One of the experts who first discovered the hacker group says the attacks look like corporate espionage, not cyber warfare.
From a technical cybersecurity standpoint, Orangeworm is not that interesting. The group traffics in boilerplate malware, and it doesn’t try very hard to hide what it’s doing.
Why it’s probing healthcare’s technology supply chain, however, remains a mystery.
“This is not the most complex attack we’ve ever seen by any means,” Jon DiMaggio told Healthcare Analytics News™. DiMaggio is a senior threat intelligence analyst for the Symantec Security Response Team. Symantec made waves this week throughout the health industry (or at least its accompanying media) when it released a report this week about Orangeworm, an actor or group that has been installing Kwampirs malware in business machines in healthcare and other industries.
DiMaggio’s team first discovered the Orangeworm’s actions in 2016, tracing the group’s first appearance back to January 2015. If they had looked at the attacks in isolation, DiMaggio said, they’d have thought very little of them. But over time, the hacker’s targets started to portray a peculiar pattern.
“At first, it was very confusing. It wasn’t clear that this was the healthcare industry, because one of the first things we looked at was software for creating labels for prescription bottles. It’s a very odd target,” DiMaggio said. But then they found evidence of the group in attacks against pharmaceutical companies, medical device technology companies, and other healthcare-related software firms. It also found its way directly into some endpoint medical devices, like X-ray and MRI machines.
As basic as the malware is, it became clear to the Symantec analysts that whoever was behind the attacks had a pretty good idea of what they were doing. When they infected a machine, they’d use the Kwampirs backdoor to send back some context on what machine they had in their grasp. If they infected 100, DiMaggio said, they’d deem about 10 of them to be high-value and spend time—“a lot of time”—poking around, seeing which directories the computer had access to and which files were on the machine.
“It wasn’t just that this was infecting vulnerable machines; it was infecting machines that fit this theme, and they had a thought process and some goals,” he said. “When we've see things like that in the past, a lot of times it’s related to a nation-state actor.”
But the team ruled that out because the attackers have been “noisy.” Aside from North Korea, nation-state actors typically try to obscure their presence in a system. Orangeworm might have made it difficult to identify its malware’s origin, but the group made no effort to hide the fact that it was exporting information.
And it wasn’t looking at patient information—no protected health information or patient records appeared to be compromised.
So, what has Orangeworm been up to?
“From what we have, it was clearly information-gathering and learning these systems,” DiMaggio said. “It wouldn’t be that far out there to speculate that this is corporate espionage, whether they’re creating versions of the software, or whether it’s a hacker-for-hire that’s looking to provide another technology to another organization. But clearly the only benefit I can see from this is to learn these systems because you want to mimic or use a stolen version of it without having to put the money into development of research.”
Corporate espionage is only a theory at this point, DiMaggio added. But he didn’t pull that idea from thin air. Symantec, after all, has been tracking Orangeworm for the past 2 years.
The company waited to release its subsequent report because it wanted to ensure that victims were no longer vulnerable. But as deep as his team’s well of data may be, DiMaggio can’t know of every cyberattack. There may be other victims out there, and finding as many as possible might help create a more complete picture of Orangeworm’s actions and goals.
“We’re only seeing what we have visibility into. There are probably others out there,” he said. “And even if not, this is not going to be the last attack on the healthcare community. We felt it was important to get this information into the hands of the decision makers.”