A new attack group - Orangeworm - targeting the healthcare sector and related industries has been spotted by security researchers from Symantec.
Malware infections have even been spotted on high-tech imaging devices such as X-ray and MRI machines.
The group has been spotted installing a custom backdoor called Trojan.Kwampirs in large international corporations that operate within the healthcare sector in the United States, Europe, and Asia. Not satisfied with targeted attacks on healthcare providers themselves, the group has also been conducting a wider supply-chain attack in order to reach its intended victims, infiltrating pharmaceutical companies, IT solution providers for healthcare, and equipment manufacturers that serve the healthcare industry. Even so, almost 40 percent of Orangeworm's confirmed victims operate within the healthcare industry itself.
Alan Neville, threat researcher, Symantec, told SC Media UK: “The careful and deliberate targeting by Orangeworm suggests that the group may be somewhat well organised, interested in specific information. The fact we don't observe any ‘collateral’ infections suggests the group have conducted some amount of planning in order to gain a foothold into organisations of interest. Once Orangeworm gains a foothold into an organisation, it attempts to spread itself to any available machine by copying itself across network shares as a means to remain active within the infected network. By indiscriminately copying itself to any available machine, it's more likely to be noticed by security teams within affected organisations and thus is considered ‘noisy’.”
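The “noisy” behaviour Neville describes, one host writing the same executable to shares on many other machines in a short window, is exactly what a security team can alert on. The following detection logic is an added example and is not from Symantec's report or the article; the log format, the ADMIN$/C$ share names and the threshold are assumptions, and the log lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines loosely modelled on Windows Security event 5145 (network share
# object access). Field layout and values are assumptions for this example.
SAMPLE_LOG = [
    r"2018-04-20T10:00:01 5145 src=10.0.5.17 share=\\WS-101\ADMIN$ path=svchost.exe access=WriteData",
    r"2018-04-20T10:00:03 5145 src=10.0.5.17 share=\\WS-102\ADMIN$ path=svchost.exe access=WriteData",
    r"2018-04-20T10:00:04 5145 src=10.0.5.17 share=\\WS-103\C$ path=svchost.exe access=WriteData",
    r"2018-04-20T10:00:09 5145 src=10.0.5.17 share=\\WS-104\ADMIN$ path=svchost.exe access=WriteData",
    r"2018-04-20T10:00:20 5145 src=10.0.5.40 share=\\FS-01\C$ path=patch.exe access=WriteData",
    r"2018-04-20T10:00:21 5145 src=10.0.5.40 share=\\WS-110\ADMIN$ path=report.txt access=WriteData",
    r"2018-04-20T10:00:22 5145 src=10.0.5.40 share=\\WS-111\ADMIN$ path=tool.exe access=ReadData",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) 5145 src=(?P<src>\S+) share=\\\\(?P<host>[^\\]+)\\(?P<share>\S+) "
    r"path=(?P<path>\S+) access=(?P<access>\S+)$"
)
ADMIN_SHARES = {"ADMIN$", "C$"}        # hidden administrative shares (assumed targets)
EXEC_EXT = (".exe", ".dll")            # file types worth alerting on when dropped remotely

def parse(line):
    """Return the parsed event as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def fan_out_alerts(lines, window=timedelta(minutes=10), threshold=3):
    """Map each source host that wrote an executable to the admin share of at
    least `threshold` distinct hosts within `window` to the sorted list of those hosts."""
    writes = defaultdict(list)         # src -> [(timestamp, target host)]
    for line in lines:
        ev = parse(line)
        if not ev or ev["access"] != "WriteData":
            continue
        if ev["share"].upper() not in ADMIN_SHARES or not ev["path"].lower().endswith(EXEC_EXT):
            continue
        writes[ev["src"]].append((ev["ts"], ev["host"]))
    alerts = {}
    for src, events in writes.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window over each start time
            hosts = {host for ts, host in events[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts[src] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for src, hosts in fan_out_alerts(SAMPLE_LOG).items():
        print(f"ALERT: {src} wrote executables to admin shares on {len(hosts)} hosts: {hosts}")
```

Tune the window and threshold to the normal fan-out of legitimate software deployment in the environment, and exclude known deployment servers, so that the rule catches indiscriminate self-copying rather than routine patching.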
The researchers believe that the ultimate aim of Orangeworm is corporate espionage, pointing out that the X-ray and MRI machine infections did not appear to be accessing or copying image files, but more focussed on the inner workings of the devices. Orangeworm was also spotted - somewhat ominously - investigating machines used to assist patients in completing consent forms for required procedures.
Javvad Malik, security advocate, AlienVault, told SC Media UK: “There is an element of shared responsibility that healthcare organisations need to accept with regard to connected medical devices. Even if a manufacturer implements adequate security controls, the healthcare organisation will likely still need to ensure it remains secure in their environment. Additionally, healthcare organisations should ask the question of manufacturers around security, requiring them to provide evidence of secure manufacturing processes and independent third-party testing of security. Along with these steps, it is vital that healthcare organisations have adequate monitoring controls in place to detect when a device is inappropriately accessed.”
A full list of Orangeworm IOCs can be found here: https://content.connect.symantec.com/sites/default/files/2018-04/Orangeworm%20IOCs.pdf