>samit_hota
Back to adversary profiles
G0071HighActive

Orangeworm: Healthcare's Silent Threat

Samit Hota·
Suspected Origin
Unknown
Motivation
Espionage, Information Theft
Aliases
None documented
Target Sectors
Healthcare, Pharmaceuticals, IT, Manufacturing, Logistics, Agriculture
Associated Malware
Kwampirs, Shamoon (overlaps)
#threat-actor#g0071

Overview

Orangeworm, tracked by MITRE ATT&CK as G0071, is a persistent and highly focused threat actor group that has been active since at least 2015. Their primary objective appears to be corporate espionage, with a distinct focus on the healthcare sector across the United States, Europe, and Asia. Unlike many financially motivated groups, Orangeworm’s activities suggest a deliberate effort to acquire proprietary information, possibly concerning medical equipment functionality or patient data, for commercial purposes rather than immediate financial gain through ransomware or direct theft of payment card data. While their exact origin remains unconfirmed, analysis suggests they are likely not a state-sponsored entity, but rather a skilled individual or small collective.

The group distinguishes itself through carefully planned, targeted campaigns rather than opportunistic attacks. Their approach often involves supply chain compromises, leveraging trusted relationships to infiltrate organizations connected to the healthcare industry, such as IT solution providers for healthcare, medical equipment manufacturers, pharmaceuticals, and even logistics and agricultural firms that have ties to the sector. Once inside, they’ve shown a particular interest in devices like X-ray and MRI machines, as well as systems handling patient consent forms.

Tactics & Techniques

Orangeworm employs a range of tactics and techniques to gain and maintain access, move laterally, and exfiltrate data from targeted networks. Their initial access often stems from supply chain attacks, exploiting trusted vendor relationships to establish a foothold.

Once they have infiltrated a network, their custom backdoor, Kwampirs, is typically deployed. To maintain persistence, Kwampirs is known to create a service named WmiApSrvEx. The group exhibits a sophisticated understanding of defense evasion, modifying file timestamps (MACTimes) of their malicious files to align with legitimate system files like user32.dll. Furthermore, to bypass hash-based detections, Kwampirs inserts a randomly generated string into its decrypted payload before writing it to disk.

For lateral movement, Orangeworm is notably aggressive, copying the Kwampirs backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS. This method, while considered dated, has proven effective within the healthcare sector, which often relies on legacy systems, including older operating systems like Windows XP.

Their discovery tactics involve extensive information gathering. They collect basic network adapter details, system version information, language settings, recently accessed computers, available network shares, mapped drives, and file listings. The group has been observed executing commands like ipconfig, net, netstat, route, and systeminfo to aid in reconnaissance. This information is likely used to assess the value of a compromised system and to identify further high-value targets or research environments.

For command and control (C2), Orangeworm uses HTTP. They attempt to evade C2 detection by incorporating a high degree of jitter, specifically a 40% deviation from a 45-second beacon interval, in their network traffic. Despite these efforts, the underlying C2 communication protocol has remained consistent since its inception. Kwampirs also utilizes an extensive, though not always fully active, list of C2 servers, continuing to beacon until a successful connection is established.

Notable Campaigns

Orangeworm’s activities have primarily been identified through their consistent targeting of the healthcare sector since January 2015. While no specific, named campaigns are widely publicized beyond their general operational focus, their sustained presence and consistent methodologies across a global target set (US, Europe, Asia) constitute a long-running campaign of corporate espionage. The distinctive use of their Kwampirs backdoor and its functional overlaps with Shamoon malware are defining characteristics of their operational footprint.

Reports highlight their methodical approach to target selection, often using supply chain intrusions to reach their ultimate healthcare targets. This suggests a significant amount of pre-attack planning and reconnaissance to identify vulnerable links in the supply chain.

Associated Malware & Tools

The primary tool in Orangeworm’s arsenal is Kwampirs (detected by Symantec as Trojan.Kwampirs), a custom-built backdoor Trojan. Kwampirs provides remote access to compromised machines, enabling information gathering and further malicious actions. Its functionalities include collecting system information, managing persistence, and aggressively propagating itself across network shares. Notably, Kwampirs includes a reporter module designed to upload host information and download additional payloads from command and control servers.

Intriguing research has uncovered significant functional and developmental overlaps between Kwampirs and the destructive Shamoon malware. Analysis by Cylera Labs indicated that Kwampirs likely derived from Shamoon 1, and subsequent versions of Shamoon (like Shamoon 2) inherited code from Kwampirs. This suggests a close relationship, potentially even the same developers or highly collaborative groups, despite Shamoon’s known attribute as a destructive wiper and its attribution to Iranian state-sponsored actors. However, Kwampirs itself does not contain the destructive wiper capabilities seen in Shamoon.

Current Status

Orangeworm has demonstrated a sustained operational tempo over several years, with initial activity detected in January 2015. While some reporting indicates activity “last seen” as of July 29, 2020, the group’s custom malware, Kwampirs, was reported to remain active globally as of April 2018, indicating ongoing attacks at that time. Given the consistent targeting of a high-value sector and the adaptability shown through its malware development lineage with Shamoon, it is reasonable to consider Orangeworm an active threat. Organizations, particularly within the healthcare sector and its supply chain, should continue to monitor for their distinctive TTPs and the presence of Kwampirs.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call