A hacker group dubbed Orangeworm has recently been revealed by Symantec. The group targets the medical and healthcare sector almost exclusively, using sophisticated malware. This has led to several pieces of vital equipment, such as X-ray machines and MRI scanners, being infected. The group's purpose is thought to be industrial espionage.


Orangeworm hacker group targeting the healthcare sector

According to a report by security firm Symantec, a hacker group has emerged which targets the healthcare sector almost exclusively. The group, dubbed Orangeworm, has been active since 2015 and is claiming most of its victims within the US, with some found in Europe and Asia. Several pieces of sensitive medical equipment, such as MRI scanners and X-ray machines, have been infected.

Orangeworm utilizes the Kwampirs malware, a trojan with backdoor capabilities. Once access to a victim's network has been established, the malware is installed on any devices found. At that point a connection is made to a command-and-control (C2) server, sending information about the victim to the attackers. If a target is of special interest, a spreading routine is started, allowing the malware to propagate quickly throughout the network.

How infections are detected

The Kwampirs malware allows for complete remote control, meaning an attacker has full access to an infected machine. Researchers at Symantec believe the actors behind the group specifically intend to steal sensitive medical data. Thankfully, the malware is not very discreet: it performs noisy and easy-to-detect activities. This means an up-to-date and efficient security solution should be able to detect it.

A case of industrial espionage

Besides the medical and pharmaceutical industries, which account for around 40% of the targets, attacks have also been launched against other industries. However, all other infections are at least indirectly related to healthcare, for example manufacturers of medical-use devices or IT companies handling data related to the field.

There is currently no information available on where the group originates from or what its purpose is. According to the report by Symantec, it is believed to be a case of industrial espionage rather than the work of a government actor.