Corporate Espionage Hits Healthcare Sector with Orangeworm Attacks

By Trenton Baker, Senior Product Marketing Manager, KeepItSafe
Twitter: @keepitsafe

The healthcare industry has seen its fair share of ransomware attacks over the past year, with six of the top ten breaches in 2017 being a direct result of a malware attack. In the new year, the threats and frequency of ransomware attacks continue to escalate, with data breaches and HIPAA violations across the nation. In no particular order, here is a collection of recent 2018 incidents:

  • Breach: 30,000 consumers of medical device manufacturer Inogen affected.
    • Cause: An employee email account was compromised for two months by foreign cybercriminals.
  • Breach: 85,000 patients of the California-based Center for Orthopedic Specialists.
    • Cause: A ransomware attack that exploited vulnerabilities at an IT vendor.
  • Breach: $418,000 HIPAA fine against New Jersey firm Virtua Medical.
    • Cause: A misconfigured server left 1,650 patients' ePHI records accessible online.

As if the healthcare sector didn’t have enough to worry about with employee error, hardware failures, insecure managed IT vendors, and non-compliant HIPAA cloud storage service providers, there is a newcomer to add to the list of social engineering, hacktivism, and ransomware concerns.

Meet the Orangeworm Cybergang
An attack group known as Orangeworm is targeting the networks of healthcare firms, pharma companies, and equipment manufacturers, and its malware has been found on some X-ray and MRI machines. The cybersecurity firm Symantec uncovered the Orangeworm group and its focus on the healthcare industry. These recent attacks have hit companies in more than 20 countries, with the U.S. showing the highest infection rate at 17 percent.

“The group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.” – Symantec.

This recent wave of attacks is centered on a long-play malware strategy rather than spray-and-pray ransomware. Because the malware has no ransomware component and the attacks target the healthcare industry, it is surmised that the Orangeworm group’s end game is corporate espionage and that the activity is unlikely to be state-sponsored.

Symantec research shows that up to 40% of the attacks hit healthcare entities directly, while the remaining 60% of victims are secondary targets linked to the healthcare industry. These other sectors include manufacturers producing medical imaging devices sold to healthcare firms, IT vendors offering services to medical clinics, and even logistics organizations delivering healthcare products.

Vulnerable Healthcare Records
The malware payload is a custom backdoor known as Trojan.Kwampirs, which gives an attacker remote access to a compromised computer. Once Orangeworm has penetrated a network, Kwampirs is executed to decrypt and extract a copy of its main DLL. Before writing the payload to disk, it inserts a random string into the decrypted payload in an attempt to evade detection, and it then ensures that the payload is loaded into memory on system reboot.

Kwampirs primarily includes instructions for collecting information on system and network data, running processes, system services, network shares, account policies, and domain admin accounts. This data-collection behavior supports the conclusion that Orangeworm is a group intent on corporate espionage and on learning how certain processes and devices work, as opposed to typical ransomware extortion. In addition to infected MRI and X-ray machines, Kwampirs has also been detected on devices used to complete patient consent forms.
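As an added illustration of the data-collection behavior described above (example code written for this page, not code from the article or from Symantec), the following Python flags any process on a host that enumerates several of those categories within a short window, which is the kind of host-level signal a defender would alert on. The log line format, the host names, and the mapping of each category to a built-in Windows command are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation log lines (not real telemetry): timestamp, host, parent PID, command line.
SAMPLE_LOG = """\
2018-05-01T09:12:01 ws-radiology-07 pid=4120 cmd=tasklist /v
2018-05-01T09:12:03 ws-radiology-07 pid=4120 cmd=sc query state= all
2018-05-01T09:12:05 ws-radiology-07 pid=4120 cmd=net share
2018-05-01T09:12:06 ws-radiology-07 pid=4120 cmd=net accounts /domain
2018-05-01T09:12:08 ws-radiology-07 pid=4120 cmd=net group "Domain Admins" /domain
2018-05-01T10:40:11 ws-frontdesk-02 pid=2211 cmd=net share
2018-05-01T15:02:44 ws-frontdesk-02 pid=3097 cmd=tasklist
"""

LINE_RE = re.compile(r"^(\S+) (\S+) pid=(\d+) cmd=(.*)$")

# Map each collection category named in the Kwampirs description to the built-in Windows
# command an administrator (or intruder) would typically use to gather it. This mapping
# is an assumption made for the example, not something taken from the Symantec report.
CATEGORIES = {
    "processes": re.compile(r"^tasklist\b", re.I),
    "services": re.compile(r"^sc\s+query\b", re.I),
    "shares": re.compile(r"^net\s+share\b", re.I),
    "account_policy": re.compile(r"^net\s+accounts\b", re.I),
    "domain_admins": re.compile(r'^net\s+group\s+"?domain admins"?', re.I),
}

def find_recon_clusters(log_text, window=timedelta(minutes=5), min_categories=3):
    """Return {(host, pid): sorted categories} for parent processes whose child
    commands cover at least min_categories categories inside one time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts = datetime.fromisoformat(m.group(1))
        for cat, pattern in CATEGORIES.items():
            if pattern.search(m.group(4)):
                events[(m.group(2), m.group(3))].append((ts, cat))
    hits = {}
    for key, evs in events.items():
        evs.sort()  # chronological order so each window starts at an event
        for i, (start, _) in enumerate(evs):
            seen = {c for t, c in evs[i:] if t - start <= window}
            if len(seen) >= min_categories:
                hits[key] = sorted(seen)
                break
    return hits
```

A single `net share` from the front-desk workstation is not flagged; only the radiology host, where one parent process walks through all five categories in seconds, is reported.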

“The cloud security market will be valued at an impressive $8.71 billion by 2019.” – MarketsAndMarkets.

Healthcare Cloud Storage
A cloud backup service can be the best solution for a comprehensive backup and disaster recovery (BDR) plan. Data breaches and malicious attacks are inevitable, but by following data protection best practices and adhering to industry compliance regulations, your company can maintain strong encryption and a solid defense against the effects of malicious attacks.

The cloud, in all its glory and capabilities, is only as secure as its weakest link. HIPAA-HITECH regulations govern how the healthcare industry collects, stores, and transmits protected health information. Unfortunately, backdoor malware and employee error can still lead to unintended data breaches. For healthcare organizations compliance can be costly, but a holistic continuous data protection (CDP) strategy should at a minimum mean backing up to compliant cloud vaults, encrypting data at rest, and providing for secure data restores.

Healthcare Data Protection
Healthcare-centric MSPs have a choice of cloud service providers (CSPs) running the gamut from no-frills consumer-grade offerings to enterprise-class custom cloud solutions. Low-cost offerings are feasible for limited file backups but lack services for backing up database files and applications or performing system state backups. The more robust cloud providers deliver additional backup options for database files, system files, virtual machine applications, and even video files. These full-service CSPs commonly offer additional business services such as disaster recovery, mobile device and endpoint protection, and SaaS application backups for Microsoft Exchange, Office 365, Salesforce, SharePoint, etc.

Although one would assume that enterprise-level cloud providers can handle every aspect of a healthcare organization’s backup needs, this is not always the case, as the Center for Orthopedic Specialists incident mentioned earlier shows. Specific database applications must be backed up in a way that preserves database consistency, and not every high-end cloud backup provider can support a diverse infrastructure, such as non-SQL databases or other SaaS applications. A healthcare IT vendor should not only meet your data protection standards but also be able to prove HIPAA-HITECH compliance, be willing to sign a custom-tuned Business Associate Agreement, and offer an acceptable service level agreement. Remember: storage is cheap, but data is valuable.

Since not all cloud backup services are equal, it is imperative that you measure your backup service of choice against the required industry regulations and review its compliance record, data availability, and security metrics.

This article was originally published on the KeepItSafe blog and is republished here with permission.