Hackers Target X-Ray, MRI Machines in Healthcare Corporate Espionage


Cybersecurity researchers have identified a mysterious hacking group that has been targeting the healthcare sector and other related industries.

Dubbed ‘Orangeworm’, the attack group was first identified in January 2015 and has since been observed installing custom backdoors called Trojan.Kwampirs with large healthcare corporations in the United States, Europe and Asia. Victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that cater to the healthcare industry.

Researchers at Symantec, who discovered the group, say Orangeworm’s motives are likely to be corporate espionage.

The group has secretly been delivering Windows-based malware to nearly 100 organizations over the past three years, with the largest concentration of victims based in the US at 17 percent. More specifically, hackers targeted legacy Windows 95 systems that can control X-Ray and MRI machines with malware that was capable of gaining remote access to a computer and even spread itself over a network.

“We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare,” researchers added. “Orangeworm’s secondary targets include Manufacturing, Information Technology, Agriculture, and Logistics. While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products.”

Orangeworm is thought to be a hacker or a group of lone hackers looking to steal patient information from healthcare organizations to make illegal gains on black markets. Patient information stored at pharma and healthcare organizations are commonly seen to be far more lucrative than user data from a financial institution.

Notably, researchers said Orangeworm does not fit or deploy the tactics, techniques and procedures used by the likes of a nation-state actor, although it is still seen as an advanced persistent actor (APT).

“There are currently no technical or operational indicators to ascertain the origin of the group,” Symantec added.

Image credit: Pixabay.