administration system, which points to prior access and a degree of sophistication.
The researchers did not describe the intrusion in much further detail, but with that level of access PathWiper could have been pushed to endpoints across the organization's network at once, causing extensive destruction.
The malware would first enumerate the connected storage media on the endpoint, including the names of physical drives, volume names and paths, and network drive paths (shared and unshared).
“Once all the storage media information has been collected, PathWiper creates one thread per drive and volume for every path recorded and overwrites artifacts with randomly generated bytes,” said Talos.
“The wiper reads multiple file system attributes, such as the following from New Technology File System (NTFS). PathWiper then overwrites the contents/data related to these artifacts directly on disk with random data.
“Before overwriting the contents of the artifacts, the wiper also attempts to dismount volumes using the ‘FSCTL_DISMOUNT_VOLUME IOCTL’ to the MountPointManager device object. PathWiper also destroys files on disk by overwriting them with randomized bytes.”
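The behaviour Talos describes above (a thread per volume, write handles to raw drive and volume device paths, and a FSCTL_DISMOUNT_VOLUME request before the overwrite) is a pattern a defender can look for. The following Python sketch is an added example written for this page; it is not Talos's code and contains nothing taken from the PathWiper sample. It flags any process that, within a short window, opens write handles to more than one raw volume or physical-drive path, or that combines such a write handle with FSCTL_DISMOUNT_VOLUME (0x00090020, the control code defined in the Windows SDK). The telemetry format, process names, paths and timestamps are constructed for the example; real EDR and Sysmon schemas differ and the parser would need adapting.

```python
import re
from collections import defaultdict
from datetime import datetime

# FSCTL_DISMOUNT_VOLUME as defined in the Windows SDK:
# CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
FSCTL_DISMOUNT_VOLUME = 0x00090020

# Device paths that address a disk or volume directly rather than a file on it.
RAW_TARGET = re.compile(
    r"^\\\\[.?]\\(PhysicalDrive\d+|[A-Za-z]:|Volume\{[0-9a-fA-F-]+\})$"
)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed telemetry in a hypothetical "timestamp key=value ..." format.
# pid 3100 is a backup tool reading one disk; pid 4120 shows the wiper-like
# pattern; pid 5200 is an ordinary process writing a normal file.
SAMPLE = r"""
2025-06-05T09:58:10Z pid=3100 image=C:\Tools\backup.exe op=CreateFile path=\\.\PhysicalDrive0 access=GENERIC_READ
2025-06-05T10:00:01Z pid=4120 image=C:\Windows\Temp\svc.exe op=CreateFile path=\\.\C: access=GENERIC_READ|GENERIC_WRITE
2025-06-05T10:00:01Z pid=4120 image=C:\Windows\Temp\svc.exe op=DeviceIoControl path=\\.\MountPointManager code=0x90020
2025-06-05T10:00:02Z pid=4120 image=C:\Windows\Temp\svc.exe op=CreateFile path=\\.\D: access=GENERIC_WRITE
2025-06-05T10:00:02Z pid=4120 image=C:\Windows\Temp\svc.exe op=CreateFile path=\\?\Volume{3a9b1f6e-2c44-4c3a-9d1e-0f5b7a2c8d91} access=GENERIC_WRITE
2025-06-05T10:00:03Z pid=4120 image=C:\Windows\Temp\svc.exe op=WriteFile path=\\.\C: bytes=4096
2025-06-05T10:05:00Z pid=5200 image=C:\Windows\explorer.exe op=CreateFile path=C:\Users\a\notes.txt access=GENERIC_WRITE
"""
SAMPLE_LINES = [l for l in SAMPLE.splitlines() if l.strip()]


def parse_line(line):
    """Parse one constructed telemetry line into a dict with a numeric timestamp."""
    ts, _, rest = line.partition(" ")
    rec = {k: v.strip('"') for k, v in KV.findall(rest)}
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    rec["pid"] = int(rec["pid"])
    return rec


def detect(lines, window_s=60, min_volumes=2):
    """Return {pid: {"image": ..., "reasons": [...]}} for processes matching the pattern.

    A sliding window of window_s seconds is evaluated per process; the process is
    flagged when, inside one window, it holds write handles on at least
    min_volumes distinct raw volume/drive paths, or holds at least one such
    handle and also issues FSCTL_DISMOUNT_VOLUME.
    """
    per_pid = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        per_pid[rec["pid"]].append(rec)

    findings = {}
    for pid, recs in per_pid.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            write_targets, dismounts = set(), 0
            for r in recs[i:]:
                if r["ts"] - start["ts"] > window_s:
                    break
                if (r["op"] == "CreateFile" and RAW_TARGET.match(r["path"])
                        and "WRITE" in r.get("access", "")):
                    write_targets.add(r["path"].lower())
                elif (r["op"] == "DeviceIoControl"
                        and int(r["code"], 16) == FSCTL_DISMOUNT_VOLUME):
                    dismounts += 1
            reasons = []
            if len(write_targets) >= min_volumes:
                reasons.append(f"write handles on {len(write_targets)} raw volumes/drives")
            if dismounts and write_targets:
                reasons.append(f"{dismounts} FSCTL_DISMOUNT_VOLUME request(s) alongside raw writes")
            if reasons:
                findings[pid] = {"image": recs[0]["image"], "reasons": reasons}
                break  # one finding per process is enough
    return findings


if __name__ == "__main__":
    for pid, f in detect(SAMPLE_LINES).items():
        print(f"pid {pid} ({f['image']}): " + "; ".join(f["reasons"]))
```

Only the constructed process 4120 is reported, on both counts; the read-only disk access by the backup tool and the ordinary file write are not. In production the thresholds would be tuned per environment (disk-imaging and partitioning tools legitimately open several raw volumes for writing), and the dismount request is the higher-signal part of the combination.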
Before Russia’s invasion of Ukraine, seeing a wiper attack in the wild was a relatively rare occurrence – maybe one major incident in a bad year – but their use surged after the war broke out.
Researchers noted six new strains on the loose in the first quarter of 2022, with attacks causing wide-scale disruption beyond their intended targets, including German wind turbines.
The