A mysterious hacking group has been spying on the healthcare sector, going as far as to infect computers that control X-ray and MRI machines with malware.
Fortunately, sabotage and patient data collection don't appear to be motives behind the hacking. The attackers were probably focused on corporate espionage and on studying how the medical software onboard the computers worked, the security firm Symantec said on Monday.
Over the past three years, the hacking group Orangeworm has been secretly delivering the Windows-based malware to about 100 different organizations, said Jon DiMaggio, a security researcher at Symantec. The largest share of victims, at 17 percent, have been based in the US.
The hackers have been particularly interested in legacy Windows 95 systems, which can end up controlling the X-ray and MRI machines, he said. The malware used was capable of taking remote control over a computer, and spreading itself over a network.
Evidence shows that the hackers were focused on collecting data about the infected computers and their networks. DiMaggio speculates this may have been done to learn how to pirate the medical software onboard.
It isn't clear how the malware was delivered, but Symantec suspects phishing emails were probably used.
Although what Orangeworm wanted isn't fully known, the group has been targeting the entire healthcare supply chain. The victims have included healthcare providers, medical equipment manufacturers, IT organizations that offer support services, and logistics companies that deliver the products to clients. For instance, an infection at a pharmaceutical software vendor that prints labels on bottles was what sparked Symantec's investigation into the hacks.
However, Symantec is refraining from blaming the spying on state-sponsored cyberspies. One big reason is that the hacking has been "noisy" and easy for security researchers to spot, a trait that doesn't match sophisticated government hackers. Instead, it's more likely that Orangeworm is a corporate entity or hackers-for-hire, DiMaggio said.
Symantec has worked with the victims to clean up the infections, but the whole incident underscores how vulnerable any organization can be. Imagine if the hackers had installed memory-wiping malware on the computers, DiMaggio said.
"This is sort of a wakeup call. It could be much worse next time," he added.
DiMaggio encourages businesses to patch legacy systems when possible and to split corporate networks into smaller, more secure subnetworks, a practice called "network segmentation," so that they can protect themselves from future attacks.