Hacker group targets imaging devices to breach healthcare providers

Register now

Data security vendor Symantec is warning of a new and significantly dangerous hacker ring targeting large healthcare organizations in the United States, Europe and Asia.

“Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwempirs,” the vendor notes.

Orangeworm is looking for targets to engage in corporate espionage in healthcare and other industries. Targets are chosen carefully and deliberately with extensive planning before an attack is made, Symantec experts contend.

Data from the security organization suggests that healthcare is the top target for the hackers—it says that 39 percent of attacks have been aimed at healthcare organizations, with manufacturing, information technology, logistics and agriculture also in their crosshairs.

Also See: Why patient confidence hinges on medical device security

So far, Symantec has found Kwempirs malware placed on diagnostic imaging machines in healthcare organizations. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures.

The vendor acknowledges that exact motives of the Orangeworm group are unclear, but the company believes other industries have been targeted as part of a larger supply chain attack to enable Orangeworm to get access to healthcare organizations.

“While these industries appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products.”

The installed backdoor into an organization collects information from the infected computer, which Symantec surmises can help a hacker know if the computer is used by a researcher or a higher-value target. “Once Orangeworm determines that a potential victim is of interest, it proceeds to aggressively copy the backdoor across open network shares to infect other computers.”

Further, with healthcare’s reliance on older operation systems, particularly Windows XP, Orangeworm does not appear to be overly concerned about being discovered.

The 11-page report, available here, includes significant technical details for security technologists to better understand the virus’ execution and capabilities.

For reprint and licensing requests for this article, click here.