The Orangeworm Mystery Plaguing the Health Sector

by James Scott, Co-Founder and Sr. Fellow, ICIT

The international healthcare community is currently beleaguered by an obscure adversary with elusive motives. Supply chain attacks on healthcare providers, pharmaceutical companies, medical-sector IT solution providers and equipment manufacturers, delivered via phishing emails, first emerged in January 2015. The largest share of the hundred attacks remains focused on the health sector (39%). More recently, Orangeworm has evolved to compromise secondary targets including manufacturing (15%), information technology (15%), agriculture (8%) and logistics (8%) [1]. Analysis of the secondary targets revealed that each had multiple links to healthcare: large manufacturers that produce medical imaging devices sold directly to healthcare firms, IT organizations that provide support services to medical clinics, and logistics organizations that deliver healthcare products [2]. It has also targeted specialized organizations, such as a company that makes the labels that go on prescription bottles [3].

Symantec discovered the Orangeworm group planting its custom remote-access Trojan, Trojan.Kwampirs, as a backdoor on X-ray machines, magnetic resonance imaging machines and other medical computers to steal information from healthcare providers in at least twenty-four countries across the United States, Europe and Asia. Kwampirs decrypts and extracts a copy of its Dynamic Link Library payload, inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detection, and then writes the payload to disk. For persistence, Kwampirs creates the “WmiApSrvEx” service so that the main payload is loaded into memory on every reboot [1]. The backdoor then collects rudimentary details about the victim host, including basic network adapter information, system version information and language settings. This information may be used to determine whether the victim system is used for research or is otherwise a high-value target.

If the system is deemed valuable, Kwampirs propagates aggressively across the victim’s network by copying itself over open network shares to infect other computers; the attacker shows no concern about being discovered. While this method is considered outdated, it remains viable in environments that run older operating systems such as Windows XP, and it has proven effective in the healthcare industry, where legacy systems on older platforms designed for the medical community remain prevalent. Hidden shares to which it copies itself include “ADMIN$,” “C$\WINDOWS,” “D$\WINDOWS,” and “E$\WINDOWS.” Kwampirs then gathers data to send back to a command-and-control server, including information about recently accessed computers, network adapter information, available network shares, mapped drives and files present on the compromised computer [2].
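As an added illustration, not taken from the article or from Symantec, the following detection sketch looks for the two host behaviours just described: installation of a service named WmiApSrvEx (persistence) and one source address requesting write access to hidden administrative shares on several hosts (the share-copy spreading). The records are constructed to resemble Windows event log entries (7045 service install, 5145 share object access); the field names and sample values are assumptions, not real telemetry.

```python
from collections import defaultdict

SERVICE_NAME = "wmiapsrvex"                  # persistence service named in the article
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}  # hidden shares Kwampirs copies itself over
WRITE_BIT = 0x2                              # WriteData/AddFile bit in the 5145 AccessMask

# Constructed sample events (not real telemetry): (event_id, host, fields).
# 7045 = new service installed, 5145 = network share object access checked.
SAMPLE_EVENTS = [
    (7045, "imaging-01", {"ServiceName": "WmiApSrvEx"}),
    (7045, "ws-07", {"ServiceName": "Spooler"}),
    (5145, "imaging-02", {"ShareName": r"\\*\ADMIN$", "AccessMask": "0x2", "IpAddress": "10.1.1.11"}),
    (5145, "imaging-03", {"ShareName": r"\\*\C$", "AccessMask": "0x12019f", "IpAddress": "10.1.1.11"}),
    (5145, "fileserver", {"ShareName": r"\\*\Public", "AccessMask": "0x2", "IpAddress": "10.1.1.50"}),
    (5145, "imaging-04", {"ShareName": r"\\*\ADMIN$", "AccessMask": "0x1", "IpAddress": "10.1.1.50"}),
]


def is_kwampirs_service(fields):
    """7045 record whose service name matches the backdoor's persistence service."""
    return fields.get("ServiceName", "").lower() == SERVICE_NAME


def is_admin_share_write(fields):
    """5145 record requesting write access on a hidden administrative share."""
    share = fields.get("ShareName", "").rsplit("\\", 1)[-1].upper()
    mask = int(fields.get("AccessMask", "0x0"), 16)
    return share in ADMIN_SHARES and bool(mask & WRITE_BIT)


def analyze(events, min_targets=2):
    """Return hosts showing the persistence artefact and source IPs that wrote to
    admin shares on at least `min_targets` distinct hosts (the spreading pattern)."""
    persistence = []
    writes = defaultdict(set)
    for event_id, host, fields in events:
        if event_id == 7045 and is_kwampirs_service(fields):
            persistence.append(host)
        elif event_id == 5145 and is_admin_share_write(fields):
            writes[fields["IpAddress"]].add(host)
    spreaders = {ip: sorted(h) for ip, h in writes.items() if len(h) >= min_targets}
    return {"persistence": persistence, "spreaders": spreaders}


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

A single admin-share write is routine administration; the `min_targets` threshold is what separates the backdoor's fan-out across many hosts from a normal deployment.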

Exact motives for the attacks remain unclear. Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking [2]. The attacks are precisely targeted, with victim systems carefully and deliberately infected after significant reconnaissance [1]. Orangeworm appeared to have an interest in machines used to assist patients in completing consent forms for required procedures [2]. According to Symantec, little has changed in the internals of Kwampirs since its first discovery, indicating either that previous mitigation methods against the malware have been unsuccessful or that the attackers have been able to reach their intended targets despite defenders being aware of their presence on the network. The attacker attempted to keep infections active for prolonged periods, indicating a drive to study the infected systems and the surrounding network. There was no clear evidence that the malware featured cyber-kinetic capabilities. Though the malware has been active for years, little is known about the attacker; Symantec believes the threat actor is an individual or a small collective [1]. The adversary’s intent is to collect information across the entire healthcare supply chain: corporate espionage conducted not for sabotage, the destruction of equipment or financial gain. One theory is that the group may be part of a more extensive apparatus that has gained access to proprietary source code or intellectual property and is conducting surveillance to ascertain how health organizations operate. It is also possible that in the future Kwampirs will download additional malware capable of cyber-kinetic attacks, of modifying or deleting data, and so on. Whatever the motive behind the campaign, it behooves health organizations to migrate their systems away from Windows XP and other outdated operating systems and to push their software vendors to prioritize security over ease of use [3].


[1] Riley, D. (2018). Orangeworm targets X-ray machines and MRIs in latest healthcare hacking attack. [online] SiliconANGLE. Available at: [Accessed 8 May 2018].

[2] (2018). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. [online] Available at: [Accessed 8 May 2018].

[3] Seals, T. (2018). Orangeworm Mounts Espionage Campaign Against Healthcare. [online] Threatpost. Available at: [Accessed 8 May 2018].
