15 Apr 19

Experts: Breach at IT Outsourcing Giant Wipro

Indian information technology (IT) outsourcing and consulting giant Wipro Ltd. [NYSE:WIT] is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity. Wipro has refused to respond to questions about the alleged incident.

Earlier this month, KrebsOnSecurity heard independently from two trusted sources that Wipro — India’s third-largest IT outsourcing company — was dealing with a multi-month intrusion from an assumed state-sponsored attacker.

Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.

The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.

On April 9, KrebsOnSecurity reached out to Wipro for comment. That prompted an email on Apr. 10 from Vipin Nair, Wipro’s head of communications. Nair said he was traveling and needed a few days to gather more information before offering an official response.

On Friday, Apr. 12, Nair sent a statement that acknowledged none of the questions Wipro was asked about an alleged security incident involving attacks against its own customers.

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

Wipro has not responded to multiple additional requests for comment. Since then, two more sources with knowledge of the investigation have come forward to confirm the outlines of the incident described above.

One source familiar with the forensic investigation at a Wipro customer said it appears at least 11 other companies were attacked, as evidenced from file folders found on the intruders’ back-end infrastructure that were named after various Wipro clients. That source declined to name the other clients.

The other source said Wipro is now in the process of building out a new private email network because the intruders were thought to have compromised Wipro’s corporate email system for some time. The source also said Wipro is now telling concerned clients about specific “indicators of compromise,” telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

Wipro says it has more than 170,000 employees helping clients across six continents with Fortune 500 customers in healthcare, banking, communications and other industries. In March 2018, Wipro said it passed the $8 billion mark in annual IT services revenue.

The apparent breach comes amid shifting fortunes at Wipro. On March 5, the State of Nebraska abruptly canceled a contract with Wipro after spending $6 million with the company. In September 2018, the Nebraska Department of Health and Human Services issued a cease-and-desist letter to Wipro, ordering it to stop work on the upgrade to the state’s Medicaid enrollment system, and to vacate its state offices. Wipro is now suing Nebraska, saying its project was on schedule and on budget.

In August 2018, Wipro paid $75 million to settle a lawsuit over a botched SAP implementation that reportedly cost the National Grid US hundreds of millions of dollars to fix.

Another curious, if only coincidental, development: On April 4, 2019, the government of India sold “enemy” shares in Wipro worth approximately $166 million. According to this article in The Business Standard, enemy shares are so called because they were originally held by people who migrated to Pakistan or China and are not Indian citizens any longer.

“A total of 44.4 million shares, which were held by the Custodian of Enemy Property for India, were sold at Rs 259 apiece on the Bombay Stock Exchange,” The Business Standard reported. “The buyers were state-owned Life Insurance Corporation of India (LIC), New India Assurance and General Insurance Corporation. LIC”

Wipro is expected to announce its fourth-quarter earnings report on Tuesday, April 16 (PDF).

Update, April 16, 9:11 a.m. ET: Not sure why it did not share this statement with me, but Wipro just confirmed to the India Times that it discovered an intrusion and has hired an outside security firm to investigate.

Update, April 17, 2:33 p.m. ET: Check out my latest story on the Wipro breach, the latter half of which includes important new updates about the breach investigation.


75 comments

  1. I’m sure this has nothing to do with their frictionless security posture.

    https://www.bankinfosecurity.asia/interviews/wipros-new-ciso-on-frictionless-security-i-4239

    • “Security cannot be a show stopper for business priorities,” he stresses in an interview with Information Security Media Group.

      Good, fast, cheap…you know the rest.

    • “Wipro Frictionless Security…we provide the lube!”

    • Whoever gives up security for convenience will get pwned. We see this over and over again, on an almost daily basis with corporations and, needless to say, proletariat users. We see this reported regularly on Krebs, and we get admonitions about this daily from DHS-US-CERT and CISA. And they keep getting pwned. Why? Because…

      In making money, first and above all else, we trust and …. the rest!

      It’s like Mr. Robot is active and running rampant in the real world, without the altruistic motives given in the show!

  2. And this is shocking why? The accountability culprit for the August fine should be the individual within National Grid who went the cheap route outsourcing with a non-US entity.

    Keep outsourcing geniuses to 3rd parties without appropriate protections…. since anyone can pass an audit test.

