Kwampirs Backdoor Used in Targeted Attacks on Healthcare Industry

A relatively recently identified threat group known as Orangeworm is conducting targeted attacks on large healthcare organizations in the United States, according to Symantec.

The threat group was first identified in January 2015 and has been conducting supply chain attacks with the aim of installing backdoors on devices used by large healthcare firms. Already, several healthcare providers, IT solution providers, pharmaceutical firms, and medical equipment manufacturers have been attacked.

The Orangeworm threat group has conducted attacks on a wide range of industries, including manufacturing, agriculture, IT, and logistics. Even though these attacks have taken place on companies in seemingly unrelated industries, many targeted companies in these sectors have links to healthcare organizations, such as logistics firms that deliver medical supplies, IT firms that have contracts with healthcare providers, and manufacturers of medical imaging devices. 39% of all confirmed attacks have been on firms operating in the healthcare sector.

Rather than use the spray-and-pray tactics of ransomware gangs, the Orangeworm attacks appear to be highly targeted. Companies are carefully researched before the attacks take place.

Symantec notes that while attacks have taken place in several countries, the U.S. is the most targeted country, accounting for 17% of attacks. Large firms operating in the healthcare sector, in particular those with large international operations, appear to be the primary targets.

A common denominator in many of the attacks is that the devices on which the backdoor has been installed are used in conjunction with medical imaging devices, such as MRI and X-ray machines. Several attacks have targeted machines used to help patients complete consent forms for medical procedures.

Once access is gained to a machine and the attackers have determined the device is of value, the Kwampirs backdoor is deployed. From that device, the threat actors gather information on the machine itself, its network shares, mapped drives, and the files stored on it. The Kwampirs backdoor is then aggressively copied onto other machines via network shares. Windows XP machines are most susceptible to this type of attack, which could explain why machines linked to imaging devices are commonly infected, since many of them still run Windows XP.

Symantec has not discovered any evidence that points to this being a nation-state sponsored attack and suggests this could be the work of an individual or a small group of hackers. It is currently unclear why the attacks are taking place and what the ultimate aim of the attackers is. It is possible that the backdoor is being installed for future attacks on healthcare organizations or to steal patient data, although Symantec suggests the threat group is attacking healthcare firms for corporate espionage purposes.

Fortunately, the attackers do not appear to be overly concerned with being detected. The method used to spread the backdoor laterally is particularly noisy and relatively easy to identify, although some attempts have been made to avoid hash-based detection, such as inserting a random string into the middle of the decrypted payload before it is written to the disk.
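The noisy lateral spread described above (an infected host writing an executable into the administrative shares of many other machines in a short time) is exactly the kind of behaviour a defender can count on. The following is an added example, not code from Symantec or from the original article: a small detection routine run over constructed share-access log lines loosely modelled on Windows Security event 5145. Host names, IP addresses, the file name `svcupdate.exe`, the log format and the thresholds are all invented for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on Windows Security event 5145
# (network share object access). Hosts, IPs and file names are invented.
SAMPLE_EVENTS = """\
2018-04-23T09:00:01 src=10.0.5.21 dst=IMG-WS-01 share=ADMIN$ path=Temp\\svcupdate.exe
2018-04-23T09:00:09 src=10.0.5.21 dst=IMG-WS-02 share=ADMIN$ path=Temp\\svcupdate.exe
2018-04-23T09:00:15 src=10.0.5.21 dst=IMG-WS-03 share=C$ path=Windows\\Temp\\svcupdate.exe
2018-04-23T09:01:02 src=10.0.5.21 dst=CONSENT-KIOSK-04 share=ADMIN$ path=Temp\\svcupdate.exe
2018-04-23T09:30:00 src=10.0.5.77 dst=FILESRV-01 share=ADMIN$ path=Temp\\patch.exe
2018-04-23T09:31:00 src=10.0.5.77 dst=FILESRV-02 share=Reports path=Q1\\summary.xlsx
2018-04-23T11:45:00 src=10.0.5.21 dst=IMG-WS-09 share=ADMIN$ path=Temp\\svcupdate.exe
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"share=(?P<share>\S+) path=(?P<path>\S+)$"
)
ADMIN_SHARES = {"ADMIN$", "C$"}      # shares an admin-level copy would land in
EXEC_SUFFIXES = (".exe", ".dll")     # file types worth counting as a "drop"

def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def find_noisy_spreaders(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {src: sorted hosts} for sources that dropped an executable into an
    administrative share on at least `min_hosts` distinct hosts within `window`."""
    by_src = {}
    for ev in events:
        if ev["share"] in ADMIN_SHARES and ev["path"].lower().endswith(EXEC_SUFFIXES):
            by_src.setdefault(ev["src"], []).append((ev["ts"], ev["dst"]))
    hits = {}
    for src, writes in by_src.items():
        writes.sort()                       # chronological, so each slice is a window
        for i, (start, _) in enumerate(writes):
            hosts = {dst for ts, dst in writes[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)   # report the first window that trips it
                break
    return hits
```

Because the check keys on behaviour (one source, many destinations, executable dropped into admin shares) rather than on a file hash, padding the payload with a random string before writing it to disk does not affect it.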

Healthcare organizations are being encouraged to analyze their networks and machines for signs of infection using Symantec’s Orangeworm indicators of compromise (PDF).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.