
Orangeworm cyber attack group targets health sector

A cyber crime group is targeting the health sector and related industries in the US, Europe and Asia in a suspected corporate espionage campaign, researchers warn

A cyber attack group dubbed Orangeworm has been observed deploying a custom backdoor known as Trojan.Kwampirs within large international organisations, researchers at Symantec have discovered.

The targeted organisations include healthcare providers, pharmaceutical firms, IT service providers for healthcare, and equipment manufacturers that serve the healthcare industry.

The group appears to choose its targets carefully and deliberately, carrying out careful planning before launching an attack, Symantec said.

The researchers found the Kwampirs malware on medical devices such as X-ray and MRI machines as well as machines used to help patients complete consent forms for required procedures.

However, the researchers found no evidence to suggest the attackers were copying any images from the devices, leading them to conclude that the purpose of the activity is possibly cyber espionage to learn more about how the machines work.

Orangeworm is believed to have been active since January 2015, conducting targeted attacks against organisations in healthcare-related industries as part of a larger supply chain attack to carry out espionage against their intended victims, although researchers say the exact motive is unclear.

According to Symantec telemetry, almost 40% of Orangeworm’s confirmed victim organisations operate in the healthcare industry, followed by manufacturing and IT (15% each), and logistics and agriculture (8% each).

These industries may appear to be unrelated, but the researchers said they have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly to healthcare firms, IT organisations that provide support services to medical clinics, and logistical organisations that deliver healthcare products.

The largest number of Orangeworm’s victims are in the US (17%), followed by Saudi Arabia and India (7% each), the UK, Philippines and Hungary (5% each), and about 20 countries accounting for 2% of attacks each, while 10% of attacks have not been connected to any particular country.


Once Orangeworm has infiltrated a victim’s network, the researchers said the group deploys Trojan.Kwampirs, a backdoor Trojan that gives the attackers remote access to the compromised computer.

When executed, Kwampirs decrypts and extracts a copy of its main payload. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.

To ensure persistence, Kwampirs creates a service called WmiApSrvEx to ensure the main payload is loaded into memory upon system reboot.

The backdoor Trojan also collects basic information about the compromised computer, including some basic network adapter information, system version information, and language settings.

At this point, the attackers gather as much additional information about the victim’s network as possible, including any information about recently accessed computers, network adapter information, available network shares, mapped drives, and files on the compromised computer.

Kwampirs uses a “fairly aggressive” means to propagate itself once inside a victim’s network by copying itself over network shares, the researchers said, adding that although this method is considered old, it may still be viable for environments that run older operating systems, such as Windows XP.

This method is likely to have proved effective within the healthcare industry, which is more likely to run legacy systems on older platforms designed for the medical community, said the researchers.

Giovanni Vigna, CTO and co-founder of Lastline, said healthcare devices are an enticing target for hackers because they are typically not upgraded and monitored as aggressively as other components, such as desktops and laptops.

“Since the operating system of these devices possibly controls life-critical systems, it is finely tuned and not automatically updated,” he said. “This situation makes it easy to break into outdated versions of the OS and remain permanently entrenched into the platform.”


The researchers also found that the malware cycles through a large list of command and control (C&C) servers embedded within the malware. Although the list is extensive, the researchers said not all the C&Cs are active, so the malware continues to beacon until a successful connection is established, leading them to classify Kwampirs as a “polymorphic worm”.

Despite modifying a small part of itself while copying itself across the network as a way to evade detection, the operators have made no effort to change the C&C communication protocol since its first inception, the researchers said.
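As an added illustration (not from the Symantec research or the article), the Python sketch below shows why the splice described above defeats a file-hash blocklist while a signature on the bytes the splice leaves intact, such as the unchanged C&C protocol strings, still matches; the payload bytes, marker names and hash list are constructed placeholders, not real Kwampirs artefacts.

```python
import hashlib
import os

# Constructed stand-in for a payload (no real Kwampirs bytes): fixed header and
# footer, a fixed protocol marker, and padding in the middle where the splice lands.
HEADER = b"MZ\x90\x00CONSTRUCTED-PAYLOAD-HEADER"
PROTOCOL_MARKER = b"CONSTRUCTED-C2-PROTOCOL-MARKER"
FOOTER = b"CONSTRUCTED-PAYLOAD-FOOTER"
CLEAN_PAYLOAD = HEADER + b"\x00" * 128 + PROTOCOL_MARKER + FOOTER

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def insert_random_string(payload: bytes, length: int = 16) -> bytes:
    """Mimic the evasion step: splice a random printable string into the middle."""
    mid = len(payload) // 2
    junk = os.urandom(length).hex().encode()  # 2*length printable characters
    return payload[:mid] + junk + payload[mid:]

# Detection 1: blocklist of known-bad full-file hashes. One splice defeats it.
KNOWN_BAD_HASHES = {sha256(CLEAN_PAYLOAD)}  # constructed, not a real IoC

def hash_detects(sample: bytes) -> bool:
    return sha256(sample) in KNOWN_BAD_HASHES

# Detection 2: content signature on byte sequences the splice leaves intact,
# required to appear in order (header, then protocol marker, then footer).
ANCHORS = [HEADER, PROTOCOL_MARKER, FOOTER]

def signature_detects(sample: bytes) -> bool:
    pos = 0
    for anchor in ANCHORS:
        pos = sample.find(anchor, pos)
        if pos < 0:
            return False
        pos += len(anchor)
    return True

def compare(trials: int = 5) -> dict:
    """Generate `trials` spliced variants and count which detector catches each."""
    variants = [insert_random_string(CLEAN_PAYLOAD) for _ in range(trials)]
    return {
        "distinct_hashes": len({sha256(v) for v in variants}),
        "hash_hits": sum(hash_detects(v) for v in variants),
        "signature_hits": sum(signature_detects(v) for v in variants),
    }

if __name__ == "__main__":
    print(compare())
```

Every spliced variant gets a fresh hash, so the hash blocklist scores zero, while the ordered-anchor signature still fires on all of them; the same logic is why network signatures on an unchanged C&C protocol keep working.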

The fact that little has changed with the internals of Kwampirs since its first discovery indicates that Orangeworm is not overly concerned about being discovered, the researchers said. It may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network, they added.

Although Orangeworm has been active for at least three years, the researchers do not believe the group bears any hallmarks of a state-sponsored actor. It is likely to be the work of an individual or a small group of individuals, they said, pointing out that there are currently no technical or operational indicators to ascertain the origin of the group.

Symantec said it has made efforts to notify identified targets of Orangeworm activity, but the researchers warned that Kwampirs remains active around the world, indicating that the group is still conducting attacks.

Organisations are advised to ensure that all their security, application and operating system software is up to date to reduce the likelihood of infection.
