Previously slithering beneath the radar of security researchers, newly identified hacker group Orangeworm has surfaced as a problem for the healthcare sector. Symantec Telemetry noted that the group has infected only a small number of victims. It largely goes after healthcare more than any other industry, with the majority of its victims (17%) located in the US.
The hacker group has been targeting organizations across several industries since 2015, though it is deliberate and methodic in choosing their victims. According to Symantec, almost 40% of their victims are comprised of healthcare providers, pharmaceuticals, IT solution providers for healthcare and healthcare industry equipment manufacturers.
In addition to companies in the US, several organizations throughout Europe have been targeted, with the largest (5%) numbers in the UK and Hungary. Saudi Arabia, India and the Philippines have reported higher rates of victims, yet the location of 10% of those attacked remains unknown.
Once the group gained access to the victim's environment, the attackers executed a range of commands that allowed them to gather a wide range of information. Commands include displaying recently contacted addresses per available network interface, system version information, IP address configuration information for any available network interfaces and account policy and network configuration information.
They then deployed a backdoor Trojan that installed Kwampirs malware. Symantec wrote, "The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear."
Though an older method, Kwampirs aggressively self-propagates, which has proven to be a viable attack method on legacy systems, common across the healthcare industry. It's interesting to note that copying itself over network shares and cycling through the extensive command-and-control (C&C) servers are what Symantec considers noisy, suggesting that Orangeworm wasn't really worried about being detected.
"Symantec says it does not have any information that could help determine the threat group’s origins, but the company believes Orangeworm is likely conducting corporate espionage," Security Week reported.
After analyzing the attacks over the last several years that Orangeworm has been active, Symantec believes that this is either an individual or a small group, not a state-sponsored actor.