A newly-discovered cybercriminal group is installing custom malware onto the systems of organisations in healthcare and related sectors in order to conduct corporate espionage.
These targeted attacks are carried out against a small number of selected organisations and the supply chains that serve them. The tactics and the use of custom malware suggest the attacks are the work of a cybercriminal group acting for its own ends rather than on behalf of a government.
Uncovered by researchers at Symantec, the previously unknown group dubbed Orangeworm is installing custom malware known as 'Kwampirs' onto the systems of large international corporations across the US, Europe and Asia - with a particular focus on healthcare, with 40 percent of victims operating in the sector.
Other prominent targets include those in the technology and manufacturing industries. The group is thought to have been active since late 2015.
Known victims include healthcare providers themselves, plus pharmaceutical, technology and equipment manufacturers that work with these specialists. Given the nature of the victims, the researchers say the group chooses its targets carefully and deliberately, conducting a good amount of planning before launching an attack.
"The targeting of large multinational corporations that work directly in or related to the healthcare space has been a consistent theme with Orangeworm since their discovery," Alan Neville, threat researcher at Symantec, told ZDNet.
Within the healthcare sector, Kwampirs malware was found installed on a wide variety of systems, including X-ray and MRI machines, as well as machines used to help patients complete consent forms. However, rather than stealing information stored on these systems, the researchers suggest the attackers are mostly interested in learning about the devices themselves.
"We have no evidence to suggest that the attackers copied images. It's more likely the group are interested in learning how these devices operate," said Neville.
When it comes to activity on the network, the malware appears specially designed to carry out reconnaissance - although it has the potential to carry out additional tasks if required.
"We have observed the group perform reconnaissance and information gathering activities, including collecting lists of all files on the hard drive of the infected machine," said Neville.
"While we have not observed the attackers seek or steal specific information, we do note that the attackers have the ability to push down additional modules that may assist in information collection activities."
Once the malware has infiltrated the target network, Kwampirs provides the attackers with remote access to the compromised computer, with the backdoor initially collecting rudimentary information about the infected machine, such as network adapter information, system version information, and language settings.
It also takes steps to avoid detection by anti-virus and other security software: before writing the decrypted payload to disk, it inserts a randomly generated string into the middle of the payload, so that every dropped copy has a different file hash and hash-based detections do not match. "Basically, Kwampirs can be considered a polymorphic worm," said Neville.
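The following added example (not code from Symantec or from the article) illustrates, from the detection side, why the hash-evasion trick described above works and what still catches it. It models a constructed stand-in payload (not Kwampirs) with a random string inserted before each "write", then compares three detection approaches: a whole-file hash IoC, a YARA-style content signature built from byte strings in the regions the insertion does not touch, and a hash over a stable anchored region only. The marker, byte ranges and signature strings are all assumptions chosen for the demonstration.

```python
import hashlib
import random

# Constructed stand-in for a decrypted payload; it is NOT Kwampirs, just a byte
# string with two regions the mutation leaves alone and a marker where junk goes.
SPLIT_MARKER = b"|SPLIT|"
PAYLOAD_BASE = (
    b"MZ\x90\x00" + b"\x00" * 12            # PE-like header bytes (constructed)
    + b"CODE:" + bytes(range(32, 96))       # stable region 1
    + SPLIT_MARKER                          # insertion point for the random string
    + b"DATA:" + bytes(range(96, 160))      # stable region 2
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_variant(base: bytes, rng: random.Random, junk_len: int = 16) -> bytes:
    """Model the on-disk behaviour the article describes: a random string is
    inserted in the middle of the payload before it is written, so every
    dropped copy has a different whole-file hash."""
    idx = base.index(SPLIT_MARKER) + len(SPLIT_MARKER)
    junk = bytes(rng.getrandbits(8) for _ in range(junk_len))
    return base[:idx] + junk + base[idx:]


# Detection 1: whole-file hash IoC, which is what a hash blocklist does.
def hash_ioc_match(sample: bytes, known_hashes: set) -> bool:
    return sha256_hex(sample) in known_hashes


# Detection 2: YARA-style content signature. The strings are taken from the
# regions the insertion does not touch and are matched at any offset.
SIGNATURE_STRINGS = (b"CODE:" + bytes(range(32, 48)), b"DATA:" + bytes(range(96, 112)))


def content_signature_match(sample: bytes, strings=SIGNATURE_STRINGS) -> bool:
    return all(s in sample for s in strings)


# Detection 3: hash only a stable region delimited by anchors, not the whole file.
def stable_region_hash(sample: bytes) -> str:
    start = sample.index(b"CODE:")
    end = sample.index(SPLIT_MARKER)
    return sha256_hex(sample[start:end])


def evaluate(n_variants: int = 5, seed: int = 2018) -> dict:
    """Generate n dropped variants and count how many each approach catches."""
    rng = random.Random(seed)
    known = {sha256_hex(PAYLOAD_BASE)}      # the one hash a responder captured
    base_region = stable_region_hash(PAYLOAD_BASE)
    variants = [make_variant(PAYLOAD_BASE, rng) for _ in range(n_variants)]
    return {
        "variants": n_variants,
        "distinct_file_hashes": len({sha256_hex(v) for v in variants}),
        "hash_ioc_hits": sum(hash_ioc_match(v, known) for v in variants),
        "content_signature_hits": sum(content_signature_match(v) for v in variants),
        "stable_region_hits": sum(stable_region_hash(v) == base_region for v in variants),
    }


if __name__ == "__main__":
    print(evaluate())
```

Running it shows five variants with five distinct file hashes, zero hits for the hash IoC, and five hits each for the content signature and the stable-region hash. The practical lesson for a healthcare SOC is that a single file hash shared as an indicator for this kind of sample has almost no value; signatures on stable code or string content, or hashes over anchored regions, survive the insertion.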
Researchers suggest that Orangeworm uses this information to decide whether the system belongs to a high-value target, such as a researcher or someone with access to a lot of information. If the attackers determine this to be the case, they spread the infection by copying the backdoor across open network shares to infect other computers.
Copying itself via open network shares is an old propagation technique, but it remains a viable way to spread an infection around environments that still run legacy operating systems such as Windows XP, which persists in healthcare because of the bespoke nature of the equipment. Unlike EternalBlue-style propagation, this method does not require any exploit.
In addition to this propagation technique, the malware cycles through a list of command and control servers embedded within the payload, although not all of these are active. The method of propagation and the activity with command servers is quite "noisy" for trojan malware, indicating the attackers aren't very concerned with being discovered.
"By indiscriminately copying itself to any available machine, it's more likely to be noticed by security teams within affected organisations," said Neville.
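Because the share-copy propagation described above is "noisy", it is a good candidate for a detection rule. The following added example (not Symantec's or ZDNet's code) runs a fan-out heuristic over constructed records loosely modelled on the fields of Windows Security event 5145 (network share object access): it alerts when one client writes a file of the same name to several different hosts' shares inside a short window, while ignoring reads and ordinary single-destination file saves. The host names, addresses, file names, window and threshold are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) loosely modelled on Windows
# Security event 5145 fields: timestamp, client address, server host, share,
# relative target name, and the access requested.
SAMPLE_EVENTS = [
    # one client dropping the same executable onto four hosts' admin shares
    ("2018-04-23T09:00:05", "10.1.5.20", "WS-RAD01", "ADMIN$", "system32\\svcworker.exe", "WriteData"),
    ("2018-04-23T09:00:41", "10.1.5.20", "WS-RAD02", "ADMIN$", "system32\\svcworker.exe", "WriteData"),
    ("2018-04-23T09:01:12", "10.1.5.20", "WS-MRI03", "C$", "Windows\\system32\\svcworker.exe", "WriteData"),
    ("2018-04-23T09:03:58", "10.1.5.20", "WS-LAB07", "ADMIN$", "system32\\svcworker.exe", "WriteData"),
    # a user saving one document to the file server: a single destination
    ("2018-04-23T09:02:10", "10.1.7.9", "FS01", "Shared", "reports\\q1.docx", "WriteData"),
    # an administrator pushing an update to two hosts: below the threshold
    ("2018-04-23T09:05:00", "10.1.1.2", "WS-RAD01", "ADMIN$", "temp\\update-package.msu", "WriteData"),
    ("2018-04-23T09:05:30", "10.1.1.2", "WS-RAD02", "ADMIN$", "temp\\update-package.msu", "WriteData"),
    # an inventory agent reading many hosts: reads are not lateral copies
    ("2018-04-23T09:06:00", "10.1.1.3", "WS-RAD01", "C$", "Windows\\win.ini", "ReadData"),
    ("2018-04-23T09:06:01", "10.1.1.3", "WS-RAD02", "C$", "Windows\\win.ini", "ReadData"),
    ("2018-04-23T09:06:02", "10.1.1.3", "WS-MRI03", "C$", "Windows\\win.ini", "ReadData"),
    ("2018-04-23T09:06:03", "10.1.1.3", "WS-LAB07", "C$", "Windows\\win.ini", "ReadData"),
]


def basename(relative_target: str) -> str:
    """Normalise the relative target to a lower-case file name so the same
    file dropped under different share paths is grouped together."""
    return relative_target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_share_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when one client writes a file of the same name to at least
    `min_hosts` distinct servers' shares within `window`."""
    groups = defaultdict(list)  # (client, file name) -> [(timestamp, server)]
    for ts, client, server, share, target, access in events:
        if access != "WriteData":   # only writes can be lateral copies
            continue
        groups[(client, basename(target))].append((datetime.fromisoformat(ts), server))

    alerts = []
    for (client, name), writes in groups.items():
        writes.sort()
        best = set()
        # sliding window: for each write, collect the distinct servers written
        # to within `window` of it, and keep the largest such set
        for i, (t0, _) in enumerate(writes):
            hosts = {srv for t, srv in writes[i:] if t - t0 <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append({
                "client": client,
                "file": name,
                "servers": sorted(best),
                "first_seen": writes[0][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_share_fanout(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this produces a single alert for 10.1.5.20 writing svcworker.exe to four hosts within four minutes; the document save, the two-host update push and the inventory reads stay silent. In production the threshold and window should be tuned against the environment's own software-deployment traffic, and the alert should carry enough context (client, file name, server list) for a responder to pull the dropped file for the content-signature checks discussed earlier.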
The malware also remains active on a number of machines across the globe, suggesting the group is still conducting its highly-targeted attacks, with the United States the most common geographical region in which Kwampirs is being uncovered. Symantec says it has made efforts to contact those organisations which it has seen to be infected.
The security firm said organisations can protect themselves from the Orangeworm campaign by using detection software and keeping systems up to date.