
Medic! Orangeworm malware targets hospitals worldwide

Hacking campaign goes after care providers and equipment

If there's one thing security vendors love it's a catchily-named piece of malware to whip up fervor over, and boy is it a good day to be Symantec.

The company on Monday introduced the world to Orangeworm, a particularly nasty hacking operation that has been mainly attacking companies in the healthcare field. The operation is said to rely largely on the Kwampirs malware, a back-door trojan allowing the attackers to remotely access a machine and then spread over a local network.

The attack is believed to have been operational since at least January 2015 and claims most of its victims (17 per cent) in the US, with additional infections spotted throughout Europe and Asia.

Researchers believe the malware is looking to get into sensitive medical information in carefully selected targets, though they aren't sure exactly what the ultimate aim of Orangeworm is.

In addition to healthcare companies, Orangeworm's Kwampirs malware has been found running on manufacturing systems and IT provider machines, though Symantec believes those infections are intended as a way to gain access to healthcare companies that would contract with health providers.

"According to Symantec telemetry, almost 40 percent of Orangeworm’s confirmed victim organizations operate within the healthcare industry," Symantec notes.

"The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures."

If there is one bit of good news, it's that Orangeworm and its Kwampirs trojan are not particularly discreet. Once a machine is infected, the malware tends to perform easy-to-detect activities, such as pinging a long list of command-and-control servers and trying to copy itself over network shares.

This, Symantec says, could simply be a reflection on the state of IT in healthcare.

"While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP," the company explains.

"This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry." ®
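The two noisy behaviours the article describes, a host working through a long list of command-and-control addresses and a host copying files to admin shares on its neighbours, are the kind of thing a simple threshold rule over existing telemetry can surface. The following Python heuristic is an added example, not code from the article or from Symantec's report; the log format, host names, addresses (RFC 5737 documentation ranges) and thresholds are all assumptions.

```python
"""Flag hosts that contact many distinct external addresses or write to admin
shares on many peers. Added illustration (not Symantec's detection logic);
the log format, names, addresses and thresholds are assumptions."""

from collections import defaultdict

# Constructed sample telemetry, one event per line: "<host> <event> <target>"
SAMPLE_LOG = r"""
ws-radiology-01 outbound 203.0.113.10:443
ws-radiology-01 outbound 203.0.113.11:443
ws-radiology-01 outbound 203.0.113.12:443
ws-radiology-01 outbound 203.0.113.13:443
ws-radiology-01 outbound 203.0.113.14:443
ws-radiology-01 outbound 203.0.113.15:443
ws-radiology-01 share_write \\ws-mri-02\ADMIN$\svc.exe
ws-radiology-01 share_write \\ws-xray-03\ADMIN$\svc.exe
ws-radiology-01 share_write \\fs-consent-01\C$\Windows\svc.exe
ws-admin-02 outbound 203.0.113.10:443
ws-admin-02 outbound 198.51.100.7:443
ws-admin-02 share_write \\fs-consent-01\Reports\q1.xlsx
"""

def parse_events(log):
    """Yield (host, event, target) tuples, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            host, event, target = line.split(maxsplit=2)
            yield host, event, target

def peer_of(unc_path):
    r"""Return the server name from a UNC path such as \\server\share\file."""
    return unc_path.lstrip("\\").split("\\", 1)[0]

def find_suspicious(log, beacon_threshold=5, share_threshold=3):
    """Return {host: [reasons]} for every host crossing either threshold."""
    external = defaultdict(set)     # host -> distinct outbound destinations
    admin_peers = defaultdict(set)  # host -> peers that received admin-share writes
    for host, event, target in parse_events(log):
        if event == "outbound":
            external[host].add(target)
        elif event == "share_write" and "$" in target:  # ADMIN$, C$ and friends
            admin_peers[host].add(peer_of(target))
    findings = defaultdict(list)
    for host, dests in external.items():
        if len(dests) >= beacon_threshold:
            findings[host].append(f"contacted {len(dests)} distinct external hosts")
    for host, peers in admin_peers.items():
        if len(peers) >= share_threshold:
            findings[host].append(f"wrote to admin shares on {len(peers)} peers")
    return dict(findings)
```

On the constructed log only ws-radiology-01 is flagged, for both behaviours; the ordinary admin workstation that reaches two addresses and writes one report to a normal share stays quiet.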
