Fresh Strain Of Pro-Russian Wiper Flushes Ukrainian Critical Infrastructure
A new strain of wiper malware targeting Ukrainian infrastructure is being linked to pro-Russian hackers, in the latest sign of Moscow’s evolving cyber tactics.
An unspecified critical infrastructure entity in Ukraine was targeted by a never-before-seen wiper strain that researchers at Cisco Talos are calling PathWiper.
Talos said it attributed the attack to a Russia-nexus advanced persistent threat (APT) group, noting tactical similarities with previous pro-Russian operations.
It also said there were commonalities between PathWiper and HermeticWiper, one of the destructive malware strains used at the start of Russia’s invasion of Ukraine in 2022.
Those attacks using HermeticWiper were strongly attributed to Sandworm, a division within Russian intelligence.
Both PathWiper and HermeticWiper attempt to corrupt the master boot record and NTFS-related artifacts, but their corruption mechanisms differ significantly, Talos said.
“PathWiper programmatically identifies all connected, including dismounted, drives and volumes on the system, identifies volume labels for verification, and documents valid records.
“This differs from HermeticWiper’s simple process of enumerating physical drives from 0 to 100 and attempting to corrupt them.”
Talos said that by the time PathWiper was discovered, the attacker already had control of the critical infrastructure organization's endpoint administration system, which suggests a certain degree of sophistication.
The researchers didn’t detail the attack in much further depth than that, but with that level of access, PathWiper could have been deployed widely across the organization’s network, causing extensive destruction.
The malware would first enumerate the connected storage media on the endpoint, including the names of physical drives, volume names and paths, and network drive paths (shared and unshared).
“Once all the storage media information has been collected, PathWiper creates one thread per drive and volume for every path recorded and overwrites artifacts with randomly generated bytes,” said Talos.
“The wiper reads multiple file systems attributes, such as the following from New Technology File System (NTFS). PathWiper then overwrites the contents/data related to these artifacts directly on disk with random data.
“Before overwriting the contents of the artifacts, the wiper also attempts to dismount volumes using the ‘FSCTL_DISMOUNT_VOLUME IOCTL’ to the MountPointManager device object. PathWiper also destroys files on disk by overwriting them with randomized bytes.”
Before Russia’s invasion of Ukraine, seeing a wiper attack in the wild was a relatively rare occurrence – maybe one major incident in a bad year – but their use surged after the war broke out.
Researchers noted six new strains on the loose in the first quarter of 2022, with attacks causing wide-scale disruption beyond their intended targets, including German wind turbines.
The attacks were mainly targeting Ukrainian organizations – a key theme of Russia’s multi-modal war, which saw kinetic attacks on the ground supported by parallel cyberattacks.
However, telecoms biz Viasat was among the more notable victims of pro-Russian wiper attacks. Weeks after its modems were wiped, causing internet access to go down – an incident that was timed with the first days of Russia’s invasion – it confirmed the AcidRain wiper malware was used in the attack.
Wiper use was just one of the many ways in which Russia embraced technology to support its operations on the ground.
DDoS attacks on Ukrainian systems began ten days before the invasion. Wipers were used the day before, and later that day Russia’s psyops began. From texting Ukrainian soldiers directly with demands to surrender, to issuing fake alerts about ATMs failing to operate normally, and using deepfake tech to depict president Volodymyr Zelensky surrendering, Russia’s invasion wrote the new blueprint for beginning wartime in the 21st century.
More than three years later, Putin has still failed to achieve his goal of reintegrating Ukraine into Russian influence, although Russia now controls a fifth of the country’s territory.
Despite Zelensky’s efforts, and much to the Kremlin’s satisfaction, Ukraine has also failed to become a member of NATO – another step Putin sought to prevent with the war. ®