

Just when you thought hacking attacks against healthcare facilities couldn’t get any worse, a new group dubbed “Orangeworm” is targeting X-ray machines and magnetic resonance imaging machines for data theft.
According to Symantec, Orangeworm is planting the Kwampirs “backdoor” remote-access software on medical computers in order to steal information from healthcare providers in the U.S., Europe and Asia. Unlike ransomware, the attacks are highly targeted. As Symantec puts it, “The group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”
The supply chain attacks on healthcare providers, pharma companies, information technology solution providers and equipment makers for the medical sector first emerged in January 2015. Recently they’ve escalated, with secondary targets including manufacturing, information technology, agriculture and logistics.
“Due to the fact that the attacks attempted to keep infections active for long periods of time on these devices, it’s more likely the group are interested in learning how these devices operate,” Symantec researcher Alan Neville explained. “We have not collected any evidence to suggest the attackers have planned to perform any sabotage type activities at this time.”
Kwampirs, which provides the attackers with remote access to the compromised computer, decrypts and extracts a copy of its Dynamic Link Library (DLL), a type of file that contains code other programs can load and call, from its resource section. Before writing this payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.
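To illustrate why that random-string insertion defeats exact-hash matching while a similarity-based comparison still flags the variant, here is an added example (not Symantec's code and not Kwampirs itself); BASE_PAYLOAD is a constructed stand-in for a decrypted DLL and the helper names are hypothetical.

```python
import hashlib
import os

# Constructed stand-in for a decrypted DLL payload (not real Kwampirs bytes):
# 4096 bytes with a repeating pattern, so byte n-grams are easy to reason about.
BASE_PAYLOAD = bytes(range(256)) * 16


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def splice_string(payload, inserted, position=None):
    """Hypothetical helper reproducing the behaviour the article describes:
    a string is spliced into the middle of the payload before it hits disk."""
    if position is None:
        position = len(payload) // 2
    return payload[:position] + inserted + payload[position:]


def insert_random_string(payload, length=16):
    """Same splice, but with a freshly generated random string each time."""
    return splice_string(payload, os.urandom(length))


def hash_blocklist_match(sample, known_hashes):
    """Exact-hash detection: fires only when the file is byte-identical."""
    return sha256_hex(sample) in known_hashes


def ngram_similarity(a, b, n=8):
    """Jaccard similarity over sets of byte n-grams. A short insertion only
    disturbs the n-grams that straddle the splice point, so similarity stays
    high even though every whole-file hash changes."""
    grams_a = {a[i:i + n] for i in range(len(a) - n + 1)}
    grams_b = {b[i:i + n] for i in range(len(b) - n + 1)}
    if not grams_a or not grams_b:
        return 0.0
    return len(grams_a & grams_b) / len(grams_a | grams_b)


def similarity_match(sample, known, threshold=0.8):
    return ngram_similarity(sample, known) >= threshold


def compare_detections(variant, known=BASE_PAYLOAD):
    """Run both detection styles against a variant of the known payload."""
    known_hashes = {sha256_hex(known)}
    return {
        "hash_match": hash_blocklist_match(variant, known_hashes),
        "similarity": ngram_similarity(variant, known),
        "similarity_match": similarity_match(variant, known),
    }


if __name__ == "__main__":
    print(compare_detections(BASE_PAYLOAD))                        # hash_match True
    print(compare_detections(insert_random_string(BASE_PAYLOAD)))  # hash_match False, similarity_match True
```

Production tooling would use a piecewise or fuzzy hash (ssdeep, TLSH) or byte-pattern rules rather than this toy Jaccard measure, but the failure mode of exact hashes is the same.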
Once in the door, Kwampirs then gathers data to send back to a command-and-control server, including information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives and files present on the compromised computer.
The motivation for the attack is interesting in the context of the ongoing Russian and Chinese hacking mania. Symantec doesn’t believe a nation-state actor is behind the attack, noting that it believes the attacks are likely conducted by an individual or a small group of people.