    • That’s exactly right. Aren’t most audit tests for third parties typically an assessment questionnaire?

      1. Do you have anti-virus?

      2. Do you not not have anti-virus?

      3. Do you don’t not have anti-virus?

      Congrats! You answered all 3 questions correctly.

      • It is high time software developers take responsibility for such security breach. Companies like M$ are the reasons behind this as they always want to keep their end-users brainless and dumb.

      • Lol 3 out of three

  3. The Sunshine State

    You start to wonder if the Wipro customer breach information is being used by scammers in India to contact people in the United States to gain a social engineering advantage.

    I always wondered about this issue when it comes to Dell computer scammers knowing the information on what make and model you have along with the ID information.

    Is Dell Computer a Wipro customer?

  4. Just wondering, legally, when involving international crime like this, where do the laws apply when the victim is in country A, the data is managed by company B, and the bad guy is in country C?

    I always disliked giving my PII to foreign customer support firms representing US corporations when they can look up my account information to assist me with my phone bill or whatever service the US corporation provides.

    Do they store the information domestically or offshore? What happens to the data when the contract ends? What safeguards are in place to prevent a foreign company from misusing data?

    Not expecting answers, because a lot depends on so many variables that make enforcing laws and legal agreements complex and complicated. My comment is that this kind of story keeps me up at night with the opinion that US corporations give away our information for the sake of profit.

    • How is that any different from a rogue U.S.-based customer service agent doing the same thing?

      • How is it different, you have a reasonable (though far from perfect) chance to seek legal remedy. Do you really think you have the same chance in India?

        • If your contract is with the US company you will always have right of redress against them for breach of contract in the US.

          Whether it is legal for them to transfer data outside will depend on US law (which I am not familiar with) and will probably depend on if you consented (which you almost certainly would have done as part of the contract).

  5. In all honesty I’m so tired of those big companies outsourcing pretty much everything to the Philippines or India. I needed to settle my bill with the health insurance company and I couldn’t understand a word the guy was saying on the phone. Plus I don’t really feel comfortable giving out my private info to some fella in India that probably types it all into a bug-ridden system.

    • It’s not so much that outsourcing is done to foreign countries, but that it’s done to the cheapest provider.
      That provider might be in your own country, but it’s easier to provide a cheap service in an environment which has weak regulation, a largely unregulated labour market, and poor cyber security compliance, particularly where these are exacerbated by commercial pressures driving costs down.
      Fast, cheap, and secure rarely can all be had at the same time.

      This is why we refuse to outsource anything, because our IP, staff PII and reputation are more important to us than the ongoing costs.

  6. There is no better system to compromise than the one that connects to all your systems and pushes all your patches. The follow on to that is that if you can get to the IT admins that have all the access in your company, you can do much the same damage.

    We need to let the investigation play out, but I expect if this attack is verified, then it was likely perpetrated specifically to get inside Wipro’s customers.

    It is hard to ALWAYS get security right, and if you are facing a well funded and persistent attacker, they will almost always find a foothold, a lot of times through layer 8 (people). The most important thing is to detect them before things go horribly wrong. Hopefully Wipro / CERT / Forensicators will release the true story so we can all learn from this incident (assuming it has occurred).

    I have worked with a lot of people and teams from India and you get good and bad, just like you do in the US, or I suspect any other country out there.

  7. So many linked requests daily from Wipro/Silverlink guys. Good riddance.

  8. I see so many people commenting about hackers taking away US customer details; people need to understand the magnitude of this issue is bigger than US nationals’ personal data. It is every customer of Wipro, and US companies are not the only clients for Wipro.
    I understand business being outsourced to a company out of country might give insecurity, but the companies that are outsourcing and the companies that are serving are not small companies and they understand lawsuits, so for both these companies security of data is top priority.

    This is not the first time a company’s security has been breached, irrespective of where the company is operating from. This incident would have happened even if the company were fully operational within the US as well.

    • To be fair, security practices tend to be a lot more lax and qualifications of the people actually doing the job (not just showing up for the contract award) are more lacking the further offshore you go. So while you’re right that anyone could be hacked, where you set the bar makes a difference. You can die in any car but some are still a lot safer than others.

