Orangeworm Gang Stealing Healthcare Data Since 2015

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Healthcare trojan found on X-ray and MRI machines after three year campaign by Orangeworm gang, Symantec warns

Symantec has discovered a criminal gang has been actively targetting the healthcare sector and related industries over a three year period.

The gang, which Symantec is calling ‘Orangeworm’, utilises the Kwampirs backdoor and chooses “its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”

Symantec warned that the Kwampirs malware is remotely accessing medical equipment such as X-Rays and MRI machines, potentially putting people’s medical data at risk.

© Monika Wisniewska - Fotolia.com

Healthcare attack

Symantec said it had observed the group “installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.”

It said that Orangeworm had first been identified back in January 2015, and its known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry.

It believes the gang’s purpose is likely for corporate espionage, and is not a nation-state actor.

“According to Symantec telemetry, almost 40 percent of Orangeworm’s confirmed victim organisations operate within the healthcare industry,” said the security specialist. “The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear.”

Most of the victims are in the US (with 17 percent), but the victims span countries across the world. It is reported that 5 percent of Orangeworm’s global victims are based in the UK.

“We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare,” said Symantec. “Orangeworm’s secondary targets include Manufacturing, Information Technology, Agriculture, and Logistics.”

“While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organisations that provide support services to medical clinics, and logistical organizations that deliver healthcare products,” it said.

Symantec said that once Orangeworm has infiltrated a victim’s network, they deploy Trojan.Kwampirs backdoor Trojan that provides them with remote access to the compromised computer.

“Orangeworm likely uses this information to determine whether the system is used by a researcher or if the victim is a high-value target,” said Symantec. “Once Orangeworm determines that a potential victim is of interest, it proceeds to aggressively copy the backdoor across open network shares to infect other computers.”

“At this point, the attackers proceed to gather as much additional information about the victim’s network as possible, including any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer,” the firm said.

“While Orangeworm is known to have been active for at least several years, we do not believe that the group bears any hallmarks of a state-sponsored actor – it is likely the work of an individual or a small group of individuals,” said Symantec. “There are currently no technical or operational indicators to ascertain the origin of the group.”

Legacy kit

One expert expressed concern at Orangeworm’s access to patient data, and the issue of legacy systems that do not contain the latest cyber defences.

“Aside from the fact that Orangeworm is accessing extremely sensitive patient data, the most troubling part of this story is that the attack has been ongoing since January 2015,” commented Simon Townsend, CTO at Ivanti.

“That’s over three years that the malware has been successfully exploiting systems that are running on legacy and older operating systems,” he said. “The Centre for Internet Security releases cybersecurity controls regularly with thorough advice on how to defend against these sorts of attacks. Yet the ongoing proliferation of cybercrime that looks to exploit vulnerable technologies shows that these guidelines aren’t being wholly followed by many organisations.”

“Basic cybersecurity defences such as patching, application control, and removal of administrative privileges all help reduce risks like malware from executing on organisations’ environments in the first place,” said Townsend. “It is my hope that upcoming regulations such as the GDPR and NIS Directive, which encourage compliance with data privacy and cybersecurity laws by threatening organisations with immense fines, finally force us all to sit up and take note of the security threatscape. Many of the high profile attacks of the last year, the NotPetyas and WannaCrys, could have largely been fended off with back to basics cybersecurity controls.

Townsend pointed that while the NHS has recently signed a new agreement with Microsoft to upgrade all machines to Windows 10, it doesn’t mean that they need to take their foot of the gas when it comes to cybersecurity defences, Townsend cautioned.

Do you know all about security? Try our quiz!

Read also :