Security researchers at Symantec say a group of hackers has been targeting firms related to health care. Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs inside large international corporations operating in the healthcare sector in the United States, Europe, and Asia.
First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack, using those organizations as a path to its intended victims. Known victims include healthcare providers, pharmaceutical companies, IT solution providers for healthcare, and equipment manufacturers that serve the healthcare industry; the most likely motive is corporate espionage.
Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.
According to Symantec telemetry, almost 40 percent of Orangeworm's confirmed victim organizations operate within the healthcare industry. The Kwampirs malware was found on machines that host the software used to operate and control high-tech imaging devices such as X-ray and MRI machines. Orangeworm was also observed taking an interest in machines used to help patients complete consent forms for required procedures. The exact motives of the group are unclear.
Once Orangeworm has infiltrated a victim's network, the attackers deploy Trojan.Kwampirs, a backdoor Trojan that gives them remote access to the compromised computer. The backdoor collects rudimentary information about the compromised computer, including basic network adapter information, system version information, and language settings.
Orangeworm likely uses this information to decide whether the system is a high-value target. Once the group determines that a potential victim is of interest, it aggressively copies the backdoor across open network shares to infect other computers. Because propagation rides on shares that are writable from the first compromised host, share write permissions (administrative shares included) are the control that limits how far a single foothold can spread.
At this point, the attackers proceed to gather as much additional information about the victim’s network as possible, including any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.
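The two behaviours above, copying one executable to open shares on many hosts and then enumerating the network from the foothold, are exactly the pattern a detection engineer would hunt for in share-access logs. The following Python is an added example, not Symantec's detection logic and not part of the original article. It assumes a simplified, whitespace-separated rendering of Windows Security event 5145 (network share object access) with the fields timestamp, client IP, target host, share name, relative target name and requested access; the log lines, host names and the file name `svcupd.exe` are constructed for the example and are not Kwampirs indicators. It flags a single source writing the same executable to administrative shares on several distinct hosts within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Fields, in order:
# timestamp, client IP, target host, share, relative target name, access.
# Modelled loosely on Windows Security event ID 5145; the real event has
# more fields and different layout, so adapt parse() to your collector.
SAMPLE_LOGS = """\
2018-04-20T09:01:03 10.0.5.21 RAD-WS-01 ADMIN$ \\Temp\\svcupd.exe WriteData
2018-04-20T09:01:09 10.0.5.21 RAD-WS-02 ADMIN$ \\Temp\\svcupd.exe WriteData
2018-04-20T09:01:15 10.0.5.21 MRI-CTRL-1 C$ \\Temp\\svcupd.exe WriteData
2018-04-20T09:01:20 10.0.5.21 CONSENT-KIOSK ADMIN$ \\Temp\\svcupd.exe WriteData
2018-04-20T09:02:02 10.0.5.21 RAD-WS-03 ADMIN$ \\Temp\\svcupd.exe WriteData
2018-04-20T09:30:00 10.0.7.14 FILESRV-02 Shared \\reports\\q1.xlsx WriteData
2018-04-20T09:31:00 10.0.7.14 FILESRV-02 Shared \\reports\\q2.xlsx ReadData
2018-04-20T11:00:00 10.0.5.99 RAD-WS-01 ADMIN$ \\Temp\\svcupd.exe ReadData
"""

# Hidden administrative shares: legitimate admin tooling writes here too,
# so the signal is the fan-out across hosts, not a single write.
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "IPC$"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


def parse(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, share, path, access = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "host": host,
            "share": share.upper(),
            # keep only the file name; the directory varies per host
            "file": path.rsplit("\\", 1)[-1].lower(),
            "access": access,
        })
    return events


def find_share_propagation(events, min_hosts=3, window=timedelta(minutes=10)):
    """Alert when one source writes the same executable to admin shares on
    at least `min_hosts` distinct hosts within `window`.

    Returns one alert per (source, file name) pair, keyed on the first
    window in which the host count crosses the threshold."""
    writes = defaultdict(list)
    for e in events:
        if e["access"] != "WriteData":
            continue
        if e["share"] not in ADMIN_SHARES:
            continue
        if not e["file"].endswith(EXECUTABLE_SUFFIXES):
            continue
        writes[(e["src"], e["file"])].append((e["ts"], e["host"]))

    alerts = []
    for (src, fname), hits in writes.items():
        hits.sort()
        # sliding window anchored at each write; count distinct targets
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "source": src,
                    "file": fname,
                    "hosts": sorted(hosts),
                    "first_seen": t0.isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_share_propagation(parse(SAMPLE_LOGS)):
        print(f"{alert['source']} wrote {alert['file']} to admin shares on "
              f"{len(alert['hosts'])} hosts from {alert['first_seen']}: "
              f"{', '.join(alert['hosts'])}")
```

The threshold and window are tuning knobs: software deployment tools also push one binary to many hosts over `ADMIN$`, so in practice the rule is scoped to sources that are not the known deployment servers, and the imaging and consent-form hosts the article mentions are good candidates for a tighter threshold because they should rarely receive pushed executables at all.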