New PathWiper Malware Targets Ukraine’s Critical Infrastructure

A recently reported cyberattack has seen a new type of malware, dubbed PathWiper, employed against vital services in Ukraine. The incident was analyzed by cybersecurity experts at Cisco Talos, who have shared their insights with the broader security community.

Wiper malware, such as PathWiper, is specifically crafted to erase or corrupt data within computer systems. In this incident, attackers infiltrated a legitimate system responsible for managing computer networks. This level of access suggests that the criminals had intimate knowledge of the system, enabling them to deliver damaging commands and propagate the PathWiper malware throughout connected devices.

Cisco Talos noted that the filenames and actions used during the cyberattack closely mirrored those of the administrative utility’s console, indicating a sophisticated understanding of the console’s operations and its role within the targeted organization.

The malware operates by replacing critical components of a computer’s file system with random data. PathWiper systematically scans for all attached storage devices—ranging from hard drives to network drives—and overwrites their data. To evade detection, the attackers designed their actions to resemble routine operations of the network management tool.

Talos analysts suggest that this attack bears the hallmarks of a Russian-backed Advanced Persistent Threat (APT) actor. Their assessment is based on similarities to previous attacks employing comparable techniques, as well as the capabilities demonstrated by PathWiper, which have emerged in other assaults on Ukrainian organizations.

Comparative Analysis of Wiper Malware

PathWiper has notable similarities to another wiper malware, HermeticWiper, which also targeted Ukrainian entities in 2022. Both types of malware focus on damaging integral components of a computer’s storage, such as the Master Boot Record (MBR) and files associated with the New Technology File System (NTFS).

A distinct difference lies in the operational sophistication of PathWiper. This malware meticulously identifies connected drives—even those that are temporarily disconnected—verifying them prior to executing the wipe. In contrast, HermeticWiper employs a more straightforward approach, attempting to corrupt a broader range of physical drives without such selective targeting.
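The structures named above (the MBR partition table and the NTFS boot sector) are small, fixed layouts, so a defender can verify them directly. The following is an added example, not code from Cisco Talos or the article: it parses the first sector of a disk and the first sector of an NTFS volume from raw bytes and flags sectors that have been replaced with random data, as a wiper of this kind would leave them. The three sample sectors are constructed inline, and the 7.0 bits/byte entropy threshold is an assumed heuristic.

```python
import math
import random
import struct
from collections import Counter

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of both the MBR and the NTFS boot sector
NTFS_OEM_ID = b"NTFS    "      # OEM ID at offset 3 of an NTFS volume boot record (VBR)
WIPE_ENTROPY = 7.0             # assumed threshold, bits/byte; random fill scores ~7.6

def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte; zero fill scores 0, random fill near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_mbr(sector: bytes) -> dict:
    """Parse the partition table; 'intact' is False once the sector stops looking like an MBR."""
    parts = []
    for off in range(446, 510, 16):                 # four 16-byte partition entries
        e = sector[off:off + 16]
        if e[4]:                                    # non-zero type byte marks a used slot
            parts.append({"type": e[4], "start": struct.unpack_from("<I", e, 8)[0],
                          "sectors": struct.unpack_from("<I", e, 12)[0]})
    ent = shannon_entropy(sector)
    return {"intact": sector[510:] == BOOT_SIGNATURE and ent < WIPE_ENTROPY,
            "partitions": parts, "entropy": ent}

def check_ntfs_vbr(sector: bytes) -> dict:
    """Parse the NTFS boot-sector fields that are lost when the volume start is overwritten."""
    bps, spc = struct.unpack_from("<HB", sector, 11)   # bytes/sector, sectors/cluster
    ent = shannon_entropy(sector)
    sane = (sector[3:11] == NTFS_OEM_ID and sector[510:] == BOOT_SIGNATURE
            and bps in (512, 1024, 2048, 4096) and ent < WIPE_ENTROPY)
    return {"intact": sane, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "mft_cluster": struct.unpack_from("<Q", sector, 48)[0], "entropy": ent}

def constructed_samples() -> dict:
    """Constructed test sectors: an MBR with one NTFS partition, an NTFS VBR, a wiped sector."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    vbr = bytearray(SECTOR)
    vbr[0:3], vbr[3:11] = b"\xeb\x52\x90", NTFS_OEM_ID  # jump instruction + OEM ID
    struct.pack_into("<HB", vbr, 11, 512, 8)            # 512-byte sectors, 8 per cluster
    struct.pack_into("<Q", vbr, 48, 786432)             # $MFT begins at cluster 786432
    mbr[510:], vbr[510:] = BOOT_SIGNATURE, BOOT_SIGNATURE
    rng = random.Random(2024)                           # seeded so the sample is reproducible
    wiped = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    return {"mbr": bytes(mbr), "ntfs_vbr": bytes(vbr), "wiped": wiped}
```

Run against a forensic image, the same checks apply to the bytes read at offset 0 of the disk and at the start of each partition listed in the table.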

This attack underscores the ongoing risks to Ukraine’s critical infrastructure amid the continued conflict with Russia. Organizations are therefore strongly urged to implement robust security measures, including endpoint protection, email security, firewalls, and malware analysis. These security solutions play a vital role in detecting malicious activity, blocking harmful emails and websites, and enforcing multi-factor authentication so that access is restricted to authorized users only.
