PathWiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack


New Threats to Ukrainian Critical Infrastructure: The Emergence of PathWiper Malware

In a significant escalation in the ongoing cyber conflict, researchers from Cisco Talos have identified a new data-wiping malware named PathWiper that specifically targets critical infrastructure in Ukraine. This alarming discovery sheds light not only on the sophistication of the methods used in these attacks but also on their broader geopolitical implications.

Attack Methodology

The PathWiper attack was executed using a legitimate endpoint administration tool, suggesting that the attackers gained unauthorized access to an administrative console. This allowed them to issue malicious commands and deploy the malware across various endpoints. According to an analysis by Cisco Talos’ team, including researchers Jacob Finn, Dmytro Korzhevin, and Asheer Malhotra, the process began with commands issued via this administrative framework. These commands were then executed as BAT files on the targeted computers.

Execution Phase

The BAT file initiated a Visual Basic Script (VBScript) named "uacinstall.vbs," which was stored in the Windows TEMP folder. This script further dropped the main wiper binary, labeled "sha256sum.exe," in the same location and executed it. Talos noted that the choice of filenames and actions closely mirrored those normally employed by the administrative tool, indicating that the attackers had significant knowledge of the victim’s operational environment.
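The execution chain above (script host launching uacinstall.vbs from TEMP, then sha256sum.exe running from the same folder) is something a detection engineer can hunt for in process-creation telemetry. The following is an added example, not code from Cisco Talos or from the article; the "key=value" log format, the field names and the sample lines are constructed for illustration, and the two rule names are assumptions. It deliberately keeps a benign sha256sum.exe (from a Git installation, outside TEMP) in the sample so the rule shows it keys on the TEMP location, not on the filename alone.

```python
"""Added example (not from Cisco Talos or the article): flag the PathWiper
execution chain described above in constructed process-creation log lines."""
import ntpath
import re

# Constructed sample log lines; the "key=value" layout and the field names
# (parent, image, cmdline) are assumptions for this example, not a vendor format.
SAMPLE_LOGS = [
    "parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\wscript.exe "
    "cmdline=wscript.exe C:\\Windows\\TEMP\\uacinstall.vbs",
    "parent=C:\\Windows\\System32\\wscript.exe image=C:\\Windows\\TEMP\\sha256sum.exe "
    "cmdline=sha256sum.exe",
    # benign: a real sha256sum.exe shipped with Git, launched from Program Files
    "parent=C:\\Windows\\explorer.exe image=C:\\Program Files\\Git\\usr\\bin\\sha256sum.exe "
    "cmdline=sha256sum.exe file.iso",
    # benign: an administrative VBScript that is not in TEMP
    "parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\wscript.exe "
    "cmdline=wscript.exe C:\\Scripts\\inventory.vbs",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DROPPER_SCRIPT = "uacinstall.vbs"   # file name reported by Talos
WIPER_BINARY = "sha256sum.exe"      # file name reported by Talos


def parse_line(line):
    """Turn one 'key=value key=value ...' line into a dict (keys lower-cased)."""
    return {k.lower(): v for k, v in FIELD_RE.findall(line)}


def in_temp(path):
    """True if any directory component of a Windows path is TEMP or TMP."""
    parts = path.lower().split("\\")
    return any(p in ("temp", "tmp") for p in parts[:-1])


def script_argument(cmdline):
    """Return the script path passed to a script host (its first argument)."""
    tokens = cmdline.split(None, 1)
    return tokens[1].strip().strip('"') if len(tokens) > 1 else ""


def classify(event):
    """Return the name of the matched rule, or None for a benign event."""
    image = event.get("image", "")
    name = ntpath.basename(image).lower()
    if name in SCRIPT_HOSTS:
        script = script_argument(event.get("cmdline", ""))
        if ntpath.basename(script).lower() == DROPPER_SCRIPT and in_temp(script):
            return "pathwiper_dropper_script_in_temp"
    if name == WIPER_BINARY and in_temp(image):
        return "pathwiper_binary_in_temp"
    return None


def scan(lines):
    """Return a list of (rule, line) for every line that triggers a rule."""
    findings = []
    for line in lines:
        rule = classify(parse_line(line))
        if rule:
            findings.append((rule, line))
    return findings


if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOGS):
        print(rule, "<-", line)
```

Run as-is it reports the two malicious lines and stays silent on the two benign ones. In production the same logic belongs in the SIEM query language, and the location check matters more than the names: Talos observed that the attackers picked filenames that mimic the administration tool, so a name-only rule would both miss renamed samples and alert on legitimate copies.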

Data Destruction Capabilities

Once activated, PathWiper systematically enumerates all connected storage devices, including both physical and network drives. It then overwrites critical on-disk structures such as the Master Boot Record (MBR) and various NTFS artifacts with random bytes, rendering files irretrievable. This data destruction is comprehensive and includes essential system components such as the $MFT (Master File Table) and $LogFile, which are crucial for filesystem recovery.
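For an incident responder, the practical question after a wiper runs is whether a given disk image still has usable MBR and NTFS metadata or whether those regions were overwritten with random bytes as described above. The following offline triage script is an added example, not code from Cisco Talos or the article: it checks the two structural markers a responder can verify by hand (the 0x55AA signature in the last two bytes of an MBR sector and the ASCII "FILE" magic at the start of an NTFS file record) and measures Shannon entropy, since a region filled with random bytes shows near-maximal entropy where real boot code and metadata do not. The 6.0 bits-per-byte threshold and the sample sectors are constructed for illustration.

```python
"""Added example (not Cisco Talos code): offline triage of MBR sector and NTFS
file record images to spot overwrite-with-random-bytes damage of the kind the
article attributes to PathWiper."""
import math
import random

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR sector
MFT_RECORD_MAGIC = b"FILE"       # first four bytes of an NTFS file record
RANDOM_ENTROPY_THRESHOLD = 6.0   # assumption: bits/byte above which we call data random


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def mbr_signature_ok(sector):
    """True if the sector carries the 0x55AA boot signature at offset 510."""
    return len(sector) >= SECTOR and sector[510:512] == MBR_SIGNATURE


def mft_record_ok(record):
    """True if the record begins with the NTFS file record magic 'FILE'."""
    return record[:4] == MFT_RECORD_MAGIC


def triage(blob, kind):
    """Classify an image of an MBR sector (kind='mbr') or MFT record (kind='mft').

    Returns the structural check result, the entropy and a short verdict.
    High entropy wins over the structure check: random data can contain any
    two-byte signature by chance, but it cannot look like real boot code."""
    structure_ok = mbr_signature_ok(blob) if kind == "mbr" else mft_record_ok(blob)
    entropy = shannon_entropy(blob)
    if entropy >= RANDOM_ENTROPY_THRESHOLD:
        verdict = "high entropy: consistent with overwrite by random bytes"
    elif not structure_ok:
        verdict = "structure missing: corrupted or not a %s" % kind
    else:
        verdict = "intact"
    return {"structure_ok": structure_ok, "entropy": round(entropy, 2), "verdict": verdict}


# --- constructed samples standing in for real disk images ---
def sample_intact_mbr():
    """A mostly zero sector with a few constructed boot-code bytes and a valid signature."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x63\x90"
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def sample_intact_mft_record():
    """A zeroed 1024-byte record carrying only the 'FILE' magic."""
    record = bytearray(1024)
    record[0:4] = MFT_RECORD_MAGIC
    return bytes(record)


def sample_wiped(length, seed=2025):
    """Deterministic pseudo-random bytes representing a wiped region."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


if __name__ == "__main__":
    print("intact MBR :", triage(sample_intact_mbr(), "mbr"))
    print("wiped MBR  :", triage(sample_wiped(SECTOR), "mbr"))
    print("intact $MFT:", triage(sample_intact_mft_record(), "mft"))
    print("wiped $MFT :", triage(sample_wiped(1024), "mft"))
```

To use it on an acquired image, read the first 512 bytes of the disk for the MBR and 1024-byte records from the $MFT's data run for the file records, then pass each buffer to triage(). A verdict of "intact" only says the markers are present; a full parse of the partition table or the record's attribute list is the next step, and an intact $LogFile is still needed before any journal-based recovery is possible.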

Comparison with Other Malware

PathWiper shares some characteristics with previously identified wiper malware like HermeticWiper, linked to Russia’s military actions against Ukraine. While both malware types aim to corrupt critical disk structures, they differ in the specific methods of execution and data corruption tactics. The ongoing evolution of these malware variants illustrates the sustained threat to Ukraine’s critical infrastructure amid the protracted war.

New Threats from Silent Werewolf

Adding another layer to the threat landscape, Russian cybersecurity firm BI.ZONE recently uncovered campaigns from a cyber espionage group known as Silent Werewolf. These incursions targeted businesses in Moldova and Russia, suggesting a broader regional strategy. Using phishing emails containing ZIP file attachments, the attackers prompted victims to activate malicious payloads.

Technical Execution

The malware campaign involved several layers of deception. Initial emails contained a ZIP file with an LNK file designed to launch nested malicious archives. This process ultimately led to the execution of a rogue DLL that facilitated further malware downloads. BI.ZONE noted that the adversaries conduct checks on their targets, allowing them to adapt their payloads based on the system’s characteristics.

Pro-Ukrainian Hacktivist Threats

In a contrasting narrative, pro-Ukrainian hacktivist groups like BO Team have also intensified their operations against Russian entities. Identified by cybersecurity experts at Kaspersky, this group has targeted state-owned companies within sectors such as technology and telecommunications. Their methods include deploying known malware and employing advanced post-exploitation techniques.

Tactical Approaches

BO Team is characterized by its use of phishing techniques that introduce malware like DarkGate and BrockenDoor. Once inside the network, the group does not shy away from using data encryption and ransomware tactics to extort victims. They have a distinctive approach, often employing a wide range of malware to inflict maximum damage.

The group’s activity is not random; they have demonstrated a capacity for persistent network access and lateral movement using RDP and SSH protocols. This relentless approach places them among the more formidable threats in the ongoing cyber conflict.

Conclusion

The landscape of cyber warfare in the context of the Russia-Ukraine conflict is rapidly evolving, marked by sophisticated malware attacks targeting both critical infrastructure and private enterprises. As PathWiper and other threats like Silent Werewolf and BO Team continue to emerge, it is clear that the ramifications of these cyber operations extend far beyond the digital realm, impacting essential services and raising significant security concerns for the region. Each incident further underscores the importance of robust cybersecurity measures in mitigating the risk posed by these advanced persistent threats.
