According to Symantec, a recently identified threat group called Orangeworm has been launching targeted attacks on large healthcare companies in the United States. Orangeworm was first discovered in January 2015. It has been carrying out supply chain attacks in order to install backdoors on devices used by large healthcare firms. Attacked companies include healthcare providers, pharmaceutical firms, medical equipment manufacturers and IT solution providers.
Orangeworm has also attacked other industries, such as manufacturing, IT, agriculture and logistics. At first glance these companies do not fall under the category of healthcare. However, many of them were linked to healthcare companies: logistics companies deliver medical supplies, manufacturers make medical imaging devices, and IT firms act as service providers to healthcare companies.
Of all the confirmed Orangeworm attacks, 39% were on firms in the healthcare industry. The attacks appear to be highly targeted, and it can be safely said that the threat group carefully researched which companies to attack.
Symantec noted that the attacked companies were spread across different countries, but the U.S. accounted for the largest share, 17% of the total. The primary targets appear to be large firms operating internationally in the healthcare industry.
One common feature of the attacks is the type of device on which the backdoor was installed: medical imaging devices such as MRI and X-ray machines. Some attacks targeted the machines patients use to fill out consent forms for medical procedures. Once access to a machine is obtained, the attackers deploy the Kwampirs backdoor. The threat actors then collect various information about the device, including network shares, stored files and mapped drives. Eventually the Kwampirs backdoor is copied to other machines via network shares. The machines most vulnerable to this type of attack are those running Windows XP, as many imaging devices used in the healthcare industry do.
Symantec has not found any evidence suggesting the attack is nation-state sponsored; it is more likely that an individual or a small group of hackers is behind it. The motive is also unknown. Perhaps the attackers are installing the backdoor in preparation for attacking healthcare organizations or stealing patient data. Symantec suggests that the attacks on healthcare firms are related to corporate espionage.
One thing the attackers did not concern themselves with is how easily they could be detected: they used a noisy and easy-to-identify method to spread the backdoor laterally. They did, however, try to evade hash-based detection by inserting a random string into the middle of the decrypted payload before writing it to disk, so that copies of the payload do not share a file hash.
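As an added example (not from the Symantec report or this article), the following Python shows why an exact-hash indicator misses a payload padded the way described above, and how a sliding-window similarity check still flags it. The window size, the constructed sample bytes and the hashing scheme are assumptions for illustration, not details of Kwampirs.

```python
import hashlib
import random

WINDOW = 32  # bytes per sliding window; an assumption for this example


def sha256(data: bytes) -> str:
    """Exact file hash, the kind of value a simple IOC list carries."""
    return hashlib.sha256(data).hexdigest()


def exact_hash_match(known: bytes, suspect: bytes) -> bool:
    """Classic hash-based detection: only a byte-identical file matches."""
    return sha256(known) == sha256(suspect)


def window_hashes(data: bytes) -> set:
    """Hash every WINDOW-byte slice so that matching no longer depends on
    the absolute offset of a byte sequence within the file."""
    return {hashlib.blake2b(data[i:i + WINDOW], digest_size=8).digest()
            for i in range(len(data) - WINDOW + 1)}


def similarity(known: bytes, suspect: bytes) -> float:
    """Fraction of the known sample's windows that reappear in the suspect.
    Bytes spliced into the middle only invalidate the windows that straddle
    the insertion point; everything before and after still matches."""
    k = window_hashes(known)
    return len(k & window_hashes(suspect)) / len(k)


def insert_filler(data: bytes, filler: bytes) -> bytes:
    """Build a test variant: the same payload with filler spliced into the
    middle, mirroring the hash-evasion behaviour the article describes."""
    mid = len(data) // 2
    return data[:mid] + filler + data[mid:]


# Constructed stand-in bytes (seeded pseudo-random); no real malware is used.
_rng = random.Random(7)
KNOWN_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(2048))
VARIANT = insert_filler(KNOWN_SAMPLE, bytes(_rng.getrandbits(8) for _ in range(40)))
UNRELATED = bytes(_rng.getrandbits(8) for _ in range(2048))

if __name__ == "__main__":
    print("exact hash match:", exact_hash_match(KNOWN_SAMPLE, VARIANT))
    print("window similarity:", round(similarity(KNOWN_SAMPLE, VARIANT), 3))
    print("unrelated file:", round(similarity(KNOWN_SAMPLE, UNRELATED), 3))
```

With a 2048-byte sample and a 40-byte insertion, only the 31 windows spanning the original midpoint are lost, so the similarity stays above 0.98 while the SHA-256 values differ completely.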
Symantec uses Orangeworm indicators of compromise to check whether networks or machines are infected, and healthcare organizations are encouraged to use Symantec’s tool to analyze their own networks.