News & Analysis

Supply Chain, Healthcare Firms Face Cyberattacks

In the summer of 2018, Symantec had identified the Orangeworm virus that deployed a remote access trojan (RAT) to target healthcare providers and associated industries with the likely purpose of corporate espionage. It seems the FBI has evidence to suggest that a repeat attempt could be in the offing sometime now and warns companies to be alert.

A report published on ZDNet.com says that the FBI has sent a security alert to all American companies warning them of an ongoing hacking campaign on software providers working with supply chain companies and healthcare organizations. The report says that hackers were attempting to infect companies with the Kwampirs malware that was identified in 2018.

Two years ago, the same virus had affected healthcare providers, pharmaceuticals, IT solution providers for the healthcare industry, and equipment manufacturers who worked closely with patient care. Research had concluded that the purpose of the attack was to seek corporate data from the enterprises – a form of corporate espionage.

“Software supply chain companies are believed to be targeted in order to gain access to the victim’s strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution,” the FBI said in a private industry notification sent out last week, the ZDnet.com report says.

Having described the range and the challenges that Kwampirs caused, Symantec had reported that the Orangeworm did not select its targets randomly or conduct opportunistic hacking. Instead, the groups appear to choose their targets carefully and deliberately, conducting a good amount of planning before launching an attack.

Which is what the FBI note is focusing on now, while not disclosing whether any enterprise has actually fallen prey to the malware till date. The federal agency has instead listed out the indicators of compromise or IOCs so that enterprises can get regular scans done of internal networks for signs of the Kwampirs RAT.

According to Symantec telemetry, almost 40 percent of Orangeworm’s confirmed victim organizations operate within the healthcare industry. The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear.

It went on to suggest that the Kwampirs used aggressive means to propagate itself once inside a victim’s network by copying itself over network shares. While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP. This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry, which perhaps makes enterprises in the SMB space more prone to attacks.

Additionally, once infected, the malware cycles through a large list of command and control (C&C) servers embedded within the malware. It appears while the list is extensive, not all of the C&Cs are active and continue to beacon until a successful connection is established.

Though the FBI hasn’t issued any security alert, the fact remains that by bringing it into public domain, the United States is sending out a warning to other countries to be on their guard. Maybe, enterprises in India too need to be aware of the challenges and have their security protocols tuned to go after the Kwampir RAT.

Leave a Response