New hacking group targeting healthcare infects MRI, X-ray machine

Orangeworm is targeting the sector and associated vendors for what Symantec researchers believe is to conduct espionage on the industry.
By Jessica Davis
01:13 PM
Share
healthcare MRI x-ray hacking cybersecurity

A new group of hackers is targeting systems tied to the global healthcare sector and has already infected computers used to control medical imaging devices, according to a new report from Symantec.

The group, which Symantec named Orangeworm, deployed customized malware called Kwampirs. The virus is targeting both healthcare providers and associated organizations and has been found in the wild on computers that support machines like MRIs and X-Rays.

Researchers also have seen the virus on devices patients use to fill out consent forms.

[Also: Citing WannaCry, lawmakers ask how to tackle medical device cybersecurity flaws]

The hackers gather as much information from the network of its victim as possible, such as configuration information, network shares and user groups, running system process and services, account policy information, accounts with admin access, a list of directories and files, and the like.

If the virus finds something in the system of value, Kwampirs will copy itself and proliferate across the network to infect other computers.

Researchers don’t think the hackers are attempting to steal patient data, as it doesn’t appear to be copying any of the data from the network. Rather, it’s likely the hackers are conducting some kind of espionage on the sector.

While the hacking group has been active since 2015, the latest onslaught of attacks is primarily focused on the healthcare sector. About 40 percent of its victims are actively in healthcare, but the rest of the targets are in some way connected to the sector.

For example, the majority of other impacted companies in the agriculture, logistics, IT and manufacturing sectors all provide services to the healthcare industry. According to researchers, it’s likely the hackers are using a supply-chain attack method, infecting a third-party vendor to penetrate the desired target.

What’s interesting is that while the group has been active for three years, researchers don’t know the location of the hackers. The attack method doesn’t have the hallmarks of a nation-state attacker, and researchers said it’s likely the work of a single hacker or small group.

But what’s concerning is that the hackers don’t seem to care whether they’re noticed on a system. Copying the virus over network shares is a bold tactic, as is use of command and control to establish a connection: Both are noisy attacks.

However, healthcare organizations shouldn’t take comfort in that fact. The hackers are bold because their methods are so effective.

“The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” the researchers explained.

Security leaders have long stressed that hackers would begin to target these weakened ports. 

And while Orangeworm is not the first to hone in on these vulnerabilities, it should serve as a reminder to healthcare organizations to routinely search and monitor for open ports and make sure these devices are segmented from the network.

Symantec also included a fact sheet to help organizations determine whether Orangeworm has compromised a network.

Healthcare Security Forum

The forum in San Francisco to focus on business-critical information healthcare security pros need June 11-12.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com