A new hacking group that primarily targets healthcare organizations on a worldwide basis has been identified by security researchers, and dubbed Orangeworm. Its name stems from the type of malware that it targets hospitals with, aimed at remotely accessing medical equipment such as MRI and X-ray machines. It also goes after machines that help patients complete consent forms for required procedures.
Cybersecurity firm Symantec says that Orangeworm has been active since at least January 2015, with the largest share of its victims (17%) based in the U.S.
While healthcare is the primary target, other related industries have also been targeted as part of a larger supply-chain attack. Symantec said other known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry. Symantec posits that the motivation is “likely for the purpose of corporate espionage”.
Sara Jost, Global Healthcare Industry Lead, BlackBerry, told DigitalHealth.net that the hacking group appeared to be selecting its targets “carefully and deliberately.”
She said, “From a criminal’s perspective, healthcare records are a golden goose. They contain all the information necessary for medical identity fraud, an extremely lucrative crime. And they sell for up to ten times the price of stolen credit card numbers on the black market.”
The group uses the Kwampirs Trojan to access IT systems. It has been observed installing the backdoor Trojan within large international corporations in the healthcare space before gathering information on its host.
Kwampirs employs a relatively aggressive means of propagating itself once inside a network: it copies itself over network shares. This method is fairly old, but it is likely still viable in environments that run older operating systems such as Windows XP, and the healthcare industry often runs legacy systems on exactly such platforms.
Once a machine is infected, the malware cycles through a long list of command and control (C&C) servers embedded within itself. The list is extensive, but not all of the C&Cs are active. Although the malware alters a small part of itself each time it copies itself across the network, as a way of avoiding detection, the operators have not attempted to modify the C&C communication protocol since its inception.
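Because Kwampirs changes a small part of itself on each copy, matching file hashes is a weak control; the spreading behaviour itself is a steadier signal. The following added example (not code from the article or from Symantec) flags any host that writes executables to the shares of several distinct peers within a short window. The log line format is a constructed, simplified rendering of share-access events and is an assumption; real SMB audit logs need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified share-access log format (assumption, not a real vendor format).
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) share=(?P<share>\S+) "
    r"path=(?P<path>\S+) op=(?P<op>\S+)"
)
EXEC_SUFFIXES = (".exe", ".dll")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_share_spreaders(lines, min_targets=3, window=timedelta(minutes=10)):
    """Return {src: sorted targets} for sources that wrote executables to the
    shares of at least `min_targets` distinct hosts within `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst)] for executable writes only
    for line in lines:
        rec = parse(line)
        if not rec or rec["op"] != "write":
            continue
        if not rec["path"].lower().endswith(EXEC_SUFFIXES):
            continue
        events[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window from each write
            targets = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


SAMPLE_LOG = [  # constructed sample lines: one spreader, one benign file-server user
    "2018-04-18T09:00:01 src=WS-07 dst=MRI-02 share=C$ path=\\Windows\\svc.exe op=write",
    "2018-04-18T09:00:05 src=WS-07 dst=XRAY-01 share=C$ path=\\Windows\\svc.exe op=write",
    "2018-04-18T09:00:09 src=WS-07 dst=KIOSK-04 share=ADMIN$ path=\\svc.exe op=write",
    "2018-04-18T09:01:00 src=WS-12 dst=FILESRV share=docs path=\\report.pdf op=write",
    "2018-04-18T09:01:10 src=WS-12 dst=FILESRV share=docs path=\\notes.docx op=read",
]

if __name__ == "__main__":
    print(find_share_spreaders(SAMPLE_LOG))  # {'WS-07': ['KIOSK-04', 'MRI-02', 'XRAY-01']}
```

Tune `min_targets` and `window` to the site's normal software-deployment traffic, and exclude known deployment servers, so that legitimate pushes of installers do not trip the rule.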
According to Symantec, these methods are considered “noisy” approach strategies that “may indicate that Orangeworm is not overly concerned with being discovered”. The researchers added, “The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network.”
Orangeworm is not suspected of being a state-sponsored actor, but rather the work of an individual or small group. Researchers have not been able to find identifying technical or operational signs that might suggest the group’s origin.