Symantec Uncovers Cybercrime Group Targeting Healthcare Sector

A backdoor Trojan gives the methodical attackers access to everything from medical devices to software.

An attack group targeting healthcare organizations in the U.S., Europe and Asia has been uncovered by Symantec. The security software provider unveiled in a blog post on April 23 that the group, dubbed Orangeworm, has been, "observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector."

First identified in 2015, Orangeworm conducts planned, targeted attacks against healthcare organizations as well as other organizations in the healthcare sector, such as pharmaceuticals or device manufacturers, in large-scale attacks aimed at supply chains, "likely for the purpose of corporate espionage," Symantec notes.

Forty percent of targeted organizations are in the healthcare sector, Symantec found, with the backdoor installed in medical devices, such as X-Ray or MRI machines and software that helps patients complete consent forms.

Once inside, the Trojan provides the attacker group with remote access to the compromised device. From there, Symantec notes that the attackers spend time gathering information to determine whether the device belongs to a high-value target. It uses particularly "noisy" methods to propagate itself once inside a victim network, suggesting that it is not particularly concerned with being detected, suggesting that "previous mitigation methods against the malware have been unsuccessful."

Orangeworm does not have the hallmarks of a nation-state actor and its motives are as of yet unknown. While Symantec noted that its users are protected, it also included a list of indications that an organization's devices might have been compromised. 

Apr 24 2018