Orangeworm is a group of attackers who are purposefully targeting
organizations in select industries. The healthcare industry has accounted
for 39.8% of the total attacks launched by this group, with 17% of those
attacks targeting U.S.-based healthcare organizations. This group is also
targeting suppliers of hospitals such as consultancies, device manufacturers
and IT organizations.
The motivation of this attack and the allegiance of this group are currently
unknown. Attempts to identify the group are underway but little progress
has been made. It is premature to speculate if the group is part of a
nation-state, organized criminal element or terrorist group. What is
known is that the group is selectively targeting organizations in healthcare
and specific medical devices within the organization.
Orangeworm is based on the Kwampirs malware, which was first introduced in
2015. The group has evolved this trojan, adding polymorphic capabilities
to how it establishes command and control. Currently the attack is
launched against a medical device and the payload performs reconnaissance of
the medical device as well as the network. Information related to the
network and the devices then appears to be sent to a variety of command and
control servers. To date there is no indication that the attack
exfiltrates patient data or images, but it does appear that intelligence is
sent to the attackers. Further there is no indication that this attack
alters the state of the device.
ITEMS TO CONSIDER
This attack has gained a good amount of momentum in the past weeks. Given
the tactics employed by the attackers we believe they are performing advanced
staging for additional attacks and compromise. This could be part of a
criminal organization who intends to utilize this vector as an
espionage-as-a-service program, or a terrorist organization who may employ cyber-munitions
at a later date.
THINGS TO DO
1. Medical Device Exposure Assessment – It is critical to determine what
devices are external facing and validate who they are communicating with.
It is also important to understand the operating system running on the device, as
this attack seems to target Windows-based systems.
2. Monitor Device Operations – It is important that you educate clinical
engineering teams in regard to this threat. Any reported anomaly
(rebooting, slowness, change in behavior) should be reported to your IT
3. Supply Chain Considerations – You should reach out to your supply chain
partners in order to understand their awareness of this threat. In many
cases the payload is being delivered through a supply chain interaction.
Medical device manufacturers are not the only ones being targeted by this
group. This attack is compromising IT vendors who commonly work with
4. Network SMB Shares – You must review your SMB shares and ensure that you are
minimizing exposure. Ensure that any required shares are correctly
patched and that you have appropriate security controls in place.
5. Windows XP – If you have any Windows XP systems (HIM, RIS, Lab, RCM, Faxing, etc.)
in your environment, you should pay particular attention to this attack. This
attack is extremely friendly to Windows XP environments.
6. Log Analysis – You should examine logs for communication to C&C
servers. If you would like a list of those servers, please contact
Sensato at firstname.lastname@example.org
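The following PowerShell script is an added example for items 4 and 5 above; it is not part of the Sensato briefing. Run from an administrative workstation, it lists non-administrative SMB shares on the local host that grant Full or Change access to broad principals, reports whether SMBv1 is still enabled (an additional hardening check, not something the briefing itself calls out), and queries Active Directory for computers still reporting Windows XP. It assumes the built-in SmbShare module (Windows 8 / Server 2012 or later) and the RSAT ActiveDirectory module are installed.

```powershell
# Added example, not the briefing's own tooling. Assumes the SmbShare module
# (Windows 8 / Server 2012+) and the RSAT ActiveDirectory module are present.
#Requires -Modules SmbShare

# Item 4: non-administrative shares on this host that grant Full or Change
# access to broad principals (Everyone, Authenticated Users, Anonymous).
function Get-ExposedSmbShares {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Full', 'Change') -and
            $_.AccountName -match 'Everyone|Authenticated Users|Anonymous'
        } | Select-Object @{ n = 'Share'; e = { $share.Name } },
                          @{ n = 'Path';  e = { $share.Path } },
                          AccountName, AccessRight
    }
}

# Hardening check added here: SMBv1 is a legacy dialect that XP-era hosts
# depend on; returns $true if the local server still accepts it.
function Test-Smb1Enabled {
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
}

# Item 5: domain-joined computers whose AD record still reports Windows XP.
# LastLogonDate helps separate live hosts from stale computer objects.
function Get-WindowsXpHosts {
    Import-Module ActiveDirectory
    Get-ADComputer -Filter 'OperatingSystem -like "*Windows XP*"' `
        -Properties OperatingSystem, LastLogonDate |
        Select-Object Name, OperatingSystem, LastLogonDate
}

Write-Host '== Broadly accessible SMB shares on this host =='
Get-ExposedSmbShares | Format-Table -AutoSize
if (Test-Smb1Enabled) { Write-Warning 'SMBv1 is still enabled on this host' }
Write-Host '== Domain computers reporting Windows XP =='
Get-WindowsXpHosts | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize
```

Run Get-ExposedSmbShares against each file server that medical devices or vendor workstations reach, and treat any XP host that appears with a recent LastLogonDate as in scope for item 1's exposure assessment.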
As with any briefing, it is important that you validate this information, as
things change quickly, and your environment, resources and challenges cannot be
taken into account when information of this nature is presented.
THINGS TO KNOW
What should we tell executives?
Executives should be advised that Orangeworm may create a
resource challenge as you attempt to validate the right strategy. This
attack does create challenges for the organization overall, but it is a
targeted and selective attack at this point.
We would also recommend advising executives that there is a heightened sense of
risk due to the number of devices affected and challenges regarding the right
How prevalent is the threat?
The attack is selective, with the majority of attacks being against U.S.-based
healthcare providers. This creates heightened risk for U.S hospitals and
What is the real risk to healthcare?
Healthcare organizations are especially vulnerable due to the focused nature of
this attack. We believe this attack will expand to include VoIP, HVAC, O2
systems and other IoT devices. You should take this attack seriously.
What if we become a victim?
1. Determine the attacker's point of entry as quickly as possible and close that
2. Activate IR Team
3. Consider isolation of the affected system
4. Remove patients from affected devices.
5. Notify FBI, DHS, FDA and Sensato immediately.
6. Preserve evidence.
What is the impact to humans and operations?
If you are attacked there is currently no known impact to the device.
That stated, we would strongly urge you to remove the device from your network and
isolate the device from patient care and other devices.
Where can we get further details?
The Sensato-CTOC can provide further details as they become available.
Please contact your Sensato primary point of contact if you require any
assistance or email us at email@example.com