Wipro Detects Phishing Attack: Investigation in ProgressSecurity Experts Weigh In on Who Might Be the Culprit
Indian IT service firm Wipro on Tuesday said that it has detected abnormal activities on some of its employee accounts due to an advanced phishing campaign. An investigation is continuing, the company tells Information Security Media Group.
The news comes following the blog KrebsOnSecurity reporting that India's third-largest IT outsourcing company was dealing with a multimonth intrusion.
Wipro's systems were seen being used as jumping-off points for digital phishing expeditions targeting at least a dozen Wipro customer systems, the blog says. "Wipro's customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro's network," according to the blog.
In a statement, Wipro says: "Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact."
The firm tells ISMG that none of its customers' credentials have been affected, as was alleged in the blog.
Some security experts, however, say Wipro may be the victim of a nation-state sponsored attack.
"It is most likely by a nation-state. They use this modus operandi to breach a vendor network first and through that route the attack their customers," says a Bangalore-based security expert, who did not wish to be named. "That is because customers will consider Wipro's network safe. Taking advantage of this, attackers can slip under the radar and defenses as harmless traffic."
Some observers speculate that Cloud Hopper, a Chinese advanced persistent threat group, may be behind the attack. "Cloud Hopper targets managed service providers and uses it as a point of entry into their end clients," tweets Prashant Mali, cyber lawyer and advocate, Bombay High Court.
Wipro employees Accounts breached, Cloud hopper a Chinese APT that targets managed service providers to use that as a point of entry into their end clients suspected #hacking #espionage #cybercrime #cyberlaw #cyberattacks #wipro #media #it #technology— Adv. Prashant Mali (@CyberMahaGuru) April 16, 2019
The attack on Wipro comes four months after two hackers associated with Chinese group APT10 were indicted by the U.S. Department of Justice for attempting to break into more than 45 U.S. technology companies and U.S. government agencies as well as several MSSPs.
In January 2019, the National Counterintelligence and Security Center launched a public campaign to educate businesses about the risks related to cyberattacks from foreign intelligence entities. The effort identified corporate supply chains as one of the primary targets, wherein threat actors attack a business' suppliers to gain access to the end client's corporate network, reports CRN.
Wipro employs 170,000 employees serving clients across six continents, including Fortune 500 customers in healthcare, banking communications and other industries. The company's stock declined about 2 percent to $4.30 in after-hours trading Monday.
Dissecting the Attack
According to the KrebsOnSecurity blog, one of Wipro's customers said at least 11 other companies were attacked, based on file folders found on the intruders' back-end infrastructure that were named after various Wipro clients.
Apparently, Wipro is also in the process of building out a new private email network because the intruders were thought to have compromised Wipro's corporate email system for some time, the blog says. The company is now telling concerned clients about specific "indicators of compromise," or clues that might signal an attempted or successful intrusion, a source told KrebsOnSecurity.
ISMG reached out to one of the customers of Wipro from the aviation industry to see if it was impacted by the phishing attacks. "I can't comment on this. Attacks keep happening. What matters is how best we are able to control damage," he said, asking to remain anonymous.
Wipro says it is taking remedial measures to mitigate the damage done. "We are leveraging our industry-leading cybersecurity practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture. We have also retained a well-respected, independent forensic firm to assist us in the investigation. We continue to monitor our enterprise and infrastructure at a heightened level of alertness," Wipro tells ISMG.
In an earlier interview ISMG, Sridhar Govardhan, CISO at Wipro, spoke about how a company can tackle a phishing campaign.
"When a phishing campaign is launched against a company, then you can pick this up on your threat intelligence platform through both open source as well as commercial feeds coming in," Govardhan said. "When you automate the process, the email campaign information is automatically passed on to the team handling email security. This has to be built in seamlessly and integrated across entire ecosystem."
The attack has led to some security practitioners questioning whether data should indeed be outsourced to other countries. "It's amazing how quickly people diss "outsourcing" (which is code for something else). Because you know, non-outsourced companies are never hacked," tweets Sandesh Anand, managing consultant at the IT company Synopsys.
The subtle racism on the comments section on that article is frankly disgusting. It's amazing how quickly people diss "outsourcing" (which is code for something else). Because you know, non-outsourced companies are never hacked— Sandesh Anand (@JubbaOnJeans) April 16, 2019
Phishing attacks apparently increased in 2018, according to various news reports.
"Threat actors would identify the victim and use open source information to gather details. From here they build phishing attacks. One of the areas is email. Office 365 is a huge target," John Clay, director of global threat communications as Trend Micro, said in an interview with ISMG. "Phishing works because it preys on vulnerabilities of humans. Once you get access to email account, you can pretty much do what you want."
In a new development, Microsoft says intruders targeting its email services had access to email content for a single-digit percentage of the overall affected accounts, a more serious conclusion than first thought.
Geetha Nandikotur, managing editor, Middle East and Asia, contributed to this report.