An previously unknown attack group, dubbed Orangeworm by Symantec threat researchers, is installing the Kwampirs backdoor and is targeting the healthcare sector in the US, Europe and Asia. The backdoor is then used to install a remote access program, giving the attackers access to compromised machines.
According to a post by Symantec, known victims include healthcare providers, pharmaceutical companies, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage. Almost four in five victims of the attack are in the healthcare sector with manufacturing and logistics also in the attacker’s sights.
The Kwampirs malware was found on machines which had software installed for the use and control of X-Ray and MRI machines as well as machines used to assist patients in completing consent forms.
The post by Symantec’s threat researchers details how the exploit works, where it can be found on compromised machines, what data it’s used to extract and the addresses of known command and control servers.
Older systems, running Windows XP, are particularly targeted. While support for that platform ended some time ago, it still remains present in the control software for many medical devices as patching or updating is considered too expensive or difficult and could render expensive medical equipment unusable.