Security researchers can’t explain how and why malware has infected computers that control MRI and X-ray machines at countless healthcare organizations across the world.
All infections, with a backdoor trojan named Kwampirs, have been linked to a newly discovered hacker group named Orangeworm.
Orangeworm targets the healthcare sector
The group has been active since January 2015, and security researchers say the group has infected a large number of organizations across the world.
Around 40% of the victims are companies operating in the healthcare sector. Researchers say that the rest of the targets, despite not operating in the medical sector, have ties to healthcare organizations.
For example, Orangeworm infected the networks of companies in the logistics, agriculture, manufacturing, and IT services sectors, but the vast majority of these companies provided services to healthcare organizations.
Researchers believe attackers attempted a supply-chain attack by infecting a service provider in order to penetrate the networks of the desired healthcare organization.
Orangeworm is not a nation-state APT
Investigators said Orangeworm doesn’t fit the profile or use the tactics, techniques, and procedures (TTPs) of a classic nation-state advanced persistent threat (APT), although it is still considered an APT.
The prevailing theory is that Orangeworm is a lone hacker or a group of hackers looking to steal patient information from healthcare organizations and sell it on black markets. Patient records stored at healthcare organizations are known to be much more complete than the type of user data stored at financial institutions or any other company.
According to researchers, the attackers were never concerned about being discovered, using lateral movement methods that are considered antiquated and “noisy.”
Despite this, it took researchers a full three years to identify and disclose the group’s attacks. Investigators believe that a major factor in the group keeping its operations under the radar is the fact that most healthcare organizations use old computers, most of which are rarely updated, don’t usually run antivirus software, and hence are easy to hack.
Attackers used the same malware for each attack
According to experts, the Orangeworm group carried out attacks in a similar pattern. They infected one computer, then spread to others, infecting each with Kwampirs, a tool that granted them remote access to each infected host.
Attackers spread Kwampirs indiscriminately to as many systems as possible, which could also explain why computers used to control medical devices, such as MRI and X-ray machines, were also infected. Researchers believe the group used Kwampirs to search for the data they wanted.
According to a detailed report about the group’s operations, the Orangeworm group made no effort to update the malware since its first attacks, showing either a humongous level of carelessness or extreme confidence that they would never get caught.