Wipro Breach: 5 Things We Don’t Know
Many questions are lingering following a reported multimonth-long attack on IT outsourcing giant Wipro.
Questions Remain For Wipro
While Wipro CEO Abidali Neemuchwala and another Wipro executive addressed a security breach on the company’s network during an earnings call with investors Tuesday morning, many questions about the attack remain.
Just when the attack happened and what, if any, information was compromised is still not publicly known. The company did not acknowledge the attack until Tuesday morning when it issued a statement to the Economic Times of India that was later repeated during the earnings call.
Also missing is the culprit. While KrebsOnSecurity called this an “assumed state-sponsored” attack, Wipro did not offer any details in its statement or to investors about who could be behind it. The company has said it is using its own cybersecurity tools to contain the attack, and it told the Economic Times of India that it had hired an outside firm to take a forensic look at how the attack might have happened.
Was this a nation-state attack?
Wipro has not said who might be responsible for the attack on its network. However, the blog that initially reported it called it an “assumed” state-sponsored attack.
“Earlier this month, KrebsOnSecurity heard independently from two trusted sources that Wipro—India’s third-largest IT outsourcing company—was dealing with a multimonth intrusion from an assumed state-sponsored attacker,” the site reported.
In January 2019, the National Counterintelligence and Security Center launched a public campaign to educate businesses about the risks related to cyberattacks from foreign intelligence entities. The effort identified corporate supply chains as one of the primary targets, wherein threat actors attack a business' suppliers—including solution providers and MSPs—to gain access to the end client's corporate network.
Is the company still at risk?
During the earnings call, Neemuchwala and another executive said the company reacted quickly to isolate the compromised systems, but neither of them said the attack had ended.
“We were able to detect and respond to this quite fast and we’ve had some customers appreciate it,” Neemuchwala told analysts.
Another Wipro executive also tried to reassure investors.
“We did know about potentially abnormal activity in our network that involved a few of our employee accounts and these people were subjected to an advanced phishing campaign. As you know, like any large enterprise, we investigate a large number of alerts every year. We investigate about 4.8 million alerts every year. On knowing about this alert, we promptly kicked off our standard policy that we use,” said the executive.
How long did the attack last?
While KrebsOnSecurity described the attack duration as lasting multiple months, it is not clear what that means. While Wipro said the attack was detected quickly, it did not detail that time frame.
“We isolated employee accounts which are impacted as part of this incident and have taken immediate steps to contain this incident and mitigate any potential attacks of this incident,” a Wipro executive told investors on the earnings call.
How many victims?
According to KrebsOnSecurity, sources told the outlet that “at least” a dozen of the company’s clients were thought to be targeted. A Wipro executive said “a few” employees were compromised by what they described as an “advanced phishing campaign.” He said those accounts were isolated and the company has worked to mitigate fallout from the attack.
Was there any stolen or compromised information?
The company described the attack as an “advanced phishing campaign” but did not say what, if any, information was stolen or compromised.
The company said it had already notified a “handful” of customers, and was in the process of widening its message after news of the attack broke.
“Now since it is out in the media, we are talking to all the customers to avoid their anxiety. ... They appreciate what we’ve done,” Neemuchwala said.