A group dubbed ‘Orangeworm’ is targeting healthcare and related industries across Asia, the United States, and Europe as part of what looks to be a carefully targeted attack process with significant planning behind the scenes.
Researchers from Symantec say that the group has been deploying Trojan.Kwampirs, a custom backdoor that gives attackers remote access to compromised computers on the network.
The Trojan then collects information about the infected network, including information about recently accessed computers, files, mapped drives, available network shares, and network adapter information.
Symantec researchers say that the Orangeworm group’s known victims include healthcare providers, pharmaceutical firms, healthcare IT providers and healthcare equipment manufacturers. 39% of the Trojan’s targets operate within the healthcare industry.
While the largest share of targets has been based in the United States (17%), 7% were based in India, 5% in the Philippines, and 2% respectively across China, Hong Kong, and Malaysia. A number of other targets are located in Europe.
“The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear,” Symantec says.
Researchers found that the Trojan is able to spread aggressively through a network by copying itself over network shares. This method is old but works well on older operating systems such as Windows XP – a good match for the healthcare industry because it often operates using older systems.
Symantec notes that the Trojan also reaches out to a long list of command and control servers.
That action, in combination with propagation over network shares that makes only small modifications to the Trojan itself, indicates that the Orangeworm group ‘is not overly concerned with being discovered’, Symantec says.
Although the group has been known to be active for several years, there’s no evidence to suggest it is a state-sponsored actor; rather, it appears to be the work of one person or a small group of people.
“There are currently no technical or operational indicators to ascertain the origin of the group,” Symantec notes.
“The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” Symantec concludes.