Russian ‘PathWiper’ malware targets Ukraine’s critical infrastructure



Cisco Talos researchers have uncovered yet another destructive attack on critical infrastructure in Ukraine. This time, it involves a previously unknown data-wiping malware they’ve dubbed “PathWiper” – and it’s got all the hallmarks of Russian involvement.

Attackers managed to hijack an endpoint administration framework – the very tools meant to keep systems secure – and turned it against its owners. According to Talos, these cyber assailants likely gained access to an administrative console before using it to deploy their destructive payload across connected systems.

Cisco Talos attributed the attack to a Russian-linked advanced persistent threat group with “high confidence” – security-speak for being almost certain. The tactics align perfectly with previous Russian cyberattacks targeting Ukraine’s critical infrastructure and its private organisations since the invasion began.

Wolf in admin clothing

What makes this attack devious is how the attackers deployed their malware. Rather than using obvious malicious techniques, they sent commands through the already-compromised administrative console—commands that would look relatively normal to anyone monitoring network traffic.

The attack choreography was meticulously planned. First came a malicious VBScript file called ‘uacinstall.vbs’, pushed through the administrative tool. When executed, this script deployed the actual PathWiper executable, deceptively named ‘sha256sum.exe’ to blend in with legitimate system utilities.

Perhaps most concerning is that the attackers knew their way around the victim’s systems. They deliberately mimicked legitimate filenames and actions typically used by the administration utility. This suggests they’d been lurking in the network for some time, watching and learning before launching their attack.

PathWiper isn’t subtle about its intentions. Once activated, it systematically destroys everything in its path, replacing critical file system components with random gibberish data. The end result? Completely unusable systems.

First, it builds a comprehensive catalogue of every storage device connected to the infected computer, including physical drives, network shares, and even previously disconnected network locations. Nothing escapes its attention.

Then the real destruction begins. PathWiper creates separate processing threads for each identified storage device and targets essential file system structures. It’s particularly thorough with NTFS components, overwriting the Master Boot Record, Master File Table, log files, and other vital system bits with random bytes.

Before executing this digital vandalism, PathWiper attempts to dismount volumes using specialised system calls—a technique that helps it bypass certain protections and maximise damage. The thoroughness makes recovery virtually impossible without pristine backups stored well away from the affected network.
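The deployment chain described above (an administrative tool pushing a VBScript, which in turn starts a wiper executable named after a common utility) is something defenders can look for in process-creation telemetry. The following is an added example, not code from Talos or from the article: a small detector run over constructed process events. The event fields loosely mirror Sysmon Event ID 1; every path, PID and directory below is a placeholder I chose for the example, and the only details taken from the article are the filenames uacinstall.vbs and sha256sum.exe and the script-host to executable sequence.

```python
from __future__ import annotations
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Utility names a wiper might borrow to blend in. sha256sum.exe comes from the
# article; the others are assumed look-alikes to show the rule generalises.
LOOKALIKE_UTILS = {"sha256sum.exe", "md5sum.exe", "certutil.exe"}
# Directories where a legitimately installed utility is expected (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the started process
    parent_image: str  # full path of the parent process
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_wiper_chain(events: list[ProcEvent]) -> list[str]:
    """Return one alert per executable that (a) borrows a common utility name,
    (b) was started by a script host that ran a .vbs file, and (c) lives
    outside the trusted directories. Events must be in chronological order."""
    alerts: list[str] = []
    script_runs: dict[int, str] = {}  # pid of script host -> its command line
    for ev in events:
        img = _basename(ev.image)
        if img in SCRIPT_HOSTS and ".vbs" in ev.cmdline.lower():
            script_runs[ev.pid] = ev.cmdline
        elif img in LOOKALIKE_UTILS and ev.ppid in script_runs:
            if not ev.image.lower().startswith(TRUSTED_DIRS):
                alerts.append(f"pid {ev.pid}: {img} from untrusted path {ev.image} "
                              f"spawned by script host running {script_runs[ev.ppid]}")
    return alerts


# Constructed sample telemetry: an admin agent runs the VBScript, the script
# drops the look-alike wiper; the last event is a benign sha256sum from Git.
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Program Files\AdminTool\agent.exe",
              r"C:\Windows\System32\services.exe", "agent.exe --run-task"),
    ProcEvent(101, 100, r"C:\Windows\System32\wscript.exe",
              r"C:\Program Files\AdminTool\agent.exe",
              r'wscript.exe "C:\ProgramData\AdminTool\tasks\uacinstall.vbs"'),
    ProcEvent(102, 101, r"C:\ProgramData\AdminTool\tasks\sha256sum.exe",
              r"C:\Windows\System32\wscript.exe", "sha256sum.exe"),
    ProcEvent(103, 50, r"C:\Program Files\Git\usr\bin\sha256sum.exe",
              r"C:\Program Files\Git\git-bash.exe", "sha256sum.exe setup.iso"),
]

if __name__ == "__main__":
    for line in detect_wiper_chain(SAMPLE_EVENTS):
        print(line)
```

Only the chain rooted at pid 101 is reported; the Git-bundled sha256sum.exe is ignored because its parent is not a script host.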

PathWiper and HermeticWiper: A malware family resemblance

Security researchers at Cisco Talos noted similarities between PathWiper and another destructive malware variant, HermeticWiper, which wreaked havoc on Ukraine’s critical infrastructure and private organisations in 2022.

HermeticWiper (also known as FoxBlade or NEARMISS) has been linked to Russia’s notorious Sandworm hacking group by various security firms. Both malware strains attempt to corrupt the same critical system components, suggesting either shared development resources or inspiration.

But PathWiper represents an evolution in sophistication. While HermeticWiper bluntly tries to corrupt drives by simply counting from 0 to 100, PathWiper takes a more intelligent approach by identifying all connected drives (including hidden ones), verifying volume labels, and carefully documenting valid targets before launching its attack.

The digital front continues

Russian-backed hackers show no signs of abandoning the cyber front. PathWiper’s discovery underscores the relentless digital threat facing critical infrastructure in Ukraine more than three years into Russia’s invasion.

For Ukrainian organisations – particularly those managing critical services like energy, water and telecoms – the message is clear: maintain vigilance, implement robust backup procedures, and segment networks to limit the spread of such attacks.

The broader implication for organisations worldwide is equally sobering. Critical infrastructure remains firmly in attackers’ crosshairs, with state-backed groups continuously refining their digital weapons.

The cyber battlefield continues to evolve, with each new malware variant revealing something about the future of digital conflict. PathWiper may be today’s concern, but tomorrow will inevitably bring new challenges as this digital arms race continues.

(Photo by Leonhard Niederwimmer)

