IT outsourcing giant Wipro has suffered a major breach of its systems following what it described as an “advanced” phishing campaign.
The attack was first reported this morning by investigative reporter Brian Krebs. Sources told him the attack used Wipro’s systems as a staging post to try to reach the company’s extensive global customer base.
The extent of the campaign is unclear. NYSE-listed Wipro, which is based in India, confirmed the attack this morning. Responders are viewing the attack on Wipro as a state-sponsored exercise, Krebs said.
Wipro Hacked: Company Responds
The company said in an emailed statement: “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign.”
“Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact. We are leveraging our industry-leading cyber security practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture.”
Wipro added: “We have also retained a well-respected, independent forensic firm to assist us in the investigation. We continue to monitor our enterprise and infrastructure at a heightened level of alertness.”
One of Krebs’ sources said: “It appears at least 11 other companies were attacked, as evidenced from file folders found on the intruders’ back-end infrastructure that were named after various Wipro clients.”
Wipro, which employs some 160,000 people and has annual revenues of circa $8 billion, has a large client base ranging from mobile phone service operators to banking institutions.
Wipro Breached All the Way to Corporate
Security experts working on or close to the breach have said that Wipro’s customers have traced an array of suspicious and malicious network activity directly back to Wipro’s own network. They told Krebs that the malicious network activity appears to be communicating directly with Wipro’s systems.
Worryingly, Krebs’ sources have told him that the IT outsourcing giant is in the process of creating a new private email network, as threat actors are believed to have been inside the company’s corporate email systems for an extended period of time.
Krebs also noted: “The source also said Wipro is now telling concerned clients about specific ‘indicators of compromise,’ telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.”
Mark Bower, of Egress Software Technologies, said in an emailed comment: “Most concerning for the tens of thousands of Wipro customers – including many in the Fortune 500 – are the reports that Wipro’s email system has been compromised for some time.”
“Wipro should immediately let customers know whether they were using message encryption internally to protect customer emails. Encrypting email messages at rest prevents the hackers from accessing sensitive data that can be weaponised to launch attacks such as man-in-the-middle attacks.”
He added: “Furthermore, every Wipro customer should be hyper-aware of the potential of such attacks coming from this previously trusted domain. Employees should be on red alert for any email from this domain until such time as Wipro demonstrates that its email system is rearchitected. Phishing attacks are used time and again because of how effective they are in taking advantage of human weakness. Their effectiveness is amplified exponentially when the phishing attacks come from what is believed to be a trusted partner.”