April 15, 2019

Indian information technology (IT) outsourcing and consulting giant Wipro Ltd. [NYSE:WIT] is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity. Wipro has refused to respond to questions about the alleged incident.

Earlier this month, KrebsOnSecurity heard independently from two trusted sources that Wipro — India’s third-largest IT outsourcing company — was dealing with a multi-month intrusion from an assumed state-sponsored attacker.

Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.

The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.

On April 9, KrebsOnSecurity reached out to Wipro for comment. That prompted an email on Apr. 10 from Vipin Nair, Wipro’s head of communications. Nair said he was traveling and needed a few days to gather more information before offering an official response.

On Friday, Apr. 12, Nair sent a statement that acknowledged none of the questions Wipro was asked about an alleged security incident involving attacks against its own customers.

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

Wipro has not responded to multiple additional requests for comment. Since then, two more sources with knowledge of the investigation have come forward to confirm the outlines of the incident described above.

One source familiar with the forensic investigation at a Wipro customer said it appears at least 11 other companies were attacked, as evidenced from file folders found on the intruders’ back-end infrastructure that were named after various Wipro clients. That source declined to name the other clients.

The other source said Wipro is now in the process of building out a new private email network because the intruders were thought to have compromised Wipro’s corporate email system for some time. The source also said Wipro is now telling concerned clients about specific “indicators of compromise,” telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

Wipro says it has more than 170,000 employees helping clients across six continents with Fortune 500 customers in healthcare, banking, communications and other industries. In March 2018, Wipro said it passed the $8 billion mark in annual IT services revenue.

The apparent breach comes amid shifting fortunes at Wipro. On March 5, the State of Nebraska abruptly canceled a contract with Wipro after spending $6 million with the company. In September 2018, the Nebraska Department of Health and Human Services issued a cease-and-desist letter to Wipro, ordering it to stop work on the upgrade to the state’s Medicaid enrollment system, and to vacate its state offices. Wipro is now suing Nebraska, saying its project was on schedule and on budget.

In August 2018, Wipro paid $75 million to settle a lawsuit over a botched SAP implementation that reportedly cost the National Grid US hundreds of millions of dollars to fix.

Another curious, if only coincidental, development: On April 4, 2019, the government of India sold “enemy” shares in Wipro worth approximately $166 million. According to this article in The Business Standard, enemy shares are so called because they were originally held by people who migrated to Pakistan or China and are not Indian citizens any longer.

“A total of 44.4 million shares, which were held by the Custodian of Enemy Property for India, were sold at Rs 259 apiece on the Bombay Stock Exchange,” The Business Standard reported. “The buyers were state-owned Life Insurance Corporation of India (LIC), New India Assurance and General Insurance Corporation. LIC”

Wipro is expected to announce its fourth-quarter earnings report on Tuesday, April 16 (PDF).

Update, April 16, 9:11 a.m. ET: Not sure why it did not share this statement with me, but Wipro just confirmed to the India Times that it discovered an intrusion and has hired an outside security firm to investigate.

Update, April 17, 2:33 p.m. ET: Check out my latest story on the Wipro breach, the latter half of which includes important new updates about the breach investigation.

75 thoughts on “Experts: Breach at IT Outsourcing Giant Wipro

  1. Tom Baker

    I see a lot of comments from folks focussing on where Wipro is HQ’ed and based on that why it is dangerous for US companies to outsource from them. Sure there are risks due to different laws and security standards followed. But all that is taken into account by clients and needful scrutiny done before outsourcing.

    The bigger issue nobody is focussing on is how a terrorist, dictatorial regime has been hacking away every country and company in the world. They have hacked and siphoned trillions of dollars worth of information from the US itself, right under our noses from the Min. of Defence to the Congress.

    I hope everyone takes notice of this menace and Democratic governments around the world as well as companies say enough is enough and mount a fitting response to the Chinese govt. hackers.

    1. vb

      Until your last sentence, I thought for sure you were talking about North Korea … and them you slipped in “China”. The same applies to many countries.

      Also, I’ve working with multiple companies who have offshored/outsourced mission critical work. I’ve seen very little evidence that risks due to different laws and security standards were taken into account by clients before outsourcing.

      1. Shyam

        are you serious, you dont know that North Korea and Pakistan are colonies of China. China will remain clean and make these guys do all dirty work.

    2. spagafus

      > ” But all that is taken into account by clients and needful scrutiny done before outsourcing.”

      You funny!

      1. Bill Paxton

        These people will never understand that ‘needful’ is a giveaway. Sad!

        1. Robin Taylor

          LOL Worked with Wi-Pro employees employed by a big US company and I actual got asked to “do the needful” …

  2. PB

    The issue we’re facing today, is that corporations require “agility” and wants everything to move very very fast. When you come from a company with really old infrastructure, no proper security in place other than proxy servers and firewalls, this becomes a huge challenge. Even some of the larger corporations I have worked for, have had integrations with 3rd party MSPs, where the MSP was considered a “trusted” entity and permitted full access. The common reason was that they could not be hindered in doing their job, even if that meant getting access to systems that were not part of the contract, just due to faulty group setups and other server side configurations mainly meant for in-house access only. Doing security right is hard, and sometimes the hurdles are simply the business itself pushing timelines too hard, and overruling security staff by “taking ownership of the risk”.

    1. SkunkWerks

      I don’t think this is just an issue we’re facing “today”. This is the classic tug-of-war between Security and Convenience.

      Culturally- as a society (and maybe a species)- we’ve always leaned in more for the latter.

      This is largely because investing in security is like investing in health insurance- it’s only seen as paying off if you actually get sick (and it helps).

      Even where such investments are required, the M.O. is often to appear to comply rather than actually comply.

  3. Vijayendran Sridharan

    To some extent, damage could have contained if all email accounts were configured with Two Factor Authentication.

    Also, lesson for all of us to bring end user computing devices under CMDB with accuracy and monitor unauthorized software installs.

  4. ali shah

    i had seen a lot of Indians with cout and tie try to f.k the companies on the name of security here in the region of g.u.l.f.
    they dont know any thing abt security but only know how to sell products.

  5. Ludovic F. Rembert

    It’s a shame that BPO companies are still working with these clowns. SMEs need to have some kind of audit process in place with which to test the security of outsourcing companies like Wipro, lest their customer data spill out into the wrong hands abroad…. at which point there is almost zero recourse to recover it.

Comments are closed.