Under-Equipped, Under Siege: Healthcare Faces New Attacks, Old Headaches

As if it didn’t have enough to worry about, the healthcare industry is being stalked by a mysterious new adversary.

Last last month, Symantec identified a new attack group, dubbed Orangeworm, that deployed the Kwampirs backdoor in a targeted attack campaign against the healthcare sector and related industries in the United States, Europe, and Asia.

While the identity of the attack group still remains unclear, the perpetrators have demonstrated both sophistication and a highly-organized approach in their attempts to collect information on their targets in the healthcare supply chain. Symantec telemetry found that almost 40 percent of Orangeworm’s confirmed victim organizations operate within the healthcare industry.

What’s more, theirs isn't a scattershot approach; rather, the group spends considerable time gathering information about targeted systems and networks. Although their motives remain unclear, the evidence left behind suggests their intent is corporate espionage, rather than data theft or sabotage. These highly-targeted attacks also appear designed to be reconnaissance and information-gathering missions, such as gathering lists of files on the drive of an infected machine.

This sort of attack also was the initial infection vector for the Petya/NotPetya malware, which used a Trojanized update for a Ukrainian accounting software to infiltrate corporate networks, before later spreading worldwide using the EternalBlue exploit and other methods.  

The Kwampirs malware was discovered planted on sophisticated machines such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in equipment used to assist patients in completing consent forms for required procedures.  

After infiltration of the network, Trojan.Kwampirs, a backdoor Trojan, provides attackers with remote access to compromised computers. The backdoor collects rudimentary information about the compromised computers to determine whether the system is a high-value target. At that point, Kwampirs can spread rapidly across old Windows networks. The healthcare industry is particularly at risk due to the presence of so many older computers that still run Windows XP.

Something Old, Something New

This attack method also reflects an increasingly popular strategy in which attackers go after organizational supply chains, injecting malware implants to infect unsuspecting victims. Indeed, Symantec found an average of one supply chain attack occurred every month last year, compared to four attacks annually in previous years. These types of attacks allow attackers to infiltrate well-protected networks by exploiting weak links in their software supply chain.

While Orangeworm focused primarily on the healthcare industry, its secondary targets were found to have multiple links to healthcare within the manufacturing, information technology, agriculture, and logistics industries - whether that be the supply of medical imaging devices or support services to medical clinics, and logistical organizations that delivered healthcare products.

Even though these verticals have a better cyber security track record than healthcare, they remain highly vulnerable; as Symantec’s most recent Internet Threat Report notes, attackers are able to spread malware through already established distribution channels and so “compromise a large volume of computers in a short period of time, especially if the compromised software has an automated update mechanism.”

In the Crosshairs

Cyber criminals have had the healthcare industry in their crosshairs for some time now. Assailants carried out a well-publicized attack against the Hollywood Presbyterian Medical Center in Los Angeles, Calif. a couple of years ago, successfully holding the facility’s computer systems hostage until the hospital paid a $17,000 ransom in bitcoins. Copycats, lured by the prospect of scoring quick and easy returns on their investment, followed with their own ransomware attacks throughout the remainder of 2017 against other healthcare institutions.  

Hospitals are expected to continue to get singled out for attack this year. Not only do they have more to lose  - critical care providers need to maintain uninterrupted access to patient data, which can literally can be a matter of life and death - but some institutions may be tempted to pay out ransoms.

Also, the potential returns are relatively high. Personal health information can be 50 times more valuable on the black market than, say, stolen financial information with patient health records found to be selling for as much as $60 per record.

For the interim, all this suggests the bad guys will keep attacking what they consider to be an easy target. Many health care institutions rely on insecure, legacy computer systems that are vulnerable to skilled cyber attackers. There’s just plainly plainly more to maintain when it comes to healthcare infrastructure. However, a report issued earlier this year by Symantec and HIMSS Analytics found that the majority of healthcare providers spend less than 6% of their IT budgets on cyber security. By comparison, the finance industry typically tends to spend 10 to 12% of its IT budget on security.

“Diversity comes at cost,” says Symantec Technical Architect Axel Wirth, adding that “from a security perspective that’s a problem because in security, diversity in your enemy.”

If you found this information useful, you may also enjoy:

• New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia
• Healthcare Cyber Security: Is That Light at the End of the Tunnel?
• 3rd Annual Healthcare IT Security & Risk Management Study
• 2018 Symantec Internet Threat Report