      • See Equifax, Google, the US DoD, the OPM hack, etc etc etc. US based companies are no better off in most cases.

      • Prove it. I am a software engineer (programmer) and I have seen a LOT of US programmers (both US-born and immigrant) who write insecure code. I have also seen a lot of operations and IT staff who just don’t care about security. Examples include storing Amazon and Azure credentials on public wikis, not validating data from the network, not validating certificates, not regularly changing production credentials, using insecure cryptographic algorithms (MD5, SHA1, DES, 3DES, etc.).

        The reality is computer security doesn’t depend on ethnicity or nationality. It depends on attitude, skill and organization. Some organizations and people really care about it and they have systems which are harder to hack. Others don’t and they have more problems.

      • Geography is only incidental to this situation. The organization was selected because it provided access to a host of other valuable organizations behind it.

        This attack was against a services company. The attack could have been against a cloud organization (but, in truth, services companies have more direct hooks into their customers’ networks). The biggest services companies are in jurisdictions that have a cost advantage. These places might also have poor legal standards related to PII and such, but that is actually incidental to the weak corporate processes.

        Some have already used the example of Equifax, an organization which purports to have high standards in a jurisdiction with strong legal protections, and that has managed to have no bearing on the outcome of their breach.

        Companies are going to continue to get breached — at an ever increasing rate — until the penalties (mostly in the form of going out of business) start to take effect, and they have to rethink the entire “speed of doing business” argument (or, at least, adjust it to a different speed).

        For now, most orgs will simply pay lip service to security, but their spending and business processes/priorities will betray what they think about the matter.

  9. The FDIC just issued a warning last week. Banks have to notify regulators in writing of any bank outsourcing agreements. It was the first “managing third party risk” regulatory update since 2008. https://www.fdic.gov/news/news/financial/2019/fil19019.html

  10. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks.”

    1. What in the hell is a “system of advanced security technology?”
    2. Clearly, the advanced technology did not stop threat actor/s from gaining a foothold into their network.
    3. Maybe they should start sending those IOCs to all their customers, not just the ones that know about the breach.

    • 1. What in the hell is a “system of advanced security technology?”
      Only guessing, but this would typically be the people, process and tools of a cyber security programme. Standard loadout would include NGFW, EPP, EDR, Email Protection (Proofpoint, Mimecast, MS ATP), UBA, SIEM, Server Hardening, Vuln Mgmt, Patch Mgmt, AppSec, FIM, IAM, DLP, 2FA/MFA, CASB, DFIR, SE testing/training (and a lot more).

      2. Clearly, the advanced technology did not stop threat actor/s from gaining a foothold into their network.

      Defenders have to be right 100% of the time; the attacker only has to be right once. Systems get compromised daily at most companies. It is about being able to find the compromised system and stop the attack early in the kill chain. Once the attacker is living off the land, it can get a lot harder unless you have done a good job deploying deception.

      3. Maybe they should start sending those IOCs to all their customers, not just the ones that know about the breach.
      Assuming this is a targeted attack, IOCs would primarily be attributed to the attacker and potentially this specific attack, but agreed, publicize them or IOC Bucket them.

  11. Maybe companies shouldn’t outsource their IT to a company headquartered and primarily operated in a country ranked among the worst in the world for cybersecurity. Maybe they shouldn’t outsource their IT at all. You get what you pay for.

    https://qz.com/india/1544739/india-ranks-among-the-worst-in-the-world-for-cybersecurity/

  12. we tried, we failed, wipro…

  13. In the UK, Wipro have a large and infrastructure-critical customer base. National Grid (UK) has been and perhaps still is a longstanding customer. So no surprise NG(US) went to the same; the decision was probably made by the UK board. Essential companies in the real-time operation of the UK’s energy systems such as Xoserve and Elexon have been and quite likely still are Wipro customers. So, any hostile state-sponsored attack has plenty of “juicy targets” to focus on.

    • “Wipro confirms attack on IT systems, hires forensic investigation firm. Wipro confirmed its IT systems have been attacked and said it has hired a forensic firm, after cybersecurity investigation website KrebsOnSecurity reported that hackers had compromised the IT company’s systems and used them to launch attacks on the firm’s clients.”

      Well done, Mr. Krebs.

  14. Hi

    I am a tech journalist based in Bangalore.
    I would like to be put on your mailing list for updates.

