Written by Sean Lyngaas

Malware from a newly disclosed hacking campaign has infected the networks of multinational health care companies, including some X-ray and MRI machines, cybersecurity firm Symantec warned Monday.

The hacking group, dubbed Orangeworm, has hit a relatively small number of companies in more than 20 countries, Symantec said in an advisory. Nearly 40 percent of Orangeworm’s victims are in the health care industry, the advisory said. Manufacturers and IT companies that do business in health care have also been infected.

Orangeworm’s custom malware has shown up on machines that control “high-tech imaging devices such as X-ray and MRI machines,” Symantec said.

The Orangeworm revelation adds to a slew of cybersecurity challenges, including ransomware, facing the health care sector. An Indiana hospital in January paid roughly $50,000 in bitcoin to hackers that held its computer system hostage.

Congress has taken notice of the sector’s vulnerabilities. House lawmakers on Friday issued a request for information asking industry for advice on securing old hospital equipment from hacking.

Orangeworm can exploit such outdated technology by spreading across older operating systems like Windows XP, according to Symantec. “Older systems like Windows XP are much more likely to be prevalent within [the healthcare] industry,” the firm said.

Like many persistent hackers, Orangeworm has preyed on the supply chain to reach a target. “Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage,” Symantec said.

Orangeworm’s malware hasn’t evolved much since its discovery and “attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” the advisory said.

Symantec referred to Orangeworm as a “group” throughout the advisory, but also said that it could be just one person. There is no indication that the hacking is affiliated with a nation-state, the firm said.

Whoever it is, they don’t seem too worried about being caught.

“Despite modifying a small part of itself while copying itself across the network as a means to evade detection, the operators have made no effort to change the [command and control] communication protocol since its first inception,” Symantec said.