Data Loss Prevention (DLP) , Endpoint Security , Governance & Risk Management

Symantec: 'Orangeworm' Group Hits Healthcare Organizations

Custom Backdoor Lands on X-Ray and MRI Machines
Symantec: 'Orangeworm' Group Hits Healthcare Organizations
Source: Symantec

Large healthcare companies in the U.S., Europe and Asia are getting hit with a backdoor that comes from a long-observed group, which Symantec calls Orangeworm.

See Also: Real-World Strategies for Securing Remote Workforces and Data

Symantec says it has had an eye on the group for three years, but it had not publicly named it until Monday. Orangeworm appears to target its victims, infiltrating networks using some kind of vulnerabilities and then installing Kwampirs, a backdoor. The security firm has found the backdoor on X-ray and MRI machines.

"Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage," according to a blog post from the company's Security Response Attack Investigation Team. (See also: 'Orangeworm' Attacks Appear to Involve Espionage).

About 39 percent of the victims are healthcare organizations, but the remaining ones affected often have some link to that industry. Symantec says those organizations may be targeted to gain a foothold with the healthcare-related ones.

Symantec's breakdown of Orangeworm's victims. (Source: Symantec)

Some 17 percent of the victims are in the U.S. But last year, that scope expanded to other countries "due to the nature of the victims operating large international corporations," the company says.

Nick Savvides, Symantec's CTO for Australia and New Zealand, says the healthcare industry has been particularly vulnerable because networked equipment often lacks security software.

"Healthcare systems are like industrial control systems - they are very vulnerable," Savvides says. "I think this is just an example of why we need to change our approach to dealing with what is essentially critical infrastructure for humans."

Symantec's post comes as the U.S. Food and Drug Administration has released plans designed to enhance the security of medial devices. The Medical Device Safety Action Plan could encompass imposing regulations on medical devices manufacturers. The FDA is seeking more authority and funding from Congress (see FDA Proposes Action to Enhance Medical Device Cybersecurity).

There's also been a recent surge in breaches related to healthcare organizations. As of last week, 86 breaches affecting more than 1 million people this year have been reported on the Department of Health and Human Services' HIPAA Breach Reporting Tool website (see Health Data Breach Tally Spikes in Recent Weeks).

Spreads To Network Shares

The healthcare industry has proven to be a vulnerable target. The industry general has slow refresh cycles, and patching is complicated due to the use of legacy systems.

Hardware is often used for a decade or longer, and manufacturers may no longer support software updates after a few years. Savvides says some environments still use Microsoft's XP operating system or older ones and unpatched versions of Linux.

"That's what makes these things so juicy and tasty for an attacker," Savvides says.

Symantec didn't specify in the its blog post how Orangeworm initially compromises an organization's network. Savvides says the company suspects it may be over email, either through the distribution of malicious links or attachments.

But after the group gains access, it uses the Kwampirs backdoor to maintain access and exfiltrate information.

Kwampirs tries to avoid hash-based security checks by inserting a randomly generated string into its decrypted payload, Symantec writes. It also pulls information on network adapters, language settings and system versions.

"Orangeworm likely uses this information to determine whether the system is used by a researcher or if the victim is a high value target," the company writes.

The Kwampirs backdoor tries to spread itself across other network shares. That kind of propagation is still effective against older operating systems, such as XP.

Orangeworm has used the same command-and-control protocol since it kicked off, which Symantec says is an indication the group isn't too concerned about being discovered.

Motives Unclear

Symantec doesn't believe the group is sponsored by a nation-state, but is rather a small group of individuals. "There are currently no technical or operational indicators to ascertain the origin of the group," it says.

As far as the type of data it seeks, Symantec writes that it appears to have a penchant for machines that help patients "in completing consent forms for required procedures." But its exact motives are unclear.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.