A hacker group known as Orangeworm is launching targeted attacks against the healthcare industry, focusing on well-known vulnerabilities within legacy imaging devices to gain access to hospital systems.
First identified in 2015, Orangeworm is not a new group, but it has zeroed in on healthcare with 40% of its attacks aimed at the industry, according to a report released last week by Symantec.
Using Trojan.Kwampirs malware, the group has targeted vulnerabilities in X-ray and MRI machines that often run older operating systems like Windows XP. Unlike last year’s WannaCry attack, which exploited the vulnerabilities of older systems in a global attack, Orangeworm is far more selective and coordinated, an indication the group may be working for a specific client or engaged in corporate espionage.
“Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking,” Symantec analysts wrote. “Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”
The imaging suite is widely known as “the worst offender in terms of having outdated systems,” according to John Nye, senior director of cybersecurity research and communications at CynergisTek, a healthcare cybersecurity and information management consulting firm based in Mission Viejo, California. He noted that the malware used by the group is “very loud,” but preys specifically on vulnerabilities in Windows XP.
“[Hospitals] have no control over the devices themselves,” Nye said, noting that imaging devices are often leased from manufacturers and come with preloaded operating systems. “Even if they know this MRI has a horribly insecure system, there’s nothing they can do about it. It's still on their network and the bad guys know it.”
The sheer number of vulnerabilities is likely what makes healthcare such an appealing target for the group. Nye says Orangeworm may be targeting specific hospitals and even specific patients to blackmail individuals or use information for targeted spearfishing campaigns.
Device vulnerabilities aren't limited to the imaging suite, however.
“Depending on the statistics provider, the average patient in a hospital bed has between 10-15 health tech devices,” Terry Ray, chief technology officer at Imperva, said in an email. “Unfortunately, most of these are legacy devices which have very little, if any, security controls in place.”
Healthcare providers can take several measures to protect their network and limit the scope of an attack by ensuring malware signatures and antivirus programs are up-to-date. Segmenting the hospital network to isolate vulnerable devices can prevent a larger attack.
Ultimately, however, more needs to be done at the federal level or in Congress to address cybersecurity vulnerabilities within legacy devices.
“We were at an inflection point where something needed to be done five years ago,” Nye said. “Now we're at a crucial emergency point.”