Wipro Security Breach Targeted ‘A Few’ Employees Via Phishing Campaign

Wipro CEO Abidali Neemuchwala confirmed that the India IT outsourcing giant fell victim to a security breach stemming from an advanced phishing campaign.

Wipro CEO Abidali Neemuchwala Tuesday claimed the IT outsourcing giant was able to detect and respond “quite fast” to a security breach that used Wipro’s network as a launch pad for bad actors to carry out attacks against its own customers

At the same time, Neemuchwala called the original KrebsOnSecurity report yesterday “not entirely accurate” though he did not say what was wrong with it.

“We were able to detect and respond to this quite fast and we’ve had some customers appreciate it,” said Neemuchwala. “I can understand a lot of customers are anxious about it because what came in the (KrebsOnSecurity) blog, as you can expect is not entirely accurate, but we are responding to customers.”

Customers found to be at risk have already been contacted, Neemuchwala said.

“Now since it is out in the media we are talking to all the customers to avoid their anxiety...They appreciate what we’ve done,” he said.

Another Wipro executive told analysts that the attack involved “a few of our employee accounts” who were subjected to “an advanced phishing campaign.” The executive said the accounts were isolated and immediate steps were taken to contain “this incident” and mitigate “any potential attacks.”

The executive said Wipro informed a “handful” of customers and they continue to monitor their network through advanced threat mechanics

The India-based IT outsourcing company is reportedly the victim of a months-long intrusion from a state sponsored cyber attack, two sources told KrebsOnSecurity. Both sources said that Wipro’s systems were used to target at least a dozen of its own client’s systems. Wipro did not address whether the security breach was a nation -state attack.

According to KrebsOnSecurity, Wipro’s own customers traced suspicious network activity back to partner systems that were in direct communication with Wipro’s network. File folders found on the intruders' back-end infrastructure were named after various Wipro clients, a source told KrebsOnSecurity, and suggest that at least a dozen companies were attacked.

Wipro did not respond to CRN’s request for comment on Monday night. The company’s stock was down 12 cents Tuesday morning to $4.27, ahead of delivering a positive earnings report that showed the company grew revenue 7.5 percent year over year to $8.3 billion.

"The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks," Wipro said in a statement to KrebsOnSecurity. "We constantly monitor our entire infrastructure at a heightened level of alertness to deal with any potential cyber threat."

Wipro is currently in the process of building out a new private email network because the intruders were believed to have compromised the company's corporate email system for quite some time, another source told KrebsOnSecurity. The company is now telling concerned clients about specific "indicators of compromise," or clues that might signal an attempted or successful intrusion.

The reported breach at Wipro comes just four months after two hackers associated with Chinese advanced persistent threat (APT) group APT10 were indicted by the U.S. Department of Justice for attempting to break into more than 45 U.S. technology companies and U.S. government agencies, as well as several MSPs.

The only organization to voluntarily identity themselves as a victim of APT10's multiyear "Operation Cloud Hopper" campaign was Visma, a $1 billion Norwegian business software provider. Reuters reported that the managed services businesses of Hewlett Packard Enterprise - which divested that part of its business in 2017 as part of a spin-in merger to form DXC Technology - and IBM were also among the IT firms breached by Chinese hackers in the attack.

In January 2019, the National Counterintelligence and Security Center launched a public campaign to educate businesses about the risks related to cyberattacks from foreign intelligence entities. The effort identified corporate supply chains as one of the primary targets, wherein threat actors attack a business' suppliers – including solution providers and MSPs – to gain access to the end client's corporate network.

In an interview with CRN recently, Wipro Digital President Rajan Kohli identified cybersecurity as one of the company's four main areas of investment thanks to the increased connectivity and digitization of networks. Specifically, Kohli said that a lack of integration between established security products means that customers end up with a lot of data, but very little actionable insight.

"We’re building those dashboards, and building that glue that bind these various products, and helps clients make an actionable insight," Kohli said. The time to response becomes very critical to cybersecurity."