Security experts have identified a group of cybercriminals that is specifically targeting the healthcare sector in the United States.
The unidentified group has also attacked related industries in Europe and Asia, confirming that this is a large-scale cyber-espionage campaign carried out by a notorious hacker group.
The attack group, which the security experts have named “Orangeworm,” has created a backdoor Trojan that gives it access to the servers of healthcare institutions, including hospitals, pharmaceutical firms and the IT companies that serve healthcare firms.
On the whole, experts from Symantec confirmed that the entire espionage campaign is directed towards the healthcare industry in particular and was carried out on multiple continents at the same time.
Orangeworm’s Primary Target
Through extensive research and analysis of the attacks, the security experts from Symantec have released a detailed report confirming that 39 percent of the attacks have been meticulously carried out against firms in the healthcare industry. The rest of the targeted companies were indirectly related to the healthcare sector.
Orangeworm created the trojan.kwampirs malware to gain backdoor access to its targets’ services, but it also conducted extensive research on each target before carrying out the attack.
The Kwampirs malware was found in critical devices used in medical institutes such as X-ray machines and MRI scanners.
They even managed to penetrate the machines which are used to help a patient complete their consent forms.
No Patient Data was Breached
Delving further into the attack, the Symantec researchers confirmed that the attackers surprisingly didn’t download any data from the MRI or any other machines.
They didn’t copy any images scanned using these machines but it is suspected that the attack was carried out to know more about how such equipment worked in the healthcare setting.
While the fact that they didn’t steal any information is reassuring, the Orangeworm team has been active in the sector since 2015 and is likely to have collected a large amount of data by now.
The real reason behind this attack still remains unknown to the security researchers at Symantec.
Statistical Data of the Attacks
The telemetry data released revealed that nearly 40 percent of the attacks targeted the healthcare industry while 15 percent were focused on the IT and manufacturing firms which provided services to the medical sector.
About 8 percent of the attacks targeted the logistics and agricultural sectors. The majority of Orangeworm’s victims were located in the U.S. (over 17 percent), while the second-highest victim rates were found in Saudi Arabia and India, with 7 percent in each country.
The cyber-espionage group didn’t stop there: it attacked at least 20 other countries, including the United Kingdom, Hungary and the Philippines.
How the Trojan Infects a Victim’s Computer
The Orangeworm group researches its targets in different countries and establishes a backdoor connection to their servers. Once it has gained access, it uses that remote access to upload trojan.kwampirs onto the compromised computers.
The malware decrypts its payload and writes it to disk. It is designed to insert a string into the middle of the payload so that each copy has a different hash, which defeats hash-based detection.
To survive reboots, it installs a file named “WmiApSrvEx” among the system startup files, so the malware keeps running for an extended period and is loaded into memory every time the computer is switched on.
The security team further confirmed that the malware collects basic information about the host, including data processed on the computer, its network adapter, system information and language settings.
With this information, the attackers learned which network adapters were in use, which other computers were on the same network and which OS versions were running, along with everything else needed to gain access to the entire network of PCs.
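The two behaviours described above, the string inserted into the payload to change its hash and the “WmiApSrvEx” persistence name, are what a defender can work with. The following is an added example (not code from the article or from Symantec): it scans constructed service-installation records for the persistence name and shows why a file-hash indicator alone misses a variant once a string has been inserted. The record format and host names are assumptions made for the example.

```python
import hashlib
import re

# Constructed sample "service installed" records (sample values, not real
# telemetry), loosely modelled on what a Windows System log entry carries.
SAMPLE_SERVICE_EVENTS = [
    "host=RAD-MRI01 service_name=WmiApSrvEx image_path=C:\\Windows\\System32\\WmiApSrvEx.exe",
    "host=RAD-MRI01 service_name=Spooler image_path=C:\\Windows\\System32\\spoolsv.exe",
    "host=WS-KIOSK7 service_name=wmiapsrvex image_path=C:\\Windows\\Temp\\wmiapsrvex.exe",
]

# Persistence name reported in the article. Assumption: it is matched
# case-insensitively against both the service name and the image file name.
KWAMPIRS_NAME = "wmiapsrvex"
EVENT_RE = re.compile(r"host=(\S+) service_name=(\S+) image_path=(\S+)")


def find_kwampirs_persistence(events):
    """Return (host, service_name, image_path) for every record whose
    service name or image file name matches the Kwampirs persistence name."""
    hits = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip records that do not fit the constructed format
        host, svc, path = m.groups()
        image = path.rsplit("\\", 1)[-1].lower()
        if svc.lower() == KWAMPIRS_NAME or image.startswith(KWAMPIRS_NAME):
            hits.append((host, svc, path))
    return hits


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_indicator_survives(payload: bytes, inserted: bytes, split_at: int) -> bool:
    """Return True only if a SHA-256 indicator for `payload` still matches
    after `inserted` is placed in the middle of it, i.e. the evasion the
    article describes. With any non-empty insertion the hashes differ."""
    variant = payload[:split_at] + inserted + payload[split_at:]
    return sha256(variant) == sha256(payload)
```

Because the hash check fails for every variant, the persistence name and the startup artefact are the more durable things to alert on.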
The fact that the healthcare sector fails to update its computers and software regularly could have contributed to this massive security breach.
The Symantec team managed to alert all identified victims, but it also added that Orangeworm is still active in many other countries, and that a comprehensive security protocol should be established if governments want to eliminate the risk permanently.