Another data wiper found in Ukrainian critical infrastructure
Newly identified wiper malware has been used to attack a critical infrastructure facility in Ukraine, researchers said, attributing the incident to a Russian state-linked hacking group.
The malware, dubbed PathWiper, is designed to destroy data by overwriting files with random information, making recovery impossible. Cybersecurity firm Cisco Talos said the attackers had deep access to the victim’s internal systems and used administrative tools to mimic legitimate activity while deploying the malicious code.
The researchers did not disclose which Ukrainian infrastructure was affected or the extent of the damage.
PathWiper bears similarities to HermeticWiper, a destructive tool deployed against Ukrainian targets at the outset of Russia’s full-scale invasion in 2022. HermeticWiper, also known as FoxBlade, was attributed to Russia’s Sandworm hacking group and was used to disable systems at government agencies and critical services hours before Russian troops crossed the border.
Unlike HermeticWiper, which blindly scans for and destroys data across all drives, PathWiper operates more selectively — scanning and validating drives before executing the data-wiping process, researchers said. This precision may indicate that the attackers had detailed knowledge of the targeted environment.
The attack comes amid a broader shift in Russian cyber operations. In a recent report, Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) said Russian hackers have increasingly turned away from large-scale destructive attacks in favor of espionage campaigns and supply chain compromises.
Instead of directly attacking critical infrastructure, attackers are increasingly targeting the supply chain — compromising suppliers and developers of specialized software. This approach has allowed them to remain undetected while gaining access to critical systems through less secure third-party vendors, researchers said.
SSSCIP did not respond to a request for comment on the PathWiper attack.
Cisco Talos warned that the continued evolution of wiper malware reflects the persistent threat facing Ukraine’s infrastructure more than two years into the war.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.