UPDATED 23:10 EDT / APRIL 23 2018


Orangeworm targets X-ray machines and MRIs in latest healthcare hacking attack

Just when you thought hacking attacks against healthcare facilities couldn’t get any worse, a new group dubbed “Orangeworm” is targeting X-ray machines and magnetic resonance imaging machines for data theft.

According to Symantec, Orangeworm is planting the Kwampirs “backdoor” remote-access software on medical computers in order to steal information from healthcare providers in the U.S., Europe and Asia. Unlike ransomware, the attacks are highly targeted. As Symantec puts it, “The group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”

The supply chain attacks on healthcare providers, pharma companies and information technology solution providers and equipment makers for the medical sector first emerged in January 2015. Recently they’ve escalated, with secondary targets including manufacturing, information technology, agriculture and logistics.

“Due to the fact that the attacks attempted to keep infections active for long periods of time on these devices, it’s more likely the group are interested in learning how these devices operate,” Symantec researcher Alan Neville explained. “We have not collected any evidence to suggest the attackers have planned to perform any sabotage type activities at this time.”

Kwampirs, which provides the attackers with remote access to the compromised computer, decrypts and extracts a copy of its Dynamic Link Library, a type of file that contains instructions other programs can use to do certain things, from the computer’s resource section. Before writing this payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.

Once in the door, Kwampirs then gathers data to send back to a command-and-control server, including information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives and files present on the compromised computer.

The motivation for the attack is interesting in the context of the ongoing Russian and Chinese hacking mania. Symantec doesn’t believe a nation-state actor is behind the attack, noting that it believes the attacks are likely conducted by an individual or a small group of people.

Photo: U.S. Airforce

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy