Hacker group Orangeworm sets its sights on the healthcare sector

New research from Symantec found 39 percent of Orangeworm’s victims operate in the healthcare field. Its other targeted sectors like manufacturing have ties to the medical industry as well.

A new Symantec report has identified a new attacker group called Orangeworm, which has targeted healthcare providers, pharmaceutical companies, IT solution providers for healthcare, and healthcare-related equipment manufacturers.

Orangeworm’s aim? Most likely corporate espionage, according to Symantec.

The group has been installing a custom backdoor called Trojan.Kwampirs, which gives the hackers remote access to a compromised computer. The backdoor gathers information about the computer and network, which presumably gives Orangeworm more insight into whether the victim is worth pursuing.

The malware copies itself over network shares and cycles through a list of command and control servers. According to Symantec, these methods are seen as “noisy” and might show “Orangeworm is not overly concerned with being discovered.”

As the report notes:

“The fact that little has changed within the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network.”

Kwampirs has been found on machines that had software installed for using X-Ray and MRI machines.

The largest chunk (39 percent) of Orangeworm’s victims operate in the healthcare sector. Another 15 percent are in the IT field, 15 percent are in manufacturing and 8 percent are from the logistics sector. Symantec found these non-healthcare fields still have ties to the medical world. For example, numerous logistical organizations deliver healthcare products.

Orangeworm’s victims are located in the United States, Europe and Asia; the largest share of the attacked entities (17 percent) is in the United States.

Symantec doesn’t believe Orangeworm, which was first discovered in 2015, is linked to a nation-state. Instead, it’s likely the work of a person or group of individuals.

The report comes less than a month after another software company, Nuix, released a survey based on the perspective of 112 hackers. The results showed 38 percent of surveyed attackers said they could find the healthcare data they sought in less than one hour. The respondents also saw hospitals and healthcare providers as particularly soft targets.
