New hacker group Orangeworm found targeting healthcare sector, medical devices for corporate espionage

Researchers have discovered a new hacker group named Orangeworm found targeting X-ray machines and magnetic resonance machines in the healthcare sector for espionage. This unknown group of hackers was identified by Symantec. Symantec researchers said the attackers use a custom backdoor trojan called Kwampirs that allows them to remotely access a machine and spread across a local network.

The attack has been leveraged against the systems of large international corporations in the US, Europe and Asia for espionage purposes, Symantec said. Nearly 40% of the targeted victim organizations involved the healthcare industry including healthcare providers, IT solution providers and medical equipment manufacturers and pharmaceutical firms.

"Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack," Symantec noted. The attackers tended to collect patient data from software installed for use and control of high-tech imaging devices such as X-Ray and MRI machines.

"Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear," they added.

Once Orangeworm infiltrates a targeted victim's network, they deploy the Kwampirs malware to give them remote access to the infected computer. After Kwampirs is executed, it extracts a copy of its main DLL payload from its resource section and inserts a randomly generated string into the middle of the decrypted payload to avoid has-based detection. It also creates a service to make sure the main payload is loaded into system memory upon reboot. The malware cycles through a large list of command and control (C&C) servers and copies itself across the network to avoid discovery.

Researchers said the backdoor also collects information about the infected computer such as basic network adapter information, system version information and language settings likely to to determine if the system is used by a researcher or high-value target.

"Once Orangeworm determines that a potential victim is of interest, it proceeds to aggressively copy the backdoor across open network shares to infect other computers," Symantec said. "At this point, the attackers proceed to gather as much additional information about the victim’s network as possible, including any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer."

Researchers believe Kwampirs uses aggressive means to collect system information from the infected system and spread itself via copies across the network. Although this method is considered old, it could still pose as a serious threat to computers running Windows XP. Indicators of compromise containing the samples of the dropper hashes, C&C servers, payload and file paths were released by Symantec in a separate document.

Jon DiMaggio, a security researcher at Symantec has encouraged businesses to patch legacy systems when possible and split corporate networks into smaller, securer sub-networks through network segmentation to protect themselves from such attacks in the future.