Op-Ed: The Orangeworm Attacks — Why You Should be Worried

In yet another cyberattack aimed at the healthcare industry, a hacker group named Orangeworm recently targeted healthcare orgs in the U.S., Asia, and Europe. The attacks were aimed at computers that control X-rays and MRI machines, in addition to other medical devices. Yikes.

The Orangeworm attacks not only highlight vulnerabilities specific to the healthcare industry, but also shed light on overarching cybersecurity deficiencies that can affect other industries. After seeing increasing numbers of these kinds of attacks, it’s apparent that many businesses aren’t prepared for a major cyberattack. There are several key points that businesses need to immediately improve upon to prevent similar cyber breaches from happening.

What Are the Orangeworm Attacks?

The attacks utilize Trojan malware to install custom backend software called “Kwampirs,” which gives the hackers the ability to execute various commands and access additional modules. Once activated, the malware can add a randomly generated string to its payload in order to avoid hash-based detection.
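As an added illustration of the detection point in this paragraph (example code written for this page, not part of the original post or of Symantec’s report): appending random data changes a file’s hash, so a blocklist of whole-file hashes misses every new variant, while a signature on the bytes that do not change, or a hash computed only over that stable region, still fires. The sample bytes, marker and hash lists below are constructed stand-ins, not real Kwampirs indicators.

```python
import hashlib
import os

# Constructed sample: a stand-in for a malware file, NOT real Kwampirs bytes.
# The front part models code the operator cannot change without breaking it;
# the random tail models the padding the page describes.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"STANDIN-CORE-LOGIC-BLOCK" * 4

# Hypothetical blocklist of whole-file SHA-256 hashes (hash-based detection).
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

# Hypothetical signature: a byte sequence that stays fixed across variants
# (what a YARA-style content rule would match on).
STABLE_MARKER = b"STANDIN-CORE-LOGIC-BLOCK"

# Hypothetical "region hash": hash only the first 64 bytes, which the random
# tail cannot alter (the idea behind section or import hashing).
STABLE_REGION_LEN = 64
KNOWN_BAD_REGION_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD[:STABLE_REGION_LEN]).hexdigest()}


def add_random_tail(payload: bytes, length: int = 32) -> bytes:
    """Model variant generation: same code, plus random padding at the end."""
    return payload + os.urandom(length)


def hash_detect(sample: bytes) -> bool:
    """Exact-match detection on the whole file's SHA-256."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def pattern_detect(sample: bytes) -> bool:
    """Content detection: the stable marker is present anywhere in the file."""
    return STABLE_MARKER in sample


def region_hash_detect(sample: bytes) -> bool:
    """Hash only the stable leading region, which padding does not change."""
    return hashlib.sha256(sample[:STABLE_REGION_LEN]).hexdigest() in KNOWN_BAD_REGION_SHA256


def compare(variants: int = 5) -> dict:
    """Run all three detectors over the original plus several padded variants."""
    samples = [SAMPLE_PAYLOAD] + [add_random_tail(SAMPLE_PAYLOAD) for _ in range(variants)]
    return {
        "total": len(samples),
        "hash_hits": sum(hash_detect(s) for s in samples),
        "pattern_hits": sum(pattern_detect(s) for s in samples),
        "region_hash_hits": sum(region_hash_detect(s) for s in samples),
    }


if __name__ == "__main__":
    print(compare())
```

Only the unpadded original matches the whole-file hash; every variant still matches the marker and the region hash, which is why detection should key on stable content rather than on full-file hashes alone.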

Kwampirs then copies itself across networks with the goal of infecting other medical machines and devices. According to Symantec, which released a report on the attacks, the incidents are likely motivated by corporate espionage.

Main industries affected by the attacks include:

  • healthcare (39% of known targets)
  • drugmakers
  • IT solution providers for healthcare companies
  • equipment manufacturers servicing the healthcare industry

Secondary targets included:

  • manufacturing
  • logistics
  • agriculture

Orangeworm may also have had an interest in machines used to help patients complete consent forms. This means patient privacy and confidentiality may also be an issue.

The Orangeworm cyberattacks are likely not state-sponsored, but rather an individual or group of individuals. We don’t see indicators at the moment regarding the group’s origin.

What Types of Cybersecurity Risks Do the Orangeworm Attacks Reveal?

The recent Orangeworm attacks speak volumes about the lack of cybersecurity preparedness exhibited by companies in the healthcare industry and other sectors. In short, we feel many companies are not prepared for a cyberattack for the following reasons:

Companies Lack Cybersecurity Guidance

Word started getting out regarding Orangeworm threats as early as 2015. That’s 3 years, which, in the cyber realm, represents ages in terms of new technologies and hacking techniques. Three years later, many healthcare organizations are still not prepared to defend against threats such as Kwampirs.

Part of the problem lies in a lack of education and leadership. There is an overall shortage of qualified cybersecurity experts and leaders who can train employees and IT teams on how to keep systems secure and updated. Without proper cybersecurity guidance, healthcare organizations often don’t know what risks they’re facing.

We’re excited to learn about new educational programs and curriculums that encourage students to pursue careers in cybersecurity and other related fields. In fact, one program in New York is making cybersecurity master’s degrees more affordable for the public.

On the other hand, until the next strong generation of cybersecurity experts emerges, cybersecurity remains a global responsibility that businesses must keep top of mind in order to protect their assets. In the meantime, businesses need to take proactive steps now to ensure cybersecurity is a top priority.

We also feel there needs to be greater coordination between boards, executives and directors, and cybersecurity leaders. They should be mindful of previous incidents in related industries and understand that some threats may disappear only to later re-emerge in a more advanced form, as was the case with the Orangeworm hacks.

Cyberattacks Are Not Random

At first blush, cyberattacks may seem like they happen randomly. But according to reports, Orangeworm chose its targets very deliberately and conducted an impressive amount of planning before launching attacks. Specifically, Orangeworm’s list of secondary targets is of particular interest. These are industries which, upon closer inspection, support the healthcare industry in direct ways.

For instance, manufacturing targets made up 15% of Orangeworm’s victims. This includes large manufacturers that directly support the healthcare industry through the production and sale of equipment, including the medical imaging devices targeted by the malware.

This supports the notion that industry suppliers can be a major weak link in the cybersecurity chain. Thus, when assessing cyber risks and threats, companies should take a good look at:

  • how the supply chain is arranged for a particular business
  • which ancillary industries might affect the company
  • which supporting businesses might create additional cyber risks

While these questions might appear basic, they can shed light on the vulnerabilities that exist in a specific industry. The more you understand your place in the supply chain, the better protected you can be. Self-knowledge informs what type of target you are, why hackers might be interested in you as a target, and what types of targets your partners and suppliers might be.

Cyberattacks Exploit Gaps and Outdated Platforms

The Kwampirs malware exploited outdated platforms that many organizations in the healthcare industry still use. Older systems, such as Windows XP, created gaps in the overall security measures for healthcare organizations, thus increasing the risk of a data breach or cyberattack.

Generally speaking, cybersecurity tools may still be fragmented, and often don’t cover threats that can enter through vulnerabilities in antiquated operating systems. Complete, updated coverage is necessary, especially in the healthcare, legal, and financial sectors, which often use outdated software platforms.

The Future Depends on Strong Cybersecurity

Cyberattacks in the healthcare industry are particularly disconcerting not only because of the potential lost revenue, but also because people’s health and lives are at stake. It’s one of the reasons we’re so passionate about keeping industries safe and sharing knowledge transparently. The Orangeworm attacks should serve as a stark reminder for businesses and companies to make cybersecurity a priority, not an afterthought.

Attacks will continue to spread across supply chains and may affect various other critical infrastructure industries. Now is the time to bolster security efforts and devote the time and resources necessary for cyber preparedness.
