Security vendor Symantec has identified a new attack group it has named Orangeworm. The group is actively targeting the healthcare sector in the US, Europe and Asia.
Its attack aims to install a custom piece of malware called Trojan.Kwampirs, a backdoor that Symantec first identified back in August 2013. Kwampirs gives an attacker access to an infected computer and can also download additional malicious files.
Despite Symantec saying Orangeworm is a new attack group, it also claims to have spotted it as far back as January 2015. It is not clear if that version of the group disbanded or if this latest incarnation includes any of the original members.
The group targets the supply chain. This type of attack focuses on less secure organisations in order to gain access to larger companies. It is a proven attack mechanism and the UK NCSC recently warned of a similar set of attacks against UK CNI.
Orangeworm selecting its targets
Organisations targeted by Orangeworm are carefully selected, according to the Symantec blog. It has identified five main market sectors that are under attack. These are:
- 39% Healthcare
- 15% Manufacturing
- 15% Information technology
- 8% Logistics
- 8% Agriculture
The remaining 15% of attacks are currently listed by Symantec as Unknown. Given the focused approach of this group, that seems an unusually high share of attacks against unknown targets.
Looking at these targets, there are links from most of them to healthcare. Manufacturing covers medical equipment, a sector that has come under attack recently. It is also a sector that has significant challenges in cyber security terms. Multiple devices have been identified as being open to attack from hackers in the last 18 months. Interestingly, as part of this research, Symantec was able to identify X-Ray and MRI machines that were infected.
Hospital IT systems are also vulnerable. They hold detailed information about patients' medical, insurance and payment history. This means that patients can be blackmailed over medical conditions or subjected to fraud. The FBI has a dedicated Health Insurance Fraud team. Estimates for health care fraud in the US vary but the RAND Corporation puts it at around 10% of the $2.7 billion spent annually. In addition, shutting down hospital systems through a malware or ransomware attack has proven to be effective and lucrative.
Orangeworm aggressively targets the network
After a machine is infected, Orangeworm appears to do some user monitoring to determine additional infections. According to the blog: “Once Orangeworm determines that a potential victim is of interest, it proceeds to aggressively copy the backdoor across open network shares to infect other computers.”
Orangeworm aggressively scans the network to find any additional information on what is connected and what can be accessed. This makes a good case for having an air-gapped network for medical equipment. As these devices are the least likely to have endpoint protection, they need to be inaccessible from the primary network. X-Ray and MRI machines, however, provide digital imaging data that is essential to many healthcare facilities, which means they sit on the same network as everything else, so IT security teams need to consider alternative security approaches.
The command and control (C&C) server IP addresses are embedded in the malware. This is not unusual, but because these addresses are indicators of compromise, they are usually shut down quickly. In this case there seems to be no change to the C&C code and little evidence of the servers being successfully blocked.
This approach from the Orangeworm team is strange. As the blog authors say: “Both of these methods are considered particularly “noisy” and may indicate that Orangeworm is not overly concerned with being discovered. The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network.”
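The "noisy" behaviour described above, one host copying the same binary to many open network shares in quick succession, is something defenders can look for in share-access audit logs. The following is an added illustration, not code from Symantec or from the article: it runs a simple sliding-window check over constructed sample records (hostnames, file name and timestamps are all made up) and flags any source host that writes the same file name to several distinct targets within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like share-access audit events:
# timestamp | source host | target host | share | file written. Not real log data.
SAMPLE_EVENTS = [
    "2018-04-23T09:00:01|WS-12|SRV-A|ADMIN$|winupd.exe",
    "2018-04-23T09:00:04|WS-12|WS-07|C$|winupd.exe",
    "2018-04-23T09:00:09|WS-12|IMG-MRI1|ADMIN$|winupd.exe",
    "2018-04-23T09:00:15|WS-12|IMG-XRAY2|ADMIN$|winupd.exe",
    "2018-04-23T09:01:00|WS-03|SRV-A|Reports|q1.xlsx",   # ordinary single write
    "2018-04-23T11:30:00|WS-05|SRV-B|Public|notes.txt",
    "2018-04-23T14:00:00|WS-05|SRV-C|Public|notes.txt",  # same file, hours apart
]


def parse_event(line):
    """Split one record into (datetime, source, target, share, filename)."""
    ts, src, dst, share, fname = line.strip().split("|")
    return datetime.fromisoformat(ts), src, dst, share, fname


def find_share_spreaders(lines, window_s=300, min_hosts=3):
    """Return {(source, filename): sorted targets} for every source that wrote
    the same file name to at least `min_hosts` distinct targets within
    `window_s` seconds. Writes to the same target twice count once."""
    window = timedelta(seconds=window_s)
    writes = defaultdict(list)  # (src, fname) -> [(time, dst), ...]
    for line in lines:
        ts, src, dst, _share, fname = parse_event(line)
        writes[(src, fname)].append((ts, dst))
    hits = {}
    for key, entries in writes.items():
        entries.sort()
        start = 0
        for end in range(len(entries)):
            # Slide the left edge until the window spans at most `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            targets = {dst for _, dst in entries[start:end + 1]}
            if len(targets) >= min_hosts:
                hits[key] = sorted(set(hits.get(key, [])) | targets)
    return hits


if __name__ == "__main__":
    for (src, fname), targets in find_share_spreaders(SAMPLE_EVENTS).items():
        print(f"{src} pushed {fname} to {len(targets)} hosts: {', '.join(targets)}")
```

In a real deployment the records would come from Windows file-share auditing (event 5145) or an EDR, and the thresholds would be tuned so that legitimate software deployment tools do not trigger the rule.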
What does this mean?
Healthcare has and will continue to be a lucrative market for cyber attackers. There are multiple systems to attack and many have little to no effective protection. It makes for a complex environment to protect and secure.
Orangeworm is also attacking through the soft underbelly of the supply chain. This is an established attack vector and one that continues to be effective. Suppliers often lack the skills and money to fully secure all their networks. In addition, healthcare providers cannot afford the money or people to help secure every supplier in their supply chain.
All of this means that a report on malware attacking the healthcare supply chain comes as no surprise. What is a surprise is the brazen way that Orangeworm is operating. It is extremely aggressive in its information gathering and infection processes. It is also making no attempt to hide its attack or the connections to its C&C servers.
Importantly, Symantec also reports that this is a pure criminal enterprise. It can find no indicators that suggest this is a nation-state actor. It will be interesting to see if there is any follow-up to show that Symantec has been able to limit the impact of Orangeworm.