IT systems consulting behemoth Wipro Ltd. has confirmed that its network was hacked and used for mounting attacks on its customers.
After multiple unnamed sources independently told Brian Krebs that a “multi-month intrusion” occurred and is likely the work of an advanced persistent threat (APT) actor who set its sights on at least a dozen Wipro customers, Wipro itself has confirmed the hack to the Times of India.
“We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign,” the company said in a media statement to the outlet’s Economic Times division. “Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.”
KrebsOnSecurity reported that Wipro was in the process of building a “new private email network” because the compromise started with the threat actors gaining access to Wipro’s corporate email system. From there, they were able to pivot and reach into customer networks.
“[Victims] traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network,” according to the sources.
One source, a security staffer at one of the victim companies, said that he discovered file folders hosted in the adversary’s infrastructure, “named after various Wipro clients” — 12 of them in all.
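The page gives no technical detail of the reconnaissance the victims saw, only that they traced it back to partner systems talking directly to Wipro's network. As an added illustration (not code from Wipro, its customers, Krebs' sources or Threatpost), the block below shows the kind of check a victim's SOC would run over its own flow logs: it looks for one source probing many ports on one host (a port scan) or one port across many hosts (a sweep) and then notes whether that source sits in an address range allocated to a vendor interconnect. The flow records, the partner CIDR `10.200.0.0/16`, the thresholds and the function names are all constructed for this example.

```python
"""Flag network reconnaissance that originates from a partner interconnect.

Added illustration, not code from Wipro, its customers or Threatpost. The flow
records, the partner CIDR and the thresholds below are all constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the address range a customer has allocated to a vendor's
# site-to-site link (assumption: the partner reaches the customer from here).
PARTNER_NETS = [ip_network("10.200.0.0/16")]

# Constructed flow records: timestamp, src, dst, dst_port, proto.
# 10.200.4.17 scans eight ports on one host, then probes port 445 on six hosts.
# 10.200.4.20 and 10.10.2.30 are ordinary traffic.
FLOW_LOG = """\
2019-04-15T02:11:03Z 10.200.4.17 10.10.1.5 22 tcp
2019-04-15T02:11:03Z 10.200.4.17 10.10.1.5 23 tcp
2019-04-15T02:11:04Z 10.200.4.17 10.10.1.5 80 tcp
2019-04-15T02:11:04Z 10.200.4.17 10.10.1.5 135 tcp
2019-04-15T02:11:05Z 10.200.4.17 10.10.1.5 139 tcp
2019-04-15T02:11:05Z 10.200.4.17 10.10.1.5 445 tcp
2019-04-15T02:11:06Z 10.200.4.17 10.10.1.5 3389 tcp
2019-04-15T02:11:06Z 10.200.4.17 10.10.1.5 5985 tcp
2019-04-15T02:11:07Z 10.200.4.17 10.10.1.6 445 tcp
2019-04-15T02:11:07Z 10.200.4.17 10.10.1.7 445 tcp
2019-04-15T02:11:08Z 10.200.4.17 10.10.1.8 445 tcp
2019-04-15T02:11:08Z 10.200.4.17 10.10.1.9 445 tcp
2019-04-15T02:11:09Z 10.200.4.17 10.10.1.10 445 tcp
2019-04-15T09:00:01Z 10.200.4.20 10.10.1.5 443 tcp
2019-04-15T09:00:02Z 10.200.4.20 10.10.1.5 443 tcp
2019-04-15T09:05:00Z 10.10.2.30 10.10.1.5 443 tcp
2019-04-15T09:05:01Z 10.10.2.30 10.10.1.6 445 tcp
"""

PORT_SCAN_THRESHOLD = 6   # distinct dst ports on one host from one source
SWEEP_THRESHOLD = 5       # distinct hosts probed on one port from one source


def parse_flows(text):
    """Yield (src, dst, dst_port) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _proto = line.split()
        yield src, dst, int(port)


def is_partner(src):
    """True when the source address falls inside a partner interconnect range."""
    return any(ip_address(src) in net for net in PARTNER_NETS)


def find_recon(text):
    """Return {src: {"scan_targets": n, "sweep_ports": m, "partner": bool}}
    for every source whose traffic looks like a port scan or a host sweep."""
    ports_by_src_dst = defaultdict(set)
    hosts_by_src_port = defaultdict(set)
    for src, dst, port in parse_flows(text):
        ports_by_src_dst[(src, dst)].add(port)
        hosts_by_src_port[(src, port)].add(dst)

    findings = {}
    for (src, _dst), ports in ports_by_src_dst.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            f = findings.setdefault(src, {"scan_targets": 0, "sweep_ports": 0})
            f["scan_targets"] += 1
    for (src, _port), hosts in hosts_by_src_port.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            f = findings.setdefault(src, {"scan_targets": 0, "sweep_ports": 0})
            f["sweep_ports"] += 1
    # The point of the exercise: which of the noisy sources came in over a
    # link the organisation trusts because it belongs to a vendor?
    for src, f in findings.items():
        f["partner"] = is_partner(src)
    return findings


if __name__ == "__main__":
    for src, f in find_recon(FLOW_LOG).items():
        origin = "PARTNER interconnect" if f["partner"] else "internal/other"
        print(f"{src}: scanned {f['scan_targets']} host(s), swept "
              f"{f['sweep_ports']} port(s), source = {origin}")
```

On the constructed log only `10.200.4.17` trips either threshold, and it sits inside the partner range, which is the situation the sources describe: recon traffic that is visible on the victim's side but enters through a link the victim had deliberately opened to a supplier. In practice the partner allow-list would come from firewall or VPN configuration rather than a hard-coded constant, and the thresholds need tuning against legitimate vendor tooling (monitoring agents, vulnerability scanners) that also touches many ports.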
Other details are for now scant, but the incident is emblematic of the new era of highly targeted supply-chain attacks that have begun to accelerate.
“We typically think of supply-chain attacks as stealthy attacks on hardware components, such as malware on laptops and network devices,” said Matan Or-El, CEO of Panorays, via email. “But we shouldn’t forget that supply-chain attacks also include attacks on service providers. In today’s digital age, working with suppliers is a business necessity; however, it involves cyber-risks, because an attack on the supplier means an attack on the organization. For this reason, companies need to develop a security policy and ensure that their third parties – vendors, suppliers, business partners – adhere to it. This is important not only during screening and onboarding of the suppliers, but throughout their whole business relationship, and requires continuous monitoring of the supplier’s digital presence.”
Ian Pratt, co-founder and president at Bromium, added via email: “It appears as though attackers didn’t wish to announce their presence. Instead, they likely wanted to stay hidden and use their access to monitor for sensitive IP and conduct reconnaissance, helping them to enter and move through customer systems to find sensitive data,” he said. “With organizations increasingly reliant on third parties, the attack surface has grown and businesses have less control over how their data is managed and secured.”
Wipro represents a target-rich environment: It works with tens of thousands of companies, including Fortune 500 clients, on technology outsourcing projects around the globe (last year passing $8 billion in annual run rate).
“Wipro should immediately let customers know whether they were using message encryption internally to protect customer emails,” said Mark Bower, chief revenue officer and North America general manager at Egress Software Technologies, via email. “Encrypting email messages at rest prevents the hackers from accessing sensitive data that can be weaponized to launch attacks such as man-in-the-middle attacks.”
He added, “Furthermore, every Wipro customer should be hyper-aware of the potential of such attacks coming from this previously trusted domain. Employees should be on red alert for any email from this domain until such time as Wipro demonstrates that its email system is rearchitected. Phishing attacks are used time and again because of how effective they are in taking advantage of human weakness. Their effectiveness is amplified exponentially when the phishing attacks come from what is believed to be a trusted partner.”
Wipro, which is due to report its fourth-quarter earnings today, said in its statement that it’s being proactive in containing the issue: “We are leveraging our industry-leading cyber security practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture. We have also retained a well-respected, independent forensic firm to assist us in the investigation. We continue to monitor our enterprise and infrastructure at a heightened level of alertness.”
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.