‘Orangeworm’ Cyberattack Group Puts Healthcare Industry in the Crosshairs

Posted May 1, 2018

Since last year’s WannaCry ransomware attack, the healthcare industry has anxiously waited for the next big cyberthreat. But while WannaCry indiscriminately attacked unpatched Windows-based systems, an emerging hacker group called Orangeworm has recently set its sights on healthcare systems in particular—and they’ve already successfully infected a number of medical imaging systems in the United States.

Orangeworm “does not select its targets randomly or conduct opportunistic hacking,” according to a report by security firm Symantec. “Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”

Nearly 40% of Orangeworm’s targets are part of the healthcare industry, while many others are linked to healthcare, such as manufacturers that produce medical imaging equipment and information technology firms that support medical clinics. About 17% of infections occurred in the United States, more than any other country.

Although first identified in 2015, Orangeworm’s momentum has increased significantly in recent months, and little is known about the group.

“The healthcare industry is one of the least prepared to deal with cybersecurity threats, and it has yet to take many of the steps necessary to adequately prepare their medical and information technology environments,” said Stephen Grimes, managing partner and principal consultant for Strategic Healthcare Technology Associates, LLC and a member of the BI&T Editorial Board. “Medical devices are among the most vulnerable because approaches to adequately protecting those technologies are generally the least understood by security professionals.”

Orangeworm works by using a backdoor to install a trojan, called Kwampir, inside of computer networks. Kwampir then aggressively replicates itself, allowing hackers “to gather as much additional information about the victim’s network as possible, including any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer,” Symantec wrote, as well as allowing for remote access to the computer systems.

Orangeworm doesn’t appear to be motivated to harm medical devices or patients, according to the report. Rather, it is aimed at corporate espionage—stealing sensitive data and intellectual property—although the group has also attempted to collect protected health information. Still, the presence of malware in a medical device could cause unintended malfunctions, said Axel Wirth, distinguished technical architect for Symantec Corporation in Cambridge, MA, and a member of the BI&T Editorial Board.

“The threat shows that attackers can be successful and are able to plant malware onto computers attached to medical devices with some concerted effort. That part is troubling,” Wirth said. “In addition, malware such as Kwampirs could introduce instability into systems that could potentially result in harm, such as equipment malfunctions or delays in accessing information.”

Even though the healthcare industry has learned a lot since WannaCry, it has additional reasons to be concerned about the threat of Orangeworm. Even if today’s Orangeworm attacks may appear to be data-gathering missions, the ability to gain remote access to medical device systems means that it could serve as a launching point for future, “more devastating” attacks, Grimes said. That’s why it’s important to work together to prevent those attacks from happening.

“The nature, number, and serious impact of all these cyberattacks will undoubtedly increase until there is widespread industry effort to employ ‘defense in depth,’” Grimes said. “That means hardening the devices and systems, educating stakeholders, and working with organizations like NH-ISAC, US-CERT and ICS-CERT that collect and share information about known vulnerabilities.”

Grimes and Wirth are the editors of a forthcoming resource intended to establish a common language and understanding for cybersecurity in healthcare for all stakeholders. Medical Device Cybersecurity: A Guide for HTM Professionals will be available in the AAMI Store this summer.