Cybersecurity Blog

Cybersecurity researchers from across Georgia Tech and the Georgia Tech Research Institute share their thoughts about emerging threats, trends, and technologies in the constant fight to secure data and information systems. Read what's capturing their attention and new insights they offer about cybersecurity topics in the news.

Blog entries are aggregated monthly into the Source Port newsletter, with additional research and updates from Georgia Tech. Source Port is published on the first business day of the month.


Orangeworm Proves How Cyber Damage Can Be Done to Those Not Using Computers

April 26, 2018  |  By Panagiotis Kintis

For the past few years, a new attack group, dubbed "Orangeworm," has been deploying malware that targets the healthcare sector around the world. According to Symantec, the group has been targeting organizations as part of a broader supply-chain attack against the healthcare industry. Once a network has been infiltrated, the attackers use a trojan named Kwampirs to collect information about the compromised hosts. If the hosts are of interest to Orangeworm, the malware copies itself to other hosts on the same network, trying to gain access to as many systems as possible. Unsurprisingly, the malware was identified on devices that control high-tech medical equipment, such as X-ray and MRI machines, and on several terminals used by patients.


IISP Analyst Panagiotis Kintis: "The highly targeted nature of the attack shows that adversaries are not only using sophisticated techniques to facilitate Advanced Persistent Threats (APT) to one -- or a few -- targets, but they have started focusing their efforts on broader sectors. This time, we see a group attacking an entire industry on three different continents and trying to take control of computer systems that operate highly sophisticated medical equipment. The healthcare sector is part of the critical infrastructure, and compromises can be devastating.

While we have seen attacks focusing on the critical infrastructure before, they have been limited to a few businesses within one or more sectors. The novelty of Orangeworm's operation demonstrates that even broader attacks can be rendered against arbitrary targets to affect an entire industry. Moreover, according to Symantec's assumption of a supply-chain targeting model, we might be witnessing adversaries who are determined to maximize their damage across a sector.

This is one of the few cases where even a small attack against a sector like healthcare can have disastrous outcomes for individuals, even when they do not operate a computer. Computer terminals used by patients at hospitals can leak private information, including medical records and insurance or banking information. This can easily lead to insurance and banking fraud, even identity theft. Unfortunately, such attacks grow even worse: X-ray and MRI machines that are rendered unusable can result in the loss of lives when the equipment is critical for patient care. One can argue that backup and contingency plans should be or are in place. However, as long as computer systems are involved in the way healthcare professionals perform, there is always a potential for failure. We saw that Orangeworm made sure to take control of as many systems as possible within a network.

Advanced threats and attacks, like the one described, need to be identified and mitigated as soon as possible. At this point we are talking about the possibility of losing human lives. If a small group of hackers can render such attacks, I cannot imagine what a state-sponsored actor could potentially do."


About the Analysts


Holly Dragoo is a research associate with the Advanced Concepts Laboratory (ACL) at the Georgia Tech Research Institute. Her previous work with the U.S. Department of Defense and Federal Bureau of Investigation gives her a unique understanding of intelligence community requirements. Dragoo’s research interests include cybersecurity policy issues, threat attribution, metadata analysis, and adversarial network reconstruction.



Panagiotis Kintis is a Ph.D. student at Georgia Tech's School of Computer Science and a researcher in the Astrolavos Lab. His research examines new techniques for data analysis and cyber attribution, with a special focus on clues that can be obtained from the network layer of the Internet, such as bot activity and domain name abuse (combosquatting).




Brenden Kuerbis, Ph.D., is a postdoctoral researcher at Georgia Tech’s School of Public Policy and a former Fellow in Internet Security Governance at the Citizen Lab, Munk School of Global Affairs, University of Toronto. His research focuses on the governance of Internet identifiers (e.g., domain names, IP addresses) and the intersection of nation-state cybersecurity concerns with forms of Internet governance.




Joel Odom leads a team of researchers focused on software security as branch head for the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute. He and his team research static and dynamic software analysis, software testing techniques, software reverse engineering, and software vulnerability discovery and mitigation.




Chris M. Roberts is a senior research engineer with the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute, specializing in embedded firmware reverse engineering and hardware analysis. Mr. Roberts’ technical expertise has expanded to cover radio frequency system design, electronic and cyber warfare, hardware and firmware reverse engineering, vulnerability assessments of embedded systems, and assessment of vulnerability to wireless cyberattacks.