A cyber attack group dubbed Orangeworm has been observed deploying a custom backdoor trojan named Kwampirs within large international organisations, researchers at Symantec have discovered. The targeted organisations include healthcare providers, pharmaceutical firms, IT service providers for healthcare and equipment manufacturers that serve the healthcare industry. The group appears to choose its targets carefully and deliberately, planning thoroughly before launching an attack, Symantec said. Security researchers can’t explain how and why malware has infected computers that control MRI and X-ray machines at countless healthcare organisations across the world.
Orangeworm is believed to have been active since January 2015. Around 40% of the victims are companies operating in the healthcare sector, followed by manufacturing and IT (15% each) and logistics and agriculture (8% each). These industries may appear to be unrelated, but the researchers said they have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly to healthcare firms, IT organisations that provide support services to medical clinics and logistical organisations that deliver healthcare products. Researchers believe the attackers attempted a supply-chain attack, infecting a service provider in order to penetrate the networks of the desired healthcare organisation.
According to experts, the Orangeworm group carried out its attacks in a similar pattern. They infected one computer, then spread to others, infecting each with Kwampirs, a tool that granted them remote access to each infected host. The attackers spread Kwampirs indiscriminately to as many systems as possible, which could also explain why computers used to control medical devices, such as MRI and X-ray machines, were infected. Researchers believe the group used Kwampirs to search for the data they wanted. The largest number of Orangeworm’s victims are located in the United States, accounting for 17% of the infection rate by region.