Symantec: New Attack Group Targets Health Care Sector

Symantec has identified a new attack group dubbed Orangeworm deploying the Kwampirs backdoor in a targeted attack campaign against the healthcare sector and related industries, according to a blog post by the Security Response Attack Investigation Team.

“Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia,” the blog reads. “First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.”

The post says that the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.

“According to Symantec telemetry, almost 40 percent of Orangeworm’s confirmed victim organizations operate within the healthcare industry,” the blog states. “The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear.”

“The biggest number of Orangeworm’s victims are located in the U.S., accounting for 17 percent of the infection rate by region. While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec telemetry, we have seen infections in multiple countries due to the nature of the victims operating large international corporations,” the blog adds.

Healthcare providers are in the crosshairs.

“We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare. Orangeworm’s secondary targets include Manufacturing, Information Technology, Agriculture, and Logistics. While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products,” according to the blog.

Read the blog post online.