3rd Party Risk Management , Breach Notification , Data Loss

Wipro Attack: The Latest Developments

Outsourcer Enlists Help With Investigation, Denies It's Migrating to New Email Platform
Wipro Attack: The Latest Developments

Indian IT outsourcing giant Wipro says it's working with several partners to expedite the investigation into abnormal activities on some of its employee accounts as a result of an advanced phishing campaign.

This is in addition to the earlier announced hiring of an independent forensics firm, the company tells Information Security Media Group.

"We are working with multiple partners who have an understanding of our operations, which we believe will help expedite the investigation process," Wipro says. "We continue to monitor our enterprise infrastructure at a heightened level of alertness."

Last week, the KrebsOnSecurity blog reported that India's third-largest IT outsourcing company was dealing with a multimonth intrusion and its systems were being used as jumping-off points for digital phishing expeditions targeting the systems of a least a dozen Wipro customers.

Wipro, however, is yet to clarify whether any of its client data has been compromised.

"As a responsible partner and in line with our standard protocol, we immediately and proactively informed the few customers with whom these employees [whose email accounts were targeted] were engaged and are in constant touch with our customers," the company says.

KrebsOnSecurity reports that the attackers responsible for launching phishing campaigns targeting Wipro also appear to have targeted a number of other competing outsourcers, including Infosys and Cognizant.

In a statement, Cognizant says: "While our review remains ongoing, we have seen no indication to date that any client data was compromised. It is not unusual for a large company like Cognizant to be the target of spear phishing attempts such as this. The integrity of our systems and our clients' systems is of paramount importance to Cognizant. We continuously monitor, update and strengthen our systems against unauthorized access and have put additional protocols in place related to this specific industry-wide incident."

Infosys also says that it has not observed any breach of its network. "This has been ascertained through a thorough analysis of the indicators of compromise that we received from our threat intelligence partners," the company says in a statement.

Infosys says it's working with its threat intelligence partners to get more information on attack vectors and threat actors to further strengthen its IT and cybersecurity controls.

Email Platform

KrebsOnSecurity also reported that Wipro was trying to migrate to a new email platform. But Wipro says that report is inaccurate.

"Rumors that Wipro was trying to migrate to a new e-mail platform are not true," the company states.

Wipro considers the phishing campaign to be a zero-day attack. "Based on our interim investigation, we shared the relevant information on the zero-day attack with our anti-virus provider and they have released the necessary signatures for us."

Sizing Up Wipro's Response

Some security experts criticized Wipro for taking two days to acknowledge the security incident after the KrebsOnSecurity report and then providing only limited information. (see: Learning From Wipro, JustDial Post-Breach Mistakes).

But others are now saying that the company acknowledged the problem relatively quickly.

"Wipro has been honest in declaring the breach," says L.S. Subramanian, an independent information technology adviser and analyst. "Many global companies do not announce similar incidents immediately but sometimes even wait for two years after the incident. I see no impact from Wipro's customers, but rather increased trust and appreciation of their transparency."

Subhajit Deb, CISO at Dr. Reddy's Laboratories, a pharma company, adds: "Wipro has taken a lot of flak unnecessarily. It takes a lot of courage to come back and accept that yes there has been an attack. Having said that, business email compromise and phishing attacks is a real threat, and there is no control in the world which is 100 percent foolproof. So you can have an anti-phishing filter and a behavioral analysis detection tool, but end of the day, one of the gullible users will still be tricked to give away important credentials or they will end up clicking on a malicious link."

Phishing Campaign

Some security experts suggest that Wipro was one of many organizations targeted by the same criminal organization.

"I believe that the criminal organization which targeted Wipro has been targeting various organizations on a regular basis," Sachin Raste, a security researcher at eScan, an anti-virus firm, tells ISMG. "When we took a close look at Wipro's indicators of compromise as shared by Krebs, we came across various sub-domains which were used for carrying out the phishing attacks."

Capgemini, a French technology consulting firm, says that its internal security operation center detected and monitored suspicious activity that showed similar patterns to the attack against Wipro, the KrebsOnSecurity blog reports.

Fighting Against Phishing

Forcepoint says criminals have become increasingly sophisticated. "Increasingly sophisticated attacks are being launched on enterprises and government agencies to gain access to critical data and intellectual property. And, traditional security approaches for combating such cyberattacks are no longer effective in today's digital world," says Surendra Singh, senior director and country head, Forcepoint.

To help mitigate the risk of falling victim to a phishing attack, security practitioners say organizations need to continuously educate employees about how to recognize the attacks. They also need to ensure that they implement continuous vulnerability assessment programs, they advise.

"There are solutions in the market which leverage machine learning to know if there is an attack happening in one of your third parties and how it correlates to your organization," Deb of Dr. Reddy's Laboratories points out. "It is a good investment to make, but there is no silver bullet."

Organizations also need to prepare incident management playbooks and practice using them in simulated events, Deb says.


About the Author

Suparna Goswami

Suparna Goswami

Principal Correspondent, ISMG

Suparna Goswami is principal correspondent at ISMG Asia and has more than 10 years of experience in the field of journalism. She has covered a variety of beats ranging from global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine, and leading Indian newspapers like DNA and Times of India.

Geetha Nandikotkur

Geetha Nandikotkur

Managing Editor, Asia & the Middle East, ISMG

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.in, you agree to our use of cookies.