Story image

Orangeworm threat group targeting Asia & EU healthcare sector firms

24 Apr 2018

A group dubbed ‘Orangeworm’ is targeting healthcare and related industries across Asia, the United States, and Europe as part of what looks to be a carefully targeted attack process with significant planning behind the scenes.

Researchers from Symantec say that the group has been deploying Trojan.Krampirs, a custom backdoor that gives attackers remote access to compromised computers on the network.

The Trojan then collects information about the infected network, including information about recently accessed computers, files, mapped drives, available network shares, and network adapter information.

Symantec researchers say that the Orangeworm group’s known victims include healthcare providers, pharmaceutical firms, healthcare IT providers and healthcare equipment manufacturers. 39% of the Trojan’s targets operate within the healthcare industry.

While most targets have been based in the United States (17%), 7% were based in India; 5% in the Philippines, and 2% respectively across China, Hong Kong, and Malaysia. A number of other targets are located in Europe.

“The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear,” Symantec says.

Researchers found that the Trojan is able to spread aggressively through a network by copying itself over network shares. This method is old but works well on older operating systems such as Windows XP – a good match for the healthcare industry because it often operates using older systems.

Symantec notes that the Trojan also reaches out to a long list of command and control servers.

That action, in combination with the network sharing that only makes small modifications to the Trojan itself, indicates that the Orangeworm group ‘is not overly concerned with being discovered’, Symantec says.

Although the group has been known to be active for several years, there’s no evidence to suggest it is a state-sponsored actor, but rather the work of one person or a small group of people.

“There are currently no technical or operational indicators to ascertain the origin of the group,” Symantec notes.

“The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” Symantec concludes.

Forget endpoints—it’s time to secure people instead
Security used to be much simpler: employees would log in to their PC at the beginning of the working day and log off at the end. That PC wasn’t going anywhere, as it was way too heavy to lug around.
DimData: Fear finally setting in amongst vulnerable orgs
New data ranking the ‘cybermaturity’ of organisations reveals the most commonly targeted sectors are also the most prepared to deal with the ever-evolving threat landscape.
IXUP goes "post-quantum" with security tech upgrade
The secure analytics company has also partnered with Deloitte as a reseller, and launched a SaaS offering on Microsoft Azure.
ExtraHop’s new partner program for enterprise security
New accreditations and partner portal enable channel partners to fast-track their expertise and build their security businesses.
Hackers increasingly ‘island hopping’ – so what does it mean?
Carbon Black's Rick McElroy discusses this new trend and what it means for the new age of cybercrime.
Trust without visibility is blind – Avi Networks
Enterprises are wanting to gain the trust of their customers, but are often found blindly defending themselves.
How to avoid becoming a cryptojacking victim - Bitglass
Large-scale cryptojacking is a lucrative business due to the popularity and value of cryptocurrencies like Bitcoin and Ethereum.
Symantec, Ixia combine efforts to secure hybrid networks
Ixia’s CloudLens and Symantec Security Analytics now feature complete integration, which allows Symantec customers to gain real-time visibility into their hybrid cloud environments.