IT services giant Wipro has revealed it is investigating a potential intrusion after a report named the firm as suffering an attack targeting a dozen customers.
India’s third-largest IT outsourcer claimed to have spotted “potentially abnormal activity in a few employee accounts” after an “advanced phishing campaign” targeted the company.
“Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact,” it continued, according to ETtech.
“We are leveraging our industry-leading cybersecurity practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture. We have also retained a well-respected, independent forensic firm to assist us in the investigation. We continue to monitor our enterprise and infrastructure at a heightened level of alertness.”
Security researcher Brian Krebs originally reported the incident, citing multiple unnamed sources who claimed a multi-month intrusion had taken place, with at least 11 or 12 customers affected.
One source claimed to know this from the forensic investigation, in which folders on the intruders’ back-end were found to have been named after those clients.
Another source claimed that Wipro is being forced to build a new private email network, as the current one was apparently no match for the assumed state-sponsored attackers.
IT services companies are a major target for hackers given the privileged access they can grant to large numbers of client networks.
Chinese state-sponsored attack group APT10 was called out in 2017 after a long-running campaign against MSPs described by British investigators as “one of the largest ever sustained global cyber-espionage campaigns.”
IOActive CTO, Cesar Cerrudo, argued the case is another example of how modern digital supply chains create extra risk for organizations.
“These types of attacks are incredibly difficult to defend against, as trust is an essential part of any partnership. However, companies should be careful to ensure that they have the right controls in place to ensure that even if a hacker does gain access to an employee's credentials, this doesn’t mean they have the keys to the kingdom,” he added.
“If an organization isn't looking for security risks, then a threat actor doesn't need to launch a costly, complex or high-risk supply chain attack to compromise the organization. If the worst happens, and systems are compromised, then having a swift and effective response is essential. Organizations need to be sure they are able to identify the compromise fast (ideally before customers are impacted) and that they can quickly assert which customers may have been impacted and notify them of the potential risk to stop things from spiralling down the supply chain.”