Security researchers have discovered a new hacking group that is targeting healthcare organizations, and other major international corporations related to this sector, all around the world, especially in the United States, Europe, and parts of Asia. The intent of this group is to conduct corporate espionage. Researchers have named this hacker group “Orangeworm”. According to a recent report, the group has been active since early 2015, and its primary focus is the health sector.

Healthcare Hackers

How does Orangeworm work?

The healthcare industry has been targeted by Orangeworm to get access to patients’ records and to learn more about imaging devices. The hackers install a Trojan (dubbed “Kwampirs” by security researchers) on computers used to control high-tech imaging devices like MRI and X-ray machines. By opening a backdoor on these compromised computers, the hackers can steal sensitive data and remotely access the equipment. It also infects machines that are used to help patients fill out consent forms.

Kwampirs then collects some basic information from the compromised computer and sends it to a remote command-and-control server operated by the hackers. This server then determines whether the hacked system belongs to a high-value target or to a researcher. If the server finds the victim to be of interest, the malware spreads itself across network shares and infects the other computers in the same organization. The malware uses the system’s built-in commands to gather information about the compromised system and network instead of using third-party enumeration and reconnaissance tools.

Companies infected by Orangeworm

Almost 40% of companies infected by this malware belong to the healthcare sector, while the rest, although not part of the medical sector themselves, are related to healthcare organizations. Other organizations infected with Orangeworm belong to the agriculture, logistics, IT services, and manufacturing sectors. According to researchers, the hackers attempted a supply-chain attack to penetrate the software of healthcare organizations by infecting a service provider.

Profile of the hackers  

According to investigators, Orangeworm does not fit the tactics, techniques, and procedures of a classic nation-state APT (advanced persistent threat), but it is still an APT. The prevailing assessment is that Orangeworm is a single hacker or a group of lone hackers working to steal patient information from healthcare organizations to sell on the black market. Patient information is considered more complete than the customer data stored by financial or other institutions. The hackers gather as much information as they can about their victims, such as network shares and user groups, configuration information, account policy information, lists of directories and files, running system processes and services, accounts with admin access, and the like.
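The reconnaissance described above runs on the system’s own built-in commands, so the detection opportunity for defenders is a burst of distinct discovery commands from one host in a short window. The following script is an added example, not code from the original article or from the Orangeworm report; the log format, the sample log lines and the list of discovery commands are all constructed assumptions for this illustration.

```python
"""Flag hosts that run a burst of built-in discovery commands.

Assumed input: constructed process-creation log lines of the form
    <ISO timestamp> host=<name> user=<name> cmd=<command line>
The set of discovery commands below is an assumption for this example,
not a list taken from the Orangeworm/Kwampirs report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in commands commonly used for host/network enumeration (assumed list).
DISCOVERY = {"net", "systeminfo", "tasklist", "ipconfig", "dir", "whoami", "sc", "netstat"}

# Sample log lines, constructed for this example (not real telemetry).
SAMPLE_LOGS = """\
2018-04-23T10:00:01 host=ws-radiology-01 user=svc_img cmd=net share
2018-04-23T10:00:03 host=ws-radiology-01 user=svc_img cmd=net user
2018-04-23T10:00:05 host=ws-radiology-01 user=svc_img cmd=net accounts
2018-04-23T10:00:09 host=ws-radiology-01 user=svc_img cmd=systeminfo
2018-04-23T10:00:12 host=ws-radiology-01 user=svc_img cmd=tasklist /v
2018-04-23T10:00:15 host=ws-radiology-01 user=svc_img cmd=net localgroup administrators
2018-04-23T10:05:00 host=ws-frontdesk-02 user=clerk cmd=ipconfig /all
2018-04-23T11:30:00 host=ws-frontdesk-02 user=clerk cmd=net use
"""

def parse_line(line):
    """Split one log line into (timestamp, host, user, command line)."""
    ts, host, user, cmd = line.split(" ", 3)
    return (datetime.fromisoformat(ts), host[len("host="):],
            user[len("user="):], cmd[len("cmd="):])

def discovery_key(cmd):
    """Return a normalised discovery-command key, or None if not discovery.
    'net' is keyed with its subcommand so 'net share' and 'net user' count
    as distinct enumeration steps."""
    tokens = cmd.lower().split()
    if not tokens or tokens[0] not in DISCOVERY:
        return None
    return " ".join(tokens[:2]) if tokens[0] == "net" and len(tokens) > 1 else tokens[0]

def find_discovery_bursts(log_text, window=timedelta(minutes=2), threshold=4):
    """Return {host: set of distinct discovery commands} for every host that
    ran at least `threshold` distinct discovery commands within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _user, cmd = parse_line(line)
        key = discovery_key(cmd)
        if key:
            events[host].append((ts, key))
    hits = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {k for t, k in evs[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[host] = seen
                break
    return hits
```

The front-desk host runs two discovery commands 85 minutes apart and is not flagged, while the radiology workstation runs six distinct ones in fourteen seconds and is.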

If the malware detects something of value on the system, Kwampirs copies itself, propagates across the network, and infects other computers. Investigators are of the opinion that the hackers are conducting some sort of espionage on the sector, as they do not appear to be copying any data from the network.

The hackers are not concerned about being detected, as they use lateral movement methods that are considered noisy and antiquated. In spite of this, it took investigators three years to identify and disclose the group’s attacks. According to investigators, the reason this malware went undetected for so long is that healthcare organizations usually use computers that are old, run software that is rarely updated, and have no antivirus, and are therefore easy to hack.

According to experts, the hackers employed a similar pattern in all the attacks that were carried out. They infected one computer with Kwampirs and then spread it to others. This gave them remote access to every infected host. The hackers spread the malware to as many systems as possible, which is why it has also infected the computers that control medical devices.

Security concerns

According to the findings of a detailed report on the group’s method of operation, the hackers have made no effort to update the malware since the first attacks, which suggests that the attackers are either stupid or supremely confident about never getting caught.

These attackers are bold, and their methods have proved very effective. Security researchers have long stressed the need to put security measures in place to safeguard these weak points. Medical devices have been targeted before as well: recently, the WannaCry ransomware also hit hospitals all around the globe.

Even though the motives of Orangeworm are unclear and investigators have been unable to trace the group’s origins, they are of the opinion that the group is conducting espionage for personal gain and commercial purposes. They have found no significant evidence suggesting that a nation-state backs it.

Although Orangeworm is neither the first nor the last malware to hit healthcare organizations, it is imperative that these organizations routinely search and monitor their computer systems to make sure that their devices are safe from such attacks.
