A newly discovered wiper malware named PathWiper has been used in a destructive cyberattack that seriously impacted a critical infrastructure facility in Ukraine. According to researchers at Cisco Talos, the malware was not delivered through a conventional intrusion chain but through the organization's own legitimate endpoint management system. That implies the attackers had already obtained administrator-level access to the management console, which let them push malicious commands that looked like routine administrative operations. Those commands launched a script that dropped and executed the destructive PathWiper binary on multiple systems across the network.

Once running, PathWiper enumerates every storage volume it can find, including physical disks, logical drives, and network shares, even ones that are not currently active. It relies on Windows system calls and registry lookups to locate and map each attached storage unit. It then spawns a separate thread for each discovered volume and overwrites key file system structures with randomly generated data. Targets include the Master Boot Record (MBR), the NTFS Master File Table ($MFT), and the NTFS transaction journal ($LogFile). Before writing, the malware attempts to dismount each volume; dismounting releases the file system's hold on the volume so that the raw overwrite is less likely to be blocked, which raises the likelihood that the damage takes effect.

Security analysts note that PathWiper is more refined than earlier wipers deployed against Ukraine, such as HermeticWiper, which was used in 2022. Where HermeticWiper overwrote a wide range of drives indiscriminately, PathWiper first validates that each drive and volume it has enumerated actually exists and is valid before it begins the overwrite, which makes the destruction more reliable and precise. Based on the tactics, code behavior, and delivery method, Cisco Talos attributes the attack to a Russia-linked advanced persistent threat (APT) group, citing overlaps with earlier operations by Russian state-sponsored actors, in particular the Sandworm group.

This incident is another chapter in the ongoing cyber conflict between Russia and Ukraine, with attackers becoming more deliberate and stealthy. It also illustrates the danger of trusted IT tooling being turned into a sabotage channel: a management console that can run commands on every endpoint is, from the attacker's point of view, a ready-made deployment system. To reduce exposure, organizations should enforce strict access controls on management consoles, audit administrator activity and pushed jobs regularly, segment networks so that a single console cannot reach every host, and tune endpoint monitoring to flag unusual behavior such as script interpreters launched by the management agent or processes opening raw volume handles for write access. Secure, offline backups remain essential for restoring service after a wipe like this one.
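As an added example (not code from the original article or from Cisco Talos), the following Python sketch shows how the two behaviours described above, a management agent launching a script host and a single process dismounting and then opening several volumes for raw write in quick succession, can be turned into detection logic over endpoint telemetry. The telemetry schema, the agent name mgmtagent.exe, the event names and every sample record are assumptions constructed for illustration.

```python
"""Behavioural detection for wiper-style raw volume access and for script
hosts launched by an endpoint-management agent.

Added example; not code from Cisco Talos or the original article. It assumes a
hypothetical endpoint telemetry feed where each record is a dict with the
fields ts (epoch seconds), pid, image, parent_image, event and target, and
three event kinds: "process_create", "dismount" (a dismount request against a
volume) and "raw_open_write" (a handle to a volume or physical disk device
path opened with write access). The agent name "mgmtagent.exe" and every
record in SAMPLE_RECORDS are constructed for illustration.
"""
from collections import defaultdict
import re

# Matches \\.\C: style volume device paths and \\.\PhysicalDrive0 style disks.
RAW_TARGET = re.compile(r"^\\\\\.\\(?:PhysicalDrive\d+|[A-Za-z]:)$")
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def _rec(ts, pid, image, parent, event, target):
    return {"ts": ts, "pid": pid, "image": image, "parent_image": parent,
            "event": event, "target": target}


# Constructed sample: a management agent pushes a batch script, the child
# wiper process dismounts and opens several volumes for write within seconds,
# and much later a benign tool opens a single volume.
SAMPLE_RECORDS = [
    _rec(100.0, 4100, "cmd.exe", "mgmtagent.exe", "process_create", "cmd.exe /c run.bat"),
    _rec(101.0, 4242, "wiper.exe", "cmd.exe", "process_create", "wiper.exe"),
    _rec(102.0, 4242, "wiper.exe", "cmd.exe", "dismount", r"\\.\C:"),
    _rec(102.5, 4242, "wiper.exe", "cmd.exe", "raw_open_write", r"\\.\C:"),
    _rec(103.0, 4242, "wiper.exe", "cmd.exe", "dismount", r"\\.\D:"),
    _rec(103.5, 4242, "wiper.exe", "cmd.exe", "raw_open_write", r"\\.\D:"),
    _rec(104.0, 4242, "wiper.exe", "cmd.exe", "raw_open_write", r"\\.\PhysicalDrive0"),
    _rec(500.0, 5100, "defrag.exe", "svchost.exe", "raw_open_write", r"\\.\C:"),
]


def detect_wiper_activity(records, window=30.0, min_volumes=2):
    """Flag any process that opens at least `min_volumes` distinct raw volumes
    or disks for write within `window` seconds; a one-thread-per-volume wiper
    produces exactly this burst. Dismount requests by the same process are
    attached as supporting evidence. Returns alert dicts ordered by pid."""
    per_pid = defaultdict(list)
    for r in records:
        if r["event"] in ("raw_open_write", "dismount") and RAW_TARGET.match(r["target"]):
            per_pid[r["pid"]].append(r)

    alerts = []
    for pid, events in sorted(per_pid.items()):
        writes = sorted((r for r in events if r["event"] == "raw_open_write"),
                        key=lambda r: r["ts"])
        # Largest set of distinct targets written within any `window`-second span.
        best = set()
        for i, first in enumerate(writes):
            span = {r["target"].upper() for r in writes[i:]
                    if r["ts"] - first["ts"] <= window}
            if len(span) > len(best):
                best = span
        if len(best) >= min_volumes:
            dismounted = sorted({r["target"].upper() for r in events
                                 if r["event"] == "dismount"})
            alerts.append({"pid": pid, "image": events[0]["image"],
                           "volumes": sorted(best), "dismounted": dismounted})
    return alerts


def flag_management_spawned_scripts(records, management_agents):
    """Return process_create records where an endpoint-management agent is the
    direct parent of a script host. A legitimate console push looks the same,
    so treat these as an audit trail to reconcile against approved change
    windows rather than as proof of compromise."""
    agents = {a.lower() for a in management_agents}
    return [r for r in records
            if r["event"] == "process_create"
            and r["parent_image"].lower() in agents
            and r["image"].lower() in SCRIPT_HOSTS]


if __name__ == "__main__":
    for alert in detect_wiper_activity(SAMPLE_RECORDS):
        print("wiper-like raw volume writes:", alert)
    for r in flag_management_spawned_scripts(SAMPLE_RECORDS, {"mgmtagent.exe"}):
        print("management agent launched a script host:", r["target"])
```

The volume-write rule keys on the burst pattern rather than on any file hash, so it does not depend on recognising a particular sample; the second rule is deliberately noisy and is meant to be reconciled against the management console's own job history, since an attacker who holds console access will produce the same parent-child chain as a legitimate administrator.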

The discovery of PathWiper is a clear warning to both public and private sectors: even legitimate internal systems can be hijacked and weaponized if proper security controls are not in place. As threats continue to evolve and target vital services, proactive defense is no longer optional; it is essential.

Stay informed. Stay secure.

—Cybersecurity88 Editorial Team
