Hacking activity targeting the healthcare sector continues to rise. New security research just released by Symantec has identified a global hacking group called ‘Orangeworm’. Though its targeted victims accounted for a small number of organisations in 2016 and 2017 (mostly in the USA and Asia), some were identified as being based in Europe. Analysis by industry has revealed that the healthcare sector is Orangeworm’s primary target, with 39% of hacking outcomes manifesting themselves in this data rich sector which includes hospitals and pharmacies.
Symantec said, “Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack”.
Orangeworm’s wormable trojan, named ‘Kwampirs’ is able to vet the data to determine if the computer is used for research, or contains high value data targets eg. patient information. The Kwampirs then create a backdoor on compromised computers, enabling the hackers to remotely access equipment and steal sensitive data – and Orangeworm survives reboots.
The trojan worm has a penchant for machine software on critical hospital equipment which includes kit like x-ray machines and MRI scanners, as well as machines used to assist patients in completing consent forms. If the ‘victim’ computer is of interest, the malware then “aggressively” spreads itself across open network shares to infect other computers within the same organisation and uses built-in commands to grab data. This includes “any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.”
The supply chain is a key part of this vulnerability funnel, with targets including manufacturers providing medical devices and technology companies offering services to clinics, plus logistics firms delivering healthcare products.
Director of Technology, Security & Governance, JP Norman advises: “Ensure your anti-malware provider can detect Kwampirs activity and to prevent and detect an infection, ensure that:
• A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
• All operating systems, anti-virus and other security products are kept up-to-date.
• All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
• Strong password policies are in place and password reuse is discouraged.
• Network, proxy and firewall logs should be monitored for suspicious activity.
• User accounts accessed from affected devices should be reset on a clean computer.”
Sales Director, Les Keen added, “Where there is the option for healthcare / supply chain organisations to prioritise IT funding, updating the Operating Systems is a primary, as is ensuring a strong and regular policy on Patch Management. Our Sales and Security teams are always on hand to review and audit organisational IT infrastructure and offer holistic remediation advice as part of our security readiness programmes. Just call us on +44 2380 429429”.