‘Orangeworm’ hacking campaign hits X-ray and MRI machines

A newly disclosed hacking campaign has infected multinational healthcare firms through malware that has threatened X-ray and MRI machines, cybersecurity firm Symantec warned.

Malware from a newly disclosed hacking campaign has infected the networks of multinational health care companies, including some X-ray and MRI machines, cybersecurity firm Symantec warned Monday.

The hacking group, dubbed Orangeworm, has hit a relatively small number of companies in more than 20 countries, Symantec said in an advisory. Nearly 40 percent of Orangeworm’s victims are in the health care industry, the advisory said. Manufacturers and IT companies that do business in health care have also been infected.

Orangeworm’s custom malware has shown up on machines that control “high-tech imaging devices such as X-ray and MRI machines,” Symantec said.

The Orangeworm revelation adds to a slew of cybersecurity challenges, including ransomware, facing the health care sector. An Indiana hospital in January paid roughly $50,000 in bitcoin to hackers who held its computer system hostage.


Congress has taken notice of the sector’s vulnerabilities. House lawmakers on Friday issued a request for information asking industry for advice on securing old hospital equipment from hacking.

Orangeworm can exploit such outdated technology by spreading across older operating systems like Windows XP, according to Symantec. “Older systems like Windows XP are much more likely to be prevalent within [the healthcare] industry,” the firm said.

Like many persistent hackers, Orangeworm has preyed on the supply chain to reach a target. “Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage,” Symantec said.

Orangeworm’s malware hasn’t evolved much since its discovery and “attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” the advisory said.

Symantec referred to Orangeworm as a “group” throughout the advisory, but also said that it could be just one person. There is no indication that the hacking is affiliated with a nation-state, the firm said.


Whoever it is, they don’t seem too worried about being caught.

“Despite modifying a small part of itself while copying itself across the network as a means to evade detection, the operators have made no effort to change the [command and control] communication protocol since its first inception,” Symantec said.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
