Orangeworm hacking group attacks hospitals' X-ray and MRI machines
Symantec security researchers have identified a hacking group, Orangeworm, that is conducting targeted attacks against the healthcare sector. The group installs a backdoor Trojan on the computers that control high-end medical equipment in hospitals, including the systems that operate X-ray and MRI machines, and has also infected computers used to help patients fill out consent forms.
The group has been active since at least 2015. Its targets are large multinational organizations in the United States, Europe and Asia, concentrated in the healthcare sector. Once inside a medical institution's network, the attackers install a Trojan called Kwampirs, which gives them remote control of the compromised computer and access to its data.
When Kwampirs decrypts its main payload, a dynamic link library (DLL), it inserts a randomly generated string into the decrypted file before writing it to disk, so that every installed copy has a different file hash and cannot be caught by a simple hash-based blocklist. It then installs itself as a Windows service configured to start automatically, so that it survives reboots. The infected computer contacts the attackers' command-and-control server, and the attackers decide which further tools to deploy based on the target's operating system and on how valuable the host appears to be.
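The hash-evasion step above is worth seeing concretely. The following is an added example, not code from Symantec or from the malware: a constructed stand-in payload (not a real PE file) gets a random string spliced into its middle, as Kwampirs does, and a SHA-256 blocklist built from one sample misses the next. A content signature taken from a stable region of the file still matches every copy; the signature bytes, the payload layout and the 16-character marker length are assumptions for the demonstration. The test at the end also shows the caveat: a signature that straddles the insertion point breaks just like the hash does.

```python
"""Hash blocklists vs. content signatures against a per-install random insertion.

Added example. PAYLOAD, SIGNATURE and the marker length are constructed for
illustration and are not Kwampirs artefacts.
"""
import hashlib
import random
import string

# Constructed stand-in for a decrypted payload DLL: a 64-byte header stub,
# a short "code" region, then zero-filled data. 200 bytes in total.
PAYLOAD = (b"MZ" + b"\x00" * 62
           + b"PE\x00\x00"
           + b"code: beacon/collect/spread"
           + b"\x00" * 105)

# A stable byte sequence that lies entirely inside the first half of the file,
# so the midpoint insertion never splits it.
SIGNATURE = b"beacon/collect/spread"


def insert_random_marker(payload: bytes, rng: random.Random, length: int = 16) -> bytes:
    """Mimic the evasion step: splice a random ASCII string into the middle of
    the payload before it is written to disk."""
    alphabet = string.ascii_letters + string.digits
    marker = "".join(rng.choices(alphabet, k=length)).encode()
    mid = len(payload) // 2
    return payload[:mid] + marker + payload[mid:]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklisted(sample: bytes, blocklist: set) -> bool:
    """Exact file-hash lookup: defeated by any byte-level change."""
    return sha256(sample) in blocklist


def signature_match(sample: bytes, signature: bytes) -> bool:
    """Content match on a contiguous byte sequence; survives insertions
    elsewhere in the file but not insertions inside the sequence itself."""
    return signature in sample


def evaluate(samples, blocklist: set, signature: bytes) -> dict:
    """Count how many samples each detection method catches."""
    return {
        "hash_hits": sum(hash_blocklisted(s, blocklist) for s in samples),
        "signature_hits": sum(signature_match(s, signature) for s in samples),
        "total": len(samples),
    }


def demo(n_installs: int = 5, seed: int = 1) -> dict:
    """Blocklist the hash of the first install, then check it against the rest."""
    rng = random.Random(seed)
    installs = [insert_random_marker(PAYLOAD, rng) for _ in range(n_installs)]
    blocklist = {sha256(installs[0])}
    return evaluate(installs, blocklist, SIGNATURE)


if __name__ == "__main__":
    print(demo())
```

In practice the stable region would be chosen from the payload's code section or from a distinctive string in the decrypted resource, and checked with a pattern-matching tool such as YARA rather than a substring test; the point is the same: the detection must key on what the attacker cannot cheaply vary.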
If the target is judged to be of high value, the attackers become more aggressive and spread Kwampirs to other computers on the same network, copying it over open network shares. What makes Kwampirs hard to spot is that it brings no custom reconnaissance tooling: it runs only commands that ship with Windows to gather the data it needs, so the activity looks much like routine administration. The commands shown in the figure (not reproduced here) collect "any relevant information on the target computer, including network cards, available network shares, mounted hard disk partitions, and files".
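Because the reconnaissance uses only built-in Windows commands, no single execution is suspicious; what stands out is one parent process running several of them in quick succession. The following is an added example, not code from Symantec or from any vendor product: a detector run over process-creation events in the style of Sysmon Event ID 1, constructed inline, that alerts when one parent process launches a threshold number of distinct reconnaissance commands inside a short window. The set of commands, the parent image paths, the window and the threshold are assumptions for this example; the full command list in the Symantec report is the place to extend RECON_COMMANDS from.

```python
"""Detect a burst of built-in reconnaissance commands from one parent process.

Added example. SAMPLE_EVENTS are constructed process-creation records; the
command set, window and threshold are assumptions, not report values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import shlex

# Windows built-ins whose clustered use is a reconnaissance signal. A set value
# lists the interesting arguments; None means any invocation counts.
RECON_COMMANDS = {
    "ipconfig": {"/all", "/displaydns"},   # adapters, DNS cache
    "arp": {"-a"},                         # neighbour table
    "netstat": None,                       # connections
    "systeminfo": None,                    # host and patch level
    "route": {"print"},                    # routing table
    "net": {"share", "view", "user", "users", "group", "localgroup", "config"},
}
_NOT_RECON = object()


def classify(image: str, command_line: str):
    """Return a label such as 'net share' for a recon command, else None."""
    name = ntpath.basename(image).lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name == "net1":          # net.exe hands most subcommands to net1.exe
        name = "net"
    allowed = RECON_COMMANDS.get(name, _NOT_RECON)
    if allowed is _NOT_RECON:
        return None
    if allowed is None:
        return name
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        tokens = command_line.split()
    for arg in (t.lower().strip('"') for t in tokens[1:]):
        if arg in allowed:
            return f"{name} {arg}"
    return None


def detect_recon_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Group recon commands by parent process and alert when at least
    `threshold` distinct commands fall inside `window`. One alert per parent."""
    by_parent = defaultdict(list)
    for e in events:
        label = classify(e["image"], e["cmd"])
        if label:
            key = (e["parent_pid"], e["parent_image"])
            by_parent[key].append((datetime.fromisoformat(e["ts"]), label))
    alerts = []
    for (pid, pimage), hits in by_parent.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {lbl for t, lbl in hits[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts.append({"parent_pid": pid, "parent_image": pimage,
                               "first_seen": t0.isoformat(),
                               "commands": sorted(in_window)})
                break
    return alerts


SUSPECT = {"parent_pid": 5316, "parent_image": r"C:\Users\Public\svcupdate.exe"}
SAMPLE_EVENTS = [  # constructed
    # benign: an admin's interactive shell runs a single network check
    {"ts": "2018-04-23T09:02:11", "parent_pid": 4120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
    # suspicious: one unknown binary walks through host and network recon
    {**SUSPECT, "ts": "2018-04-23T09:15:00",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
    {**SUSPECT, "ts": "2018-04-23T09:15:04",
     "image": r"C:\Windows\System32\net.exe", "cmd": "net share"},
    {**SUSPECT, "ts": "2018-04-23T09:15:09",
     "image": r"C:\Windows\System32\net1.exe",
     "cmd": 'net1 group "Domain Admins" /domain'},
    {**SUSPECT, "ts": "2018-04-23T09:15:15",
     "image": r"C:\Windows\System32\ARP.EXE", "cmd": "arp -a"},
    {**SUSPECT, "ts": "2018-04-23T09:16:30",
     "image": r"C:\Windows\System32\NETSTAT.EXE", "cmd": "netstat -nao"},
    {**SUSPECT, "ts": "2018-04-23T09:17:02",
     "image": r"C:\Windows\System32\systeminfo.exe", "cmd": "systeminfo"},
    # unrelated noise in the same window
    {"ts": "2018-04-23T09:16:00", "parent_pid": 4120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad readme.txt"},
]

if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

Keying on the parent process rather than on the user keeps an administrator's one-off `ipconfig` out of the alert, and the threshold of distinct commands (not raw count) resists a script that repeats a single harmless query. Tuning for a hospital network should start by running this over a week of baseline events to see which management agents legitimately produce such bursts.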
The study found that roughly 40% of Orangeworm's victims are healthcare providers and pharmaceutical companies; the remainder are in IT, manufacturing, agriculture, logistics and other industries. Many of these other victims are themselves tied to healthcare: manufacturers that build equipment for the medical sector, IT companies that provide software services to medical institutions, and logistics firms that transport equipment and pharmaceuticals for them.
Orangeworm's motives are not yet clear, and little is known about the group's history. Symantec believes the group is most likely engaged in corporate espionage and has found no evidence linking it to any nation state. The cases observed so far show that the group does not pick targets at random; it plans each attack in detail before carrying it out. Most of the victims are in the United States, with others in Saudi Arabia, India, the Philippines, Hungary, the United Kingdom, Turkey, Germany, Poland, Hong Kong, Sweden, Canada, and France.