Orangeworm Targeting Healthcare Data Security with Trojan.Kwampirs

Symantec released a late April 2018 report stating that Orangeworm, a new cyber group, has been undermining healthcare data security with targeted attack campaigns against large healthcare firms and related industries using a custom backdoor malware known as Trojan.Kwampirs. Here’s what you need to know to stay on top of the developing IT health and security of your healthcare organization:

What is Trojan.Kwampirs?

Trojan.Kwampirs is a type of malware — specifically a backdoor Trojan horse — that may be able to open back doors on compromised computers or download potentially malicious files. This type of malware was first discovered on August 19, 2016; researchers have noted little operational or internal change from first discovery.

How Do Orangeworm and Trojan.Kwampirs Infect Your System?

Orangeworm infiltrates a victim’s network, then deploys Trojan.Kwampirs to gain remote access to the compromised computer. Once deployed, Kwampirs collects information to determine if the victim is a high-value target, and if they are, the backdoor malware is aggressively copied across open network shares to infect other computers, specifically those running legacy operating systems, like Windows XP. Once infected, the malware cycles through a massive list of the original 2016 command and control (C&C) servers (including inactive ones) until a successful connection is established. It’s worth noting that the “noisy” propagation method may indicate that Orangeworm isn’t very concerned with being discovered, but the lack of change in the C&C communication protocol may also “indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network.”
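The propagation behaviour described above (one host copying the same executable onto many open shares in quick succession) is the kind of pattern a defender can triage from share-access telemetry. The heuristic below is an added example, not Symantec's detection logic or anything from this post; it assumes share-write events have already been normalised into a simple text layout, and all host and file names in the sample are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): one line per file written to a
# remote share, in the simplified layout this example assumes:
#   <timestamp> <source host> <target host> <share> <file name>
# Lines beginning with "#" are comments. Host and file names are made up.
SAMPLE_EVENTS = """\
# one workstation drops the same executable onto several hosts in seconds
2018-04-20T10:00:01 WS-07 RAD-PC1 ADMIN$ dropper.exe
2018-04-20T10:00:03 WS-07 RAD-PC2 ADMIN$ dropper.exe
2018-04-20T10:00:09 WS-07 MRI-CTRL ADMIN$ dropper.exe
# benign activity: a single patch push and an ordinary document copy
2018-04-20T10:02:00 ADMIN-01 WS-03 C$ patch.exe
2018-04-20T10:05:00 FILESRV WS-03 C$ report.docx
"""

def parse_events(text):
    """Parse the constructed layout into (time, src, dst, share, name) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, share, name = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, share, name))
    return events

def find_share_spray(events, min_hosts=3, window=timedelta(minutes=5),
                     exts=(".exe", ".dll")):
    """Return {(src, file name): [targets]} for every source host that wrote the
    same executable to at least min_hosts distinct hosts within one window."""
    drops = defaultdict(list)
    for ts, src, dst, _share, name in sorted(events):
        if name.lower().endswith(exts):
            drops[(src, name)].append((ts, dst))
    hits = {}
    for key, writes in drops.items():
        # writes are time-ordered; slide a window starting at each write
        for i, (start, _) in enumerate(writes):
            targets = {dst for ts, dst in writes[i:] if ts - start <= window}
            if len(targets) >= min_hosts:
                hits[key] = sorted(targets)
                break
    return hits

if __name__ == "__main__":
    for (src, name), targets in find_share_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src} wrote {name} to {len(targets)} hosts: {', '.join(targets)}")
```

Tune min_hosts and window to the environment: legitimate software deployment tools also write one binary to many hosts, so the source host and share name (admin shares versus user shares) are what separate a deployment job from a spreading backdoor.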

Who is Orangeworm?

Orangeworm hackers, who are considered likely to be an individual or a small group of unknown origin, are the new cybercriminals targeting the worldwide healthcare sector (they’ve reportedly been active since 2015). Symantec believes Orangeworm has recently conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims — healthcare organizations. And while their attacks appear well planned and deliberate, rather than random or merely opportunistic, the group’s exact motives are unclear. However, corporate espionage is believed to be a likely reason.

Who are the Known Victims of Orangeworm?

The known victims of Orangeworm are primarily in the healthcare industry — 39%, in fact — and include healthcare providers, pharmaceuticals, IT solution providers for healthcare, and equipment manufacturers that serve the healthcare industry. Trojan.Kwampirs was specifically found on high-tech devices, such as X-Ray and MRI machines, that require installed software to control them, and the Kwampirs malware also appears to be interested in machines that help patients complete consent forms. Orangeworm’s attacks, however, do hit other industries; here’s a quick breakdown of the sectors in which Orangeworm’s attacks fall:

Healthcare: 39%

Manufacturing: 15%

Information Technology: 15%

Unknown: 15%

Logistics: 8%

Agriculture: 8%

In the end, security researchers at Symantec still believe healthcare is the primary target, as many of the other seemingly unrelated industries do have multiple links to healthcare, such as: manufacturers producing medical imaging devices, IT organizations providing IT support services to hospitals and medical clinics, and logistics companies delivering healthcare products.

As far as which parts of the world are affected, Orangeworm’s attacks have primarily been found in the U.S. (17%), Europe, and Asia — you can see the breakdown of Orangeworm attacks by country on Symantec’s report. Keep in mind that the Kwampirs malware infections are found in multiple countries because many of the victims have been large international corporations.

Protect Your Healthcare Organization from Orangeworm

Healthcare organizations’ data-rich environments have become a primary target for hackers and cybercriminals — and they’ll continue to be so until each organization is thoroughly safeguarded and each employee is educated on IT best practices. Take the first step — and let Orangeworm be your last healthcare IT scare — by contacting Integracon for a free network assessment.