Orangeworm Mounts Espionage Campaign Against Healthcare

A freshly minted attack group dubbed Orangeworm has been uncovered, deploying a custom backdoor in mostly healthcare-related environments. It’s bent on laser-focused, comprehensive corporate espionage, with a noisy attack vector that shows that it’s unlikely to be related to nation-state actors.

Researchers first spotted Orangeworm as an unusual binary in 2016; looking further, they discovered a unique backdoor with remote-access and malware-download capabilities. Symantec, which first identified Orangeworm, developed a unique signature to track it, and has found that, after a period of low activity, it emerged this year as an ongoing, active campaign affecting almost 100 organizations.

Researchers observed the group installing the backdoor within large international healthcare corporations in the United States, Europe and Asia (the US accounts for the largest number of victims, at 17 percent). Dubbed Kwampirs, the malware lurks in medical devices (including high-tech imaging gear such as X-ray devices and MRI machines); network shares and servers; and platforms that assist patients in completing consent forms for required procedures.

Interestingly, it also goes after the larger supply chain surrounding the end targets, including pharmaceutical companies, IT solution providers for healthcare and equipment manufacturers. It’s even set its sights on specialized organizations, such as a company that makes labels that go on prescription bottles.

“This group is clearly organized, with strong motivations and the capability for developing sophisticated malware,” said Jon DiMaggio, senior threat intelligence researcher at Symantec, in an interview. “What they do is clearly aimed at collecting information across the entire healthcare supply chain of their targets. You don’t really see that. What we’re seeing is corporate espionage, not for the sake of sabotage or destruction of equipment, and not for financial gain.”

The attackers cast a wide net and then choose high-value targets out of the sample – there’s nothing random or opportunistic about their efforts. From there, they “spend an immense amount of time trying to learn the ins and outs of the target’s systems, including seeking out directories, finding out what everything’s connected to, finding open shares,” explained DiMaggio. “This is speculation, but if they had source code or pirated technology, it would fit the story and would explain why they’re so interested in how things operate. But that’s just a theory.”

Kwampirs propagates using easily detected worm-like behavior: it replicates across unprotected network shares in old Windows networks, of which healthcare environments have an overabundance. Older systems like Windows XP are so common in healthcare environments that even new vertical-specific software is being written for XP by adversaries, thanks to its ease of use and install base, DiMaggio pointed out.
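The share-replicating spread described above is noisy, and one way a defender can surface it is to look for a single source reaching many hosts' shares in a short window. The following is an added example, not code from the article or from Symantec; it assumes a SIEM forwards Windows Security event 5140 ("A network share object was accessed") in a simplified one-line form whose field names are constructed for this example.

```python
"""Detect worm-like share fan-out: one source touching many hosts' shares in a
short window. Added example, not from the article. The input is a constructed,
simplified rendering of Windows Security event 5140; field names are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) eventid=5140 src=(?P<src>\S+) "
    r"share=(?P<share>\S+) user=(?P<user>\S+)$"
)

# Constructed sample: 10.20.5.17 reaches six hosts' shares inside four minutes
# (worm-like spread); 10.20.7.3 is a user opening one forms share twice.
SAMPLE_LOG = r"""
2018-04-23T09:00:01 host=IMG-XRAY01 eventid=5140 src=10.20.5.17 share=\\*\ADMIN$ user=CORP\svc-img
2018-04-23T09:00:09 host=IMG-MRI02 eventid=5140 src=10.20.5.17 share=\\*\ADMIN$ user=CORP\svc-img
2018-04-23T09:00:15 host=FS-CONSENT1 eventid=5140 src=10.20.5.17 share=\\*\C$ user=CORP\svc-img
2018-04-23T09:01:40 host=WS-NURSE07 eventid=5140 src=10.20.5.17 share=\\*\ADMIN$ user=CORP\svc-img
2018-04-23T09:02:02 host=WS-NURSE09 eventid=5140 src=10.20.5.17 share=\\*\ADMIN$ user=CORP\svc-img
2018-04-23T09:03:55 host=LAB-PC03 eventid=5140 src=10.20.5.17 share=\\*\C$ user=CORP\svc-img
2018-04-23T09:02:30 host=FS-CONSENT1 eventid=5140 src=10.20.7.3 share=\\*\Forms user=CORP\jdoe
2018-04-23T09:31:00 host=FS-CONSENT1 eventid=5140 src=10.20.7.3 share=\\*\Forms user=CORP\jdoe
"""

def parse_events(text):
    """Return (timestamp, src, host, share) tuples; non-matching lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["host"], m["share"]))
    return events

def find_share_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Map each source IP that touched >= min_hosts distinct hosts' shares within
    any span of length `window` to the set of hosts it reached in that span."""
    by_src = defaultdict(list)
    for ts, src, host, _share in events:
        by_src[src].append((ts, host))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological, so each start index opens one sliding window
        for i, (start, _) in enumerate(hits):
            hosts = {h for ts, h in hits[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = hosts
                break
    return alerts
```

Tune `window` and `min_hosts` to the site's normal backup and management traffic, and treat hits on administrative shares from non-administrative accounts as the higher-priority subset.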

The threat highlights the weak spots in the healthcare cyber-environment: outdated platforms such as the unsupported Windows XP, unpatched medical devices, and a lack of visibility and control over medical endpoints, servers and networks. In fact, according to a recent Deloitte & Touche poll, identifying and mitigating the risks of fielded and legacy connected devices represents healthcare’s biggest cybersecurity challenge (30.1 percent).

“Legacy operating systems will always be a rich attack surface for well-constructed viruses like Orangeworm,” Rod Schultz, chief product officer at Rubicon Labs, said via email. “These older systems have well-understood and, many times, documented flaws that are exploited by these viruses. The verticals being attacked seem to be a direct indicator of who is using this outdated technology. As long as there is something to be stolen from these devices, older operating systems executing in a modern environment will continue to encounter this type of profiteering and attacks.”

While the backdoor exfiltrates data as it aggressively moves across the network, a concern going forward is that it can also download additional malware.

“The situation could be so much worse; these guys have the capability to wipe hard drives or destroy equipment,” DiMaggio said. “The wake-up call in this is to take note of what happened today, so we’re not having a worse discussion tomorrow. Implementing basic security procedures like patching and network segmentation would prevent this threat with minimal work. And, the healthcare community as a whole needs to push their software vendors to consider security more so than ease-of-use.”