April 26, 2018 | By Panagiotis Kintis
For the past few years, an attack group dubbed "Orangeworm" has been deploying malware that targets the healthcare sector around the world. According to Symantec, the group has been targeting organizations as part of a broader supply-chain attack against the healthcare industry. Once a network has been infiltrated, a trojan named Kwampirs is used to collect information about the compromised hosts. If a host is of interest to Orangeworm, the malware then copies itself to other hosts on the same network, trying to gain access to as many systems as possible. Notably, the malware was identified on computers that control medical imaging equipment, such as X-ray and MRI machines, and on terminals used by patients.
IISP Analyst Panagiotis Kintis: "The highly targeted nature of the attack shows that adversaries are not only using sophisticated techniques to facilitate Advanced Persistent Threats (APTs) against one -- or a few -- targets, but they have started focusing their efforts on broader sectors. This time, we see a group attacking an entire industry on three different continents and trying to take control of computer systems that operate highly sophisticated medical equipment. The healthcare sector is part of the critical infrastructure, and compromises can be devastating.
While we have seen attacks focusing on the critical infrastructure before, they have been limited to a few businesses within one or more sectors. The novelty of Orangeworm's operation demonstrates that even broader attacks can be rendered against arbitrary targets to affect an entire industry. Moreover, according to Symantec's assumption of a supply-chain targeting model, we might be witnessing adversaries who are determined to maximize their damage across a sector.
This is one of the few cases where even a small attack against a sector like healthcare can have disastrous outcomes for individuals, even when they do not operate a computer. Computer terminals used by patients at hospitals can leak private information, including medical records and insurance or banking information. This can easily lead to insurance and banking fraud, even identity theft. Unfortunately, such attacks can grow even worse: X-ray and MRI machines that are rendered unusable can result in the loss of lives when the equipment is critical for patient care. One can argue that backup and contingency plans should be, or are, in place. However, as long as computer systems are involved in the way healthcare professionals perform, there is always a potential for failure. We saw that Orangeworm made sure to take control of as many systems as possible within a network.
Advanced threats and attacks, like the one described, need to be identified and mitigated as soon as possible. At this point we are talking about the possibility of losing human lives. If a small group of hackers can render such attacks, I cannot imagine what a state-sponsored actor could potentially do."
For further reading
- Symantec: https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
- The Register (UK): https://www.theregister.co.uk/2018/04/24/orangeworm_medical_malware/
- Daily Mail (UK): http://www.dailymail.co.uk/sciencetech/article-5652197/Hackers-target-hospital-X-ray-MRI-machines-Orangeworm-global-malware-attack.html
- Threatpost: https://threatpost.com/orangeworm-mounts-espionage-campaign-against-healthcare/131381/