Table of Contents
A new hacker group called “Orangeworm” has been targeting Healthcare sector and International corporations which are directly or indirectly related to Healthcare Industry.
According to cybersecurity firms, this attack group has been spying from quite a long time to target health-care organizations based in the United States and across the globe. The group was first identified in 2015, and it appears to focus on Healthcare Industry which accounts for nearly 40% of targets.
Name of the Malware?
Orangeworm has been installing a custom backdoor called “Trojan.Kwampirs”. It’s a Trojan horse which can open the back door on the compromised computer, which may download potentially malicious files. This attack poses a serious threat to Windows platform.
This trojan is making the rounds in large corporate sectors, that surrounds health Industry. Trojan.Kwampirs malware spreads via SMB (Server Message Block) shares i.e. a network protocol used by Windows-based systems, which allows computers within the same network to share files.
Trojan.Kwampirs gives an ability to attackers with remote access to the compromised computer, which decrypts and excerpt a copy of DLL (Dynamic Link Library) which is a type of file that contains information that other programs can call upon to do certain things. Once infiltrated, the malware gathers all the data to send it back to a command-and-control server so, that the attackers can analyze which systems seem interested.
What actually Happened?
Orangeworm has been active since January 2015, and till date has infected a large number of organizations across the globe. They are planting “backdoor” remote-access software on medical computers which control MRI (Magnetic Resonance Machines) and X-ray Machines, in order to steal information from healthcare providers in the U.S., Europe and Asia.
According to security experts, this group of lone hackers looks for stealing patient information & sell it in black markets for amount ranging between US$25 and US$40 per record, while an email address sells for cents. Unlike ransomware, the attacks are highly targeted. It appears like the group chooses its targets very carefully and has conducted a good amount of planning before bombarding an attack.
The aggressors collect as much information as they can from back door system, and if the system seems interested and looks like not operated by security researchers, the malware- Trojan.Kwampirs will copy itself crosswise open network shares to infect other systems on the network.
As per reports, Orangeworm attackers were never afraid of being found, alongside they use movement methods which are quite noisy & obsolete. Despite of which, it took researchers 3 years to identify & discover the attack.
Who all are Targeted?
This malware attack has also affected related industries like pharmaceuticals, machinery manufacturers, healthcare providers and even IT solution providers which serve healthcare industry directly or indirectly.
According to reports, around 40% of the victims are companies activated in the healthcare industry, but attacks are floated towards other industries also that are somehow related to healthcare, including IT (15%), manufacturing (15%), logistics (8%), and agriculture (8%),
Orangeworm attempted a supply-chain attack by infecting a service provider to penetrate the networks of the desired healthcare organization.
Highlighting Trojan.Kwampirs spots all over the world. A huge number of victims are located in the U.S., accounting for 17% of the infection rate.
Motive Behind the Attack?
The reason behind choosing Healthcare Sector is the medical records which hospitals & institution store. These records are actual & have good authentic rate, which makes it very easy to identify the victim. The motives behind the attack are not much clear, but according to the statements of security experts, they actually target the medical records which are generally very rich in PII (Personal Identifiable Information) and have financial data associated with it.
According to reports by cybersecurity experts, the Orangeworm made no efforts to amend their malware after its first attacks, showing their extreme confidence that they would never get caught or high level of lunacy.