Orangeworm menaces healthcare computers


Plants Kwampirs backdoors.

Security vendor Symantec believes it has identified a hacking group that is planting remote access software on medical computers in order to steal information.

Dubbed Orangeworm by Symantec, the attackers have conducted supply chain attacks on healthcare providers, pharma companies, as well as IT solution providers and equipment makers for the medical sector, since January 2015.

Targets are chosen carefully, Symantec said, with attackers planting the Kwampirs backdoor on computers.

The computers targeted include ones that control X-ray and magnetic resonance imaging (MRI) machines, as well as systems that assist patients in completing consent forms for medical procedures.

Kwampirs is a persistent information stealer and backdoor that survives reboots of computers.

Symantec believes Orangeworm initially collects basic information about computers to determine if a high-value target has been compromised.

If a high-value target is found, Orangeworm uses Kwampirs to aggressively copy the backdoor to open network shares, so as to infect more computers.

This is an old-fashioned attack method that remains effective against Windows XP, Microsoft's out-of-support operating system that is still widely used in the healthcare sector.
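As an added example from the defender's side (this is not code from the article or from Symantec's research), the following Python heuristic flags the share-copying behaviour described above: a single host writing the same executable to several other hosts' network shares within a short window. The audit-log format, host names, share names and the filename are all constructed for this example and are not Orangeworm indicators.

```python
"""Heuristic for detecting one host spraying an executable across open
network shares. Added example with constructed data; no real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed share-write audit records (not real logs), one per line:
# timestamp|source_host|target_host|share|filename|action
# The filename below is made up for the example and is not a Kwampirs IoC.
SAMPLE_EVENTS = """\
2018-04-20T10:00:01|ws-ops-07|ws-rad-01|ADMIN$|svchost_update.exe|write
2018-04-20T10:00:04|ws-ops-07|ws-rad-02|ADMIN$|svchost_update.exe|write
2018-04-20T10:00:09|ws-ops-07|mri-ctl-01|C$|svchost_update.exe|write
2018-04-20T10:00:15|ws-ops-07|kiosk-03|ADMIN$|svchost_update.exe|write
2018-04-20T10:05:00|fs-01|ws-rad-01|public|report.pdf|write
2018-04-20T10:06:00|ws-ops-02|fs-01|public|notes.txt|write
2018-04-20T11:30:00|ws-ops-02|ws-rad-02|C$|setup.exe|write
"""

# File types whose mass copying to remote shares is worth an alert.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def parse_events(text):
    """Parse the pipe-separated records into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, share, fname, action = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "share": share,
            "fname": fname,
            "action": action,
        })
    return events


def find_share_spraying(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return one alert per (source host, filename) pair where an executable
    was written to at least `min_hosts` distinct target hosts within `window`.
    The alert reports the largest set of target hosts seen in any such window."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["action"] != "write":
            continue
        if not ev["fname"].lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        by_key[(ev["src"], ev["fname"].lower())].append(ev)

    alerts = []
    for (src, fname), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        # Sliding window over the time-sorted writes for this source/filename.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "src": src,
                    "fname": fname,
                    "hosts": sorted(hosts),
                    "first_seen": evs[start]["ts"].isoformat(),
                    "last_seen": evs[end]["ts"].isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_share_spraying(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['src']} wrote {alert['fname']} to {len(alert['hosts'])} hosts "
              f"between {alert['first_seen']} and {alert['last_seen']}: {alert['hosts']}")
```

In the sample data only ws-ops-07 trips the rule, because it writes the same executable to four different hosts' administrative shares within fifteen seconds; the ordinary document writes and the single setup.exe copy from ws-ops-02 stay below the threshold. In a real deployment the input would come from file-share or SMB audit events, and the threshold and window should be tuned against legitimate software-distribution traffic so that patch pushes do not page the on-call analyst.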

Orangeworm also tries to capture and exfiltrate as much information as possible from high-value targets and doesn't make a great deal of effort to avoid detection in the process.

Symantec did not identify who is behind Orangeworm, but said the indications are that the attacks are likely conducted by an individual or a small group of people rather than a nation-state actor.

Only a small set of victims was identified by Symantec in 2016 and 2017, most of them in the United States and Asia.

Smaller numbers of targets were found by Symantec telemetry in Europe, but so far no Orangeworm victims have been found in Australia and New Zealand.

Copyright © iTnews.com.au . All rights reserved.