In recent developments, Ukraine’s critical infrastructure has been targeted by a new form of destructive malware known as PathWiper. This malicious software has been deployed against a key Ukrainian organization, marking a continuation of cyber assaults that have plagued the nation since the onset of the conflict with Russia.
Background of Cyber Attacks on Ukraine
Ukraine has been a focal point for cyber warfare, especially since the escalation of tensions with Russia. Notably, in January and February 2022, the country faced a series of wiper attacks coinciding with Russia's military actions. Malware families such as WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper were identified during this period. These attacks aimed to disrupt operations and destroy data, crippling various sectors within Ukraine. In April 2022, Industroyer2 was used specifically against industrial control systems, further highlighting the strategic intent behind these cyber operations.
The cyber onslaught continued, and in December 2023, Ukraine’s largest mobile network operator, Kyivstar, suffered a significant cyberattack that partially destroyed its IT infrastructure. This incident underscored the persistent and evolving nature of cyber threats facing the nation.
Introduction of PathWiper
The latest addition to this series of cyber threats is PathWiper. According to a report from Cisco Talos, this new malware was deployed against a critical infrastructure entity within Ukraine. PathWiper shares similarities with HermeticWiper, a malware previously attributed to the Sandworm group, also known as Seashell Blizzard, APT44, Iridium, TeleBots, and Voodoo Bear. This group is associated with Russia’s military intelligence, the GRU.
Technical Analysis of PathWiper
PathWiper and HermeticWiper both corrupt the master boot record (MBR) and NTFS-related artifacts to render data unrecoverable, but they find their targets differently. PathWiper programmatically enumerates all connected drives and volumes, verifies each volume label, and keeps a list of the valid ones before wiping. HermeticWiper instead blindly iterates over physical drives \\.\PhysicalDrive0 through \\.\PhysicalDrive100. This difference in approach indicates adaptation and refinement in PathWiper's development rather than a straight copy of HermeticWiper.
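The two enumeration strategies described above are also two different things a defender can look for: a process that walks PhysicalDrive0, 1, 2, ... and mostly fails (HermeticWiper-style), versus a process that opens every mounted volume for write (PathWiper-style). The following is an added detection example written for this page; it is not code from the Cisco Talos report or from either malware family. It assumes a simplified, hypothetical handle-open event schema (`pid`, `image`, `target`, `access`, `success`) standing in for real EDR telemetry, and the sample events and thresholds are constructed for illustration.

```python
"""Flag raw disk / volume write patterns characteristic of MBR and NTFS wipers.

Added example, not from the Talos report or the malware. Event records use an
assumed, simplified schema; real EDR telemetry will differ in field names.
"""
import re
from collections import defaultdict

# Windows device paths as seen from user mode: \\.\PhysicalDrive<n> is the
# whole disk (where the MBR lives); \\.\<letter>: is a mounted volume (where
# NTFS metadata such as $MFT lives).
PHYSICAL_DRIVE_RE = re.compile(r"^\\\\\.\\PhysicalDrive(\d+)$", re.IGNORECASE)
VOLUME_RE = re.compile(r"^\\\\\.\\([A-Z]):$", re.IGNORECASE)


def classify_device(path):
    """Return ('physical', n), ('volume', 'C') or None for a non-device path."""
    m = PHYSICAL_DRIVE_RE.match(path)
    if m:
        return ("physical", int(m.group(1)))
    m = VOLUME_RE.match(path)
    if m:
        return ("volume", m.group(1).upper())
    return None


def wiper_indicators(events, min_volumes=2, min_physical=3):
    """Return {pid: {'image': ..., 'reasons': [...]}} for suspicious processes.

    events: iterable of dicts with keys pid, image, target, access ('read'/'write'),
            success (bool). Only write handles to raw devices are considered.
    Thresholds are assumptions chosen for the constructed sample below.
    """
    per_pid = defaultdict(lambda: {"image": None, "physical": set(),
                                   "physical_failed": 0, "volumes": set()})
    for ev in events:
        if ev["access"] != "write":
            continue
        dev = classify_device(ev["target"])
        if dev is None:
            continue
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        kind, ident = dev
        if kind == "physical":
            rec["physical"].add(ident)
            if not ev["success"]:
                rec["physical_failed"] += 1
        else:
            rec["volumes"].add(ident)

    findings = {}
    for pid, rec in per_pid.items():
        reasons = []
        # Any raw write handle to a physical disk from an ordinary process is notable.
        if rec["physical"]:
            reasons.append("raw write to PhysicalDrive "
                           + ",".join(str(n) for n in sorted(rec["physical"])))
        # HermeticWiper-style: tries many PhysicalDrive indices, most of which do not exist.
        if len(rec["physical"]) >= min_physical and rec["physical_failed"] > 0:
            reasons.append("sequential physical-drive enumeration with failures")
        # PathWiper-style: opens every mounted volume for write.
        if len(rec["volumes"]) >= min_volumes:
            reasons.append("write handles on multiple volumes "
                           + ",".join(sorted(rec["volumes"])))
        if reasons:
            findings[pid] = {"image": rec["image"], "reasons": reasons}
    return findings


# Constructed sample telemetry (not real logs; image names are made up).
SAMPLE_EVENTS = [
    {"pid": 4321, "image": "backup.exe", "target": r"\\.\PhysicalDrive0", "access": "read", "success": True},
    {"pid": 5000, "image": "svc_update.exe", "target": r"\\.\PhysicalDrive0", "access": "write", "success": True},
    {"pid": 5000, "image": "svc_update.exe", "target": r"\\.\PhysicalDrive1", "access": "write", "success": False},
    {"pid": 5000, "image": "svc_update.exe", "target": r"\\.\PhysicalDrive2", "access": "write", "success": False},
    {"pid": 6100, "image": "agent_helper.exe", "target": r"\\.\C:", "access": "write", "success": True},
    {"pid": 6100, "image": "agent_helper.exe", "target": r"\\.\D:", "access": "write", "success": True},
    {"pid": 6100, "image": "agent_helper.exe", "target": r"\\.\PhysicalDrive0", "access": "write", "success": True},
    {"pid": 7000, "image": "notepad.exe", "target": r"C:\Users\u\notes.txt", "access": "write", "success": True},
]

if __name__ == "__main__":
    for pid, f in wiper_indicators(SAMPLE_EVENTS).items():
        print(pid, f["image"], "; ".join(f["reasons"]))
```

On the sample, the backup tool's read-only disk access and the text editor's ordinary file write are ignored, while pid 5000 is flagged for the failing walk across PhysicalDrive indices and pid 6100 for write handles on every volume plus the disk. One caveat on sourcing this telemetry: Sysmon's RawAccessRead event (ID 9) records only raw reads via the \\.\ path, so catching the write handles a wiper needs requires EDR or kernel-level handle-open telemetry rather than Sysmon alone.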
In the PathWiper intrusion, the attackers abused a legitimate endpoint administration framework to issue malicious commands and deploy the wiper. The filenames and actions they used mimicked those of the utility's own console, disguising the activity as routine administration. Commands issued from the administrative tool's console were received by its client running on the targeted hosts, which is how the wiper was distributed and executed across them.
Implications and Response
The deployment of PathWiper signifies a continued and evolving cyber threat landscape for Ukraine. The use of wiper malware aims not only to disrupt operations but also to destroy data, making recovery challenging and time-consuming. This tactic aligns with the broader strategy of causing chaos and undermining the stability of critical infrastructure.
In response to these threats, Ukrainian organizations are urged to strengthen their cybersecurity measures: robust endpoint protection, timely patching, thorough network monitoring, and staff training in recognizing and responding to potential threats. Because this attack was delivered through a legitimate endpoint administration tool, the access controls, logging, and change approval around such consoles deserve particular attention; a compromised admin console is a ready-made deployment channel for a wiper. International cooperation and support also play a crucial role in bolstering Ukraine's cyber defenses against such sophisticated attacks.
Conclusion
The emergence of PathWiper as a new cyber weapon targeting Ukraine’s critical infrastructure underscores the persistent and evolving nature of cyber warfare in the region. As threat actors continue to develop and deploy sophisticated malware, it is imperative for organizations to remain vigilant, adopt comprehensive cybersecurity strategies, and foster international collaboration to mitigate the impact of these destructive cyber attacks.