Security researchers at Symantec have discovered that a hacker group named Orangeworm has, since 2015, been deploying backdoors to carry out supply chain attacks on healthcare providers, pharmaceutical firms, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry.
The healthcare organisations, equipment manufacturers and pharmaceutical firms targeted by Orangeworm over the years are spread across the United States, Europe and Asia, though the bulk of affected firms are in the United States.
A detailed study by Symantec researchers revealed that while 39 percent of Orangeworm’s victims were healthcare organisations, 15 percent were manufacturers, another 15 percent were IT firms, 8 percent were logistics firms and another 8 percent were firms in the agriculture sector. The firm noted that although these latter sectors were Orangeworm’s secondary targets, they had multiple links to the healthcare industry.
Frequent use of Kwampirs backdoor
“The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures,” the firm noted.
The Kwampirs trojan, deployed regularly by Orangeworm, gives the attackers remote access to compromised computers; the code it writes at the time of infiltration is encrypted in order to evade hash-based detection technologies. It also collects information about the host computer, such as network adapter details, system version information and language settings. The attackers use this information to verify whether the victim is a high-value target or a machine used by a security researcher.
Even though the trojan propagates inside networks using an outdated method, copying itself over network shares, that method is still largely successful because much of the equipment and many of the IoT devices used by healthcare firms and hospitals still run older operating systems such as Windows XP.
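The propagation method described above leaves a recognisable footprint on the defender's side: one host writing executable files to administrative shares on several other machines. The following Python is an added illustration, not code from Symantec's report or from the article; the audit-log format and all host addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample share-access audit lines in a simplified, assumed format
# (not the output of any real product): time, source host, target host, share,
# file written or read, and the access type.
SAMPLE_LOG = r"""
2018-04-23T10:01:02 src=10.0.5.17 dst=10.0.5.40 share=ADMIN$ file=svchost.exe access=WriteData
2018-04-23T10:01:05 src=10.0.5.17 dst=10.0.5.41 share=ADMIN$ file=svchost.exe access=WriteData
2018-04-23T10:01:09 src=10.0.5.17 dst=10.0.5.42 share=C$ file=Windows\svchost.exe access=WriteData
2018-04-23T10:02:00 src=10.0.5.22 dst=10.0.5.40 share=Reports file=q1.xlsx access=WriteData
2018-04-23T10:03:11 src=10.0.5.23 dst=10.0.5.41 share=ADMIN$ file=agent.dll access=ReadData
2018-04-23T10:03:30 src=10.0.5.31 dst=10.0.5.42 share=C$ file=tools\patch.exe access=WriteData
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) share=(?P<share>\S+) "
    r"file=(?P<file>\S+) access=(?P<access>\S+)$"
)
ADMIN_SHARES = {"ADMIN$", "C$"}        # hidden administrative shares
EXEC_EXT = (".exe", ".dll", ".sys")     # file types worth flagging when copied


def parse_events(log):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_share_copy_fanout(log, min_hosts=2):
    """Return {source_host: [target_hosts]} for sources that wrote an executable
    to an administrative share on at least min_hosts distinct machines.
    A single admin-share copy (e.g. an administrator patching one box) is not
    reported; the fan-out across hosts is what distinguishes self-propagation."""
    targets = defaultdict(set)
    for ev in parse_events(log):
        if ev["access"] != "WriteData" or ev["share"].upper() not in ADMIN_SHARES:
            continue
        if not ev["file"].lower().endswith(EXEC_EXT):
            continue
        targets[ev["src"]].add(ev["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for src, dsts in find_share_copy_fanout(SAMPLE_LOG).items():
        print(f"{src} wrote executables to admin shares on {len(dsts)} hosts: {dsts}")
```

On the constructed sample, only 10.0.5.17 is reported; the single copy from 10.0.5.31 and the read-only access from 10.0.5.23 fall below the threshold.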
“The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” the researchers said.
“Healthcare devices are an enticing target for hackers, as they are not upgraded and monitored as aggressively as other components (such as desktops and laptops). Since the operating system of these devices possibly controls life-critical systems, it is finely tuned and not automatically updated.
“This situation makes it easy to break into outdated versions of the OS and remain permanently entrenched into the platform,” said Professor Giovanni Vigna, CTO and co-founder of Lastline.
Even though the bulk of Orangeworm’s victims are based in the United States, the researchers added that they found no evidence of the group being sponsored by any nation, and that it is more likely an individual or a small group of individuals.
Healthcare organisations are still vulnerable
In November last year, a survey by Infoblox revealed that despite the security risks, healthcare organisations in the UK were purchasing thousands of IoT devices and connected medical equipment, placing both enterprise data and sensitive patient records at risk of breach.
The survey noted that 37% of healthcare IT professionals from organisations with over 500 employees admitted to having over 5,000 devices on their network, 7% of such professionals did not know what operating systems their medical devices were running, and 15% did not know whether they could update these systems.
At the same time, it found that 20% of networks at healthcare organisations ran legacy operating systems like Windows XP, 23% of IT professionals were not confident in their organisation’s ability to respond to a cyber-attack, and 26% of healthcare organisations were willing to pay ransom to hackers.
In such a scenario, hacker groups such as Orangeworm can continue to thrive, still using old hacking tools and backdoors against healthcare organisations and allied industries without fear of getting caught or disbanded.