Pro-Russia group hits Ukraine with fresh wiper malware
Briefly

A new wiper, PathWiper, has been used against a critical infrastructure organization in Ukraine, and Cisco Talos attributes it to a Russia-nexus APT group on the strength of tactical overlap with HermeticWiper, the wiper deployed against Ukrainian targets at the start of Russia's 2022 invasion. PathWiper is the more careful of the two: it enumerates the drives and volumes actually attached to the system and verifies them before destroying data, where HermeticWiper simply tried drive numbers in sequence. The attackers also already controlled the organization's endpoint administration system, which points to a degree of sophistication beyond dropping a wiper on a single host. Taken together, these details show Russia's destructive tactics against Ukraine's critical systems continuing to mature.
PathWiper programmatically identifies every connected drive and volume on the system, including dismounted ones, checks their volume labels to verify them, and records the valid ones before acting. HermeticWiper, by contrast, simply enumerated physical drives 0 through 100 and attempted to corrupt each one.
The attacker already had control of the critical infrastructure organization's endpoint administration system, which suggests a certain degree of sophistication.
Both PathWiper and HermeticWiper attempt to corrupt the master boot record (MBR) and NTFS-related on-disk structures, but the mechanisms they use to do so differ significantly.
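As a defender-side illustration of the two enumeration styles and the raw disk writes both wipers need for MBR and NTFS corruption, the following is an added example, not code from The Register or Cisco Talos. It flags any process that opens several distinct raw disk devices for write. It assumes a hypothetical endpoint sensor that logs each attempted open of a raw device object as a whitespace-separated line of timestamp, PID, image path, access mode and device path; that schema, the sample lines, the process names and the volume GUIDs are all constructed for this example. It also assumes that a wiper reaching dismounted volumes would address them through \\?\Volume{GUID} device paths, which the article does not state.

```python
"""Flag processes that open raw disk devices for write: added detection example.

Assumed input: one event per line, whitespace-separated:
    <timestamp> <pid> <image> <access> <device>
from a hypothetical endpoint sensor that logs every attempt to open a raw
device object, whether or not the open succeeds. The schema, the sample lines,
the process names and the volume GUIDs below are all constructed for this
example; none comes from the article or from Cisco Talos.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# \\.\PhysicalDriveN: whole-disk device. HermeticWiper walked indices 0..100
# and tried to corrupt each one, so a sensor that records attempted opens
# sees a burst of consecutive indices, most of them for disks that do not exist.
PHYSICAL_DRIVE_RE = re.compile(r"^\\\\\.\\PhysicalDrive(\d+)$", re.IGNORECASE)

# \\?\Volume{GUID}: volume device. This path works for volumes with no drive
# letter, which is the assumed way to reach the dismounted volumes PathWiper
# enumerates (an assumption of this example, not a claim from the article).
VOLUME_GUID_RE = re.compile(
    r"^\\\\\?\\Volume\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Event:
    ts: str
    pid: int
    image: str
    access: str   # READ or WRITE, normalised to upper case
    device: str


@dataclass(frozen=True)
class Alert:
    pid: int
    image: str
    pattern: str
    count: int    # distinct raw devices the process opened for write


def parse_events(lines):
    """Parse sensor lines; malformed lines are skipped rather than crashing the rule."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, pid, image, access, device = parts
        events.append(Event(ts, int(pid), image, access.upper(), device))
    return events


def detect(events, min_physical=2, min_volumes=3):
    """Return one Alert per (process, pattern) that exceeds the thresholds.

    Read-only raw access (backup or imaging agents) is ignored; the wiper signal
    is a single process opening several distinct raw devices for write.
    """
    per_pid = defaultdict(lambda: {"image": "", "physical": set(), "volumes": set()})
    for ev in events:
        if ev.access != "WRITE":
            continue
        m = PHYSICAL_DRIVE_RE.match(ev.device)
        if m:
            rec = per_pid[ev.pid]
            rec["physical"].add(int(m.group(1)))
        elif VOLUME_GUID_RE.match(ev.device):
            rec = per_pid[ev.pid]
            # normalise case and the optional trailing backslash so one volume counts once
            rec["volumes"].add(ev.device.lower().rstrip("\\"))
        else:
            continue
        rec["image"] = ev.image

    alerts = []
    for pid, rec in per_pid.items():
        if len(rec["physical"]) >= min_physical:
            alerts.append(Alert(pid, rec["image"], "raw_physical_drive_writes", len(rec["physical"])))
        if len(rec["volumes"]) >= min_volumes:
            alerts.append(Alert(pid, rec["image"], "multi_volume_writes", len(rec["volumes"])))
    return alerts


# Constructed sample telemetry: one benign reader, one HermeticWiper-style
# sweep of PhysicalDrive0..9 and one PathWiper-style write to four volumes.
SAMPLE_EVENTS = (
    [r"2025-06-05T09:00:01 4120 C:\Agents\backup.exe READ \\?\Volume{5f3c9b1e-0a4d-4f6e-9c2b-1d2e3f4a5b6c}"]
    + [rf"2025-06-05T09:05:{i:02d} 5566 C:\Users\Public\hw.exe WRITE \\.\PhysicalDrive{i}" for i in range(10)]
    + [
        r"2025-06-05T09:10:00 7001 C:\Windows\Temp\pw.exe WRITE \\?\Volume{a1b2c3d4-1111-4222-8333-444455556666}",
        r"2025-06-05T09:10:01 7001 C:\Windows\Temp\pw.exe WRITE \\?\Volume{a1b2c3d4-1111-4222-8333-444455556677}",
        r"2025-06-05T09:10:02 7001 C:\Windows\Temp\pw.exe WRITE \\?\Volume{a1b2c3d4-1111-4222-8333-444455556688}",
        r"2025-06-05T09:10:03 7001 C:\Windows\Temp\pw.exe WRITE \\?\Volume{a1b2c3d4-1111-4222-8333-444455556699}",
    ]
)

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On real telemetry the rule needs a bounded time window and an allowlist for legitimate disk tooling (partition managers, imaging agents); the thresholds above are illustrative and should be tuned to the environment. The read-only exemption is deliberate: backup software opens raw volumes routinely, but it does not need write access to them.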
Researchers at Cisco Talos are calling it PathWiper and attributed it to a Russia-nexus advanced persistent threat (APT) group, noting tactical similarities with previous pro-Russian operations.
Read at Theregister