Hacker Group Is Targeting Healthcare For Corporate Espionage, Symantec Warns

A new group of hackers is targeting systems tied to the healthcare industry in the U.S. and around the world, security firm Symantec reports.

The group, which Symantec has dubbed Orangeworm, has deployed custom malware that Symantec has called Kwampirs on networks of healthcare providers and related organizations. The malware has been spotted on computers used to control medical imaging devices like X-ray and MRI machines, as well as some devices used to help patients fill out consent forms for medical procedures.

Symantec technical director Vikram Thakur says the company’s researchers think the hackers aren’t trying to steal patient data or interfere with medical work but rather trying to carry out some sort of industrial espionage involving the healthcare industry. It’s also affected companies like medical equipment manufacturers, pharmaceutical companies and healthcare IT firms. The malware likely found its way onto the imaging machines as it spread through medical provider networks, Thakur says.

“We think it’s just purely collateral damage,” he says. “It does, at the end of the day, give healthcare providers a warning to take better care of the equipment that’s connected to medical devices.”

There’s always a risk that having unexpected code run on healthcare equipment could make it less stable, but there’s been no sign of any such problem here, he says.

Orangeworm isn’t the first digital security issue to affect the healthcare industry. According to one report from Citrix Sharefile, the healthcare industry saw more than 300 data breaches in 2017, at an estimated cost of more than $1 billion. Last year’s notorious WannaCry ransomware outbreak forced hospitals around the world to turn away patients and delay procedures after their computer networks were infected with the malware. That attack has since been blamed on North Korea. In other ransomware attacks, hospitals have occasionally even paid hackers to regain access to valuable files.

The Orangeworm attack seems unlikely to be linked to any government, according to Symantec, which says in a Monday report it hasn’t seen any indicators of the group’s origin. There’s no sign that the group has used any previously unknown software flaws to gain access to the affected networks, Thakur says. Instead, the group has used a mix of “social engineering” and previously identified vulnerabilities to access networks, he says, though he declined to go into too much detail citing ongoing investigations.

Once on a particular network, the malware uses a “fairly aggressive means to propagate itself” over networked file shares, according to Symantec.

“While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP,” according to the company. “This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry.”

The attackers then generally run fairly generic commands to get access to information like user accounts, computer names, and other recently contacted machines, likely to determine which infected machines are actually of interest, says Thakur. So far, it’s unclear exactly what sort of information they’re looking to steal, he says.