Orangeworm: Hospitals worldwide warned of ‘aggressive’ malware
- 30 April 2018
Security researchers have identified a new hacking group that has been targeting healthcare organisations worldwide.
Dubbed Orangeworm, the group has been observed targeting hospitals with malware that it uses to remotely access medical equipment such as X-ray and MRI machines.
According to Symantec, Orangeworm has been active since at least January 2015, with the largest share of its victims (17%) in the US. The group gains access to IT systems using the Kwampirs trojan, which installs a custom backdoor on its target systems before collecting information about its host.
As well as high-tech medical equipment, the trojan has also been observed targeting machines “used to assist patients in completing consent forms for required procedures,” Symantec said.
Healthcare appears to be the main target of the group’s attacks, comprising 39% of Orangeworm’s victims, but organisations in manufacturing (15%), IT (15%) and logistics (8%) are also being infected.
The UK accounts for 5% of Orangeworm’s global victims.
Sara Jost, Global Healthcare Industry Lead, BlackBerry, said that the hacking group appeared to be selecting its targets “carefully and deliberately.”
She said: “From a criminal’s perspective, healthcare records are a golden goose. They contain all the information necessary for medical identity fraud, an extremely lucrative crime. And they sell for up to ten times the price of stolen credit card numbers on the black market.”
The group’s motives remain unclear, and it doesn’t appear particularly concerned about being caught, either.
According to Symantec, Orangeworm employs a particularly “noisy” attack that can be easily detected.
However, Symantec noted that this type of attack could still be effective within healthcare environments that rely on outdated IT systems.
“Kwampirs uses a fairly aggressive means to propagate itself once inside a victim’s network by copying itself over network shares,” said Symantec.
“While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP.
“This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry.”
A reliance on old computer software was identified as one of the primary contributors to WannaCry’s impact on the NHS in 2017, which affected at least 81 of the 236 trusts across England.
“This vulnerability, along with the high value of the data on offer, is what makes the healthcare industry so appealing to cyber-criminals,” said Jost.
“Healthcare security still lags well behind other industries. It is easier for a criminal to lift medical data from several small clinics than it is to steal money from a bank, for example.
“Given the potential for a much greater payoff, it isn’t difficult to see why so many criminals have hospitals and clinics in their crosshairs.”
While outdated IT platforms proved instrumental in allowing WannaCry to propagate, the importance of embracing a more security-aware culture has also been stressed by many within the NHS.
“The heart of healthcare’s cyber security woes can be traced to a single cause – the men and women who run healthcare organisations are clinicians, not IT professionals,” said Jost.
The NHS received flak from the Public Accounts Committee in April for its lack of action in putting the lessons learnt from WannaCry into practice.