As reported by Symantec, there is a recently discovered threat group labeled as Orangeworm, which is initiating focused attacks on large healthcare organizations in the US. Orangeworm was discovered way back in January 2015. It’s been carrying out supply chain attacks to install backdoors on gadgets which big healthcare companies use. Attacked organizations consist of healthcare providers, pharmaceutical companies, manufacturers of medical equipment and IT solution suppliers.
Orangeworm has been targeting various industries including IT, manufacturing, agriculture and logistics. On the outset, it would appear that these establishments do not fall under the classification of healthcare. Nonetheless, most of the businesses were associated with healthcare organizations. For instance, logistics companies provide medical supplies, manufacturers make medical imaging equipment and IT companies work as service providers to healthcare organizations.
Of all the verified Orangeworm attacks, 39% were on companies serving the healthcare market. The attacks appear to be remarkably targeted. It could be safely said that the threat group diligently researched which organizations to strike. Symantec observed that the attacks were on firms from diverse countries, however there were more companies from the United States attacked comprising 17% of the total number. It would appear that the main targets were the big companies operating worldwide in the healthcare sector.
One prevalent feature of the Orangeworm attacks is the devices where they set up the backdoor – mostly medical imaging equipment such as MRI and X-ray machines. A number of attacks targeted equipment that patients utilize when completing consent forms for health-related procedures. When access to the equipment is gained, the attackers then use the Kwampirs backdoor. Various data on the equipment are gathered by the threat actors which include the network shares, saved files and mapped drives. Ultimately, the Kwampirs backdoor is duplicated on other devices via network shares. Devices that are most prone to this kind of attack are those running on Windows XP, including several imaging equipment utilized in the healthcare field.
There’s no evidence found by Symantec that indicate the attack is sponsored by a nation-state. Most likely, a person or a small group of cyber criminals is responsible for the attack. The reason behind the attacks is likewise not known. Possibly the attacker is setting up the backdoor as a preliminary for attacking or stealing individual data from healthcare companies. Symantec hints that the assaults on healthcare firms might be related to corporate espionage.
One mistake that the attackers failed to consider is the ease of being discovered. They utilized a fairly noisy and quick to identify approach to propagate the backdoor laterally. The attackers did attempt to stay away from hash-based detection by placing a random string in the center of the decrypted payload before getting written on the disk. Symantec utilizes Orangeworm indicators of compromise to check if the systems or devices are infected. Healthcare companies ought to use Symantec’s tool to assess their own systems.