New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack
Briefly

Recent findings from Cisco Talos reveal that a critical infrastructure entity in Ukraine suffered an attack involving a previously unknown data wiper malware termed PathWiper. The attack used a legitimate endpoint administration tool, which suggests that the attackers had prior access to its console. The activity appears linked to a Russia-aligned advanced persistent threat actor. PathWiper erases critical data from connected drives, demonstrating not only destructive intent but also the attackers' thorough understanding of the victim's operational environment.
The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, which was then used to issue malicious commands and deploy PathWiper.
Talos said the commands issued by the administrative tool’s console were received by its client running on the victim endpoints and then executed as a batch (BAT) file.
The attack is assessed to be the work of a Russia-nexus advanced persistent threat (APT) actor based on the tradecraft observed and the overlapping capabilities with destructive malware used in attacks against Ukraine.
Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise's environment.
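The summary describes a delivery chain in which a legitimate endpoint administration agent receives commands from its console and runs them as a batch (BAT) file on each victim host. The following is an added detection example, not code from Cisco Talos or The Hacker News: it scans process-creation events for cmd.exe launching a .bat file under the administration agent and alerts when the same batch file fans out to many hosts in a short window, which is the shape a fleet-wide wiper push would take. The agent executable name (endpoint_admin_agent.exe), the pipe-separated log format, the host names and every sample event are constructed placeholders, not indicators from the report.

```python
import re
from collections import defaultdict

# Assumption: executable name of the legitimate endpoint-administration agent.
# Placeholder only; substitute the agent actually deployed in your estate.
ADMIN_AGENT_IMAGE = "endpoint_admin_agent.exe"

# Constructed sample of process-creation events (Sysmon Event ID 1 style),
# one per line: timestamp|host|parent image|image|command line.
SAMPLE_EVENTS = r"""
2025-06-01T10:00:01Z|host01|C:\Program Files\Admin\endpoint_admin_agent.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Windows\Temp\update_task.bat
2025-06-01T10:00:02Z|host02|C:\Program Files\Admin\endpoint_admin_agent.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Windows\Temp\update_task.bat
2025-06-01T10:00:03Z|host03|C:\Program Files\Admin\endpoint_admin_agent.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Windows\Temp\update_task.bat
2025-06-01T10:05:00Z|host01|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
2025-06-01T10:06:00Z|host04|C:\Program Files\Admin\endpoint_admin_agent.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Windows\Temp\inventory.bat
""".strip()

# First whitespace-free token ending in .bat on the command line.
BAT_PATH = re.compile(r"(\S+\.bat)\b", re.IGNORECASE)


def parse_event(line):
    """Split one pipe-separated event into its fields (command line may contain '|')."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_agent_batch_launches(raw_events, agent_image=ADMIN_AGENT_IMAGE):
    """Return events where the admin agent spawned cmd.exe to run a .bat file."""
    hits = []
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        m = BAT_PATH.search(ev["cmdline"])
        if (basename(ev["parent"]) == agent_image.lower()
                and basename(ev["image"]) == "cmd.exe"
                and m):
            ev["bat"] = m.group(1).lower()  # normalise for grouping
            hits.append(ev)
    return hits


def batch_fanout(hits, min_hosts=3):
    """Group hits by batch file; keep those pushed to at least min_hosts hosts."""
    hosts_by_bat = defaultdict(set)
    for ev in hits:
        hosts_by_bat[ev["bat"]].add(ev["host"])
    return {bat: sorted(hosts) for bat, hosts in hosts_by_bat.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    launches = find_agent_batch_launches(SAMPLE_EVENTS)
    for bat, hosts in batch_fanout(launches).items():
        print(f"ALERT: {bat} pushed via admin agent to {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample, update_task.bat reaches three hosts and is reported, while the single-host inventory.bat and the interactive explorer.exe-spawned cmd.exe are ignored. In production the threshold and the agent name are the tuning points: legitimate administration jobs also fan out, so the alert is a trigger for reviewing what the console operator actually queued, not a verdict on its own.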
Read at The Hacker News