
Hacker group attacking entire ecosystems of major healthcare providers

Chris Nerney, Contributing Writer

For the past three years a meticulous hacker group has been installing backdoor malware into the networks and equipment of large international companies within the healthcare sector, a major digital security firm reports.
While the attack group, dubbed Orangeworm, also has infiltrated other industries, 39 percent of its known victims operate within the healthcare sector, Symantec said Monday. These include healthcare providers, pharmaceuticals, healthcare IT vendors and equipment manufacturers that serve the healthcare industry.
“Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking,” Symantec said in a statement. “Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”
Though Orangeworm victims have been identified in 24 countries, the most by far (17 percent) have been in the U.S., followed by India and Saudi Arabia at 7 percent each.
Orangeworm was first identified in January 2015. Its modus operandi is to install a custom backdoor called Trojan.Kwampirs in the victim’s network, using social engineering and known vulnerabilities to gain entry. In the latter case, that means taking advantage of the legacy systems still deployed by many healthcare providers.
“Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares,” Symantec said. “While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP. This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry.”
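The statement above describes the propagation mechanism (a backdoor copying itself over network shares) but the article itself carries no indicators, so the following is an added illustration, not code from the article or from Symantec, of one defender-side check for that pattern. It assumes Windows Security events with ID 5145 (network share object access) have already been collected as dictionaries with the standard `ShareName`, `RelativeTargetName`, `AccessMask`, `IpAddress` and `Computer` fields; the sample records, the hostnames, the file name and the three-target threshold are all constructed for this example.

```python
"""Flag hosts that write executables to administrative shares on several peers.

Added illustration (not from the article or Symantec) of a check for the
share-copying propagation pattern described in the article. It assumes
Windows Security event 5145 records have been collected as dictionaries;
the sample records below are constructed and are not real telemetry.
"""
import re
from collections import defaultdict

# File types whose appearance on an admin share deserves a second look.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1")

# ADMIN$ and the hidden drive shares (C$, D$, ...) are the usual targets
# when something copies itself from machine to machine over SMB.
ADMIN_SHARE = re.compile(r"^(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)

# Bit 0x2 of the 5145 AccessMask is FILE_WRITE_DATA / FILE_ADD_FILE.
WRITE_BIT = 0x2

# Assumed threshold for this example; tune it to the environment.
DEFAULT_MIN_TARGETS = 3


def share_basename(share_name):
    """Strip the '\\\\*\\' prefix event 5145 places before the share name."""
    return share_name.rstrip("\\").rsplit("\\", 1)[-1]


def is_admin_share_exe_write(event):
    """True when the event records a write of an executable to an admin share."""
    if event.get("EventID") != 5145:
        return False
    if not ADMIN_SHARE.match(share_basename(event.get("ShareName", ""))):
        return False
    try:
        mask = int(event.get("AccessMask", "0x0"), 16)
    except ValueError:
        return False
    if not mask & WRITE_BIT:
        return False
    target = event.get("RelativeTargetName", "").lower()
    return target.endswith(EXECUTABLE_EXTENSIONS)


def suspicious_share_writers(events, min_targets=DEFAULT_MIN_TARGETS):
    """Map each source IP to the distinct computers it wrote executables to,
    keeping only sources that touched at least `min_targets` machines."""
    targets_by_source = defaultdict(set)
    for event in events:
        if is_admin_share_exe_write(event):
            targets_by_source[event["IpAddress"]].add(event["Computer"])
    return {
        src: sorted(hosts)
        for src, hosts in targets_by_source.items()
        if len(hosts) >= min_targets
    }


# Constructed sample records (not real data): one host fanning out to three
# imaging workstations, plus benign activity that must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "IMG-WS-01", "IpAddress": "10.0.5.21",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "System32\\svc_upd.exe",
     "AccessMask": "0x2"},
    {"EventID": 5145, "Computer": "IMG-WS-02", "IpAddress": "10.0.5.21",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "System32\\svc_upd.exe",
     "AccessMask": "0x2"},
    {"EventID": 5145, "Computer": "RAD-PC-07", "IpAddress": "10.0.5.21",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\System32\\svc_upd.exe",
     "AccessMask": "0x2"},
    # Read-only access to C$ from a backup host: write bit not set.
    {"EventID": 5145, "Computer": "IMG-WS-01", "IpAddress": "10.0.9.5",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\tech\\report.exe",
     "AccessMask": "0x1"},
    # Document written to an ordinary departmental share: not an admin share.
    {"EventID": 5145, "Computer": "FILESRV-01", "IpAddress": "10.0.5.40",
     "ShareName": "\\\\*\\Radiology", "RelativeTargetName": "consent\\form.docx",
     "AccessMask": "0x2"},
]

if __name__ == "__main__":
    for src, hosts in suspicious_share_writers(SAMPLE_EVENTS).items():
        print(f"{src} wrote executables to admin shares on {len(hosts)} hosts: "
              f"{', '.join(hosts)}")
```

On the constructed sample the check reports only 10.0.5.21, which wrote the same executable to ADMIN$ or C$ on three different machines; the read-only access and the document written to a departmental share fall through. Event 5145 must be enabled (Audit Detailed File Share) on the workstations for this data to exist, and on legacy hosts such as Windows XP it is not available at all, which is one reason the propagation method the statement describes remains effective there.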
The security company said the Kwampirs malware has been found on machines that had software installed for using and controlling imaging devices such as X-ray and MRI machines. Orangeworm also appears to be interested in machines that help patients complete consent forms for required procedures.
The exact motives and identity of Orangeworm are unclear, though Symantec said it doesn’t believe “the group bears any hallmarks of a state-sponsored actor—it is likely the work of an individual or a small group of individuals.”
Symantec has issued “indicators of compromise” for healthcare IT security professionals to help determine if their network has been attacked by Orangeworm.