    Thanks

    Mini Tejasvi
    Deputy Editor
    The Hindu
    Bangalore
    India
    98869 97970

  15. Their logo looks like the spiral from Game of Thrones, coincidence?

  16. ChrisSuperPogi

    Incidentally:

    “Wipro is expected to announce its fourth-quarter earnings report on Tuesday, April 16 (PDF).”

    Just saying…

  17. Brian,

    Not sure if this is a topic you cover in your blog, but I was wondering if you’ve read Google’s documents on how they are implementing security? It’s called BeyondCorp and I think they have 4-6 short (usually less than 10 pages) on their thoughts and the implementation of it.

    They aren’t fond of a strict perimeter defense (castle/moat) and instead strictly control mobile devices, authenticate them, use reverse proxies, etc.

  18. I see a lot of comments mentioning how US shouldn’t be outsourcing to India or other countries. We live in a “capitalist” nation. Be the first to market, make it cheap, hence, outsourcing. Flaws and security are afterthoughts. Until our government starts holding executives personally accountable for security (be it HIPAA, PII, FERPA, PCI, or other), this problem will continue, not just from outsourcing, but within the US borders as well.

    Make it cheap,,,, make it fast,,,,,

  19. Security doesn’t matter to most of the outsourcing firms, which means there is no proper background check for employees. Any account manager can do any corruption inside the projects. Security is always in jeopardy … Good luck to all companies who are saving millions…..

  20. They hired an outside security firm. Who probably outsources to another firm.

  21. Yesssssd
    Is a cool point
    Just call me

  22. Just yesterday, we faced similar type of phishing attack from our IT vendor.

    I and several others in our organization received a broadcast phishing email from one of our IT vendor’s employee email IDs. When we checked with the vendor, he said he did not send the email and it was triggered automatically when he clicked on a link that came in a similar email which he himself got. We were advised to immediately delete the emails.

    If you need further details to see if these are connected attacks, please write to me.

    Regards

  23. “Advanced” phishing attack…..no way they fall for the “Basic” phishing attack.

  24. So many of these places can’t even patch or get rid of operating systems that are from 25 years ago. No wonder why they keep getting pwned. FAIL

  25. Security is always an afterthought in so many places still. Some organisations will learn the hard way before they take security seriously. Their statements about this breach are such fluff from Wipro!

  26. Brian Cummings

    Curious. Wipro claimed in its statement to have “…a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks.” Is this “smoke and mirrors” language, or does such technology exist? If so, I want it!

  27. Lol, I don’t think their “System of advanced security technology” works as well as they would like us to think…

  28. All the comments here pretty much say that Indian outsourcing companies have poor security. What about IBM and HPE when they got hacked 4 months back? Any comments on that? Guess not! I think most of you are pure racists.

    https://www.cnbc.com/2018/12/21/china-hacked-hpe-and-ibm-and-then-attacked-their-clients-sources-.html

    • Both can be true and bad. IBM and HPE/DXC can get hacked and Indian outsourcing companies can have a history of terrible security. I don’t like either scenario, especially considering all those companies have access to tons of other ones that probably have my data somewhere somehow.

      Funny you mention IBM and HPE/DXC though, since IBM has more employees in India than the US and has for many years. HPE/DXC doesn’t publish those numbers, but I suspect it’s the same.

    • Chill out, Brian

      “Whataboutism” at its finest.
      This is a false dichotomy. It can be true that both Indian outsourcing companies have poor security (many do) AND that IBM and HPE got hacked.

      Security among organizations in the US is bad, but I, like many of those who have posted comments here, have witnessed first hand how much WORSE it is in many outsourced service companies. Many of those companies operate out of India.

      These are statements of fact. They can certainly be argued as to whether or not they are true, but they in no way speak ill of the people who live and work in India. To suggest that racism is the motive behind the statements is quite the illogical leap.

      I suggest that you not try to read the minds of others that you do not personally know, and that you chill out with your accusations of racism. People are commenting about Indian outsourcing companies because that is what the article is about. The article wasn’t about IBM or HPE. You are changing the subject rather than making a substantial point.

    • The “Brian” claiming racism is actually a Wipro exec. Ignore him.

  29. What does Wipro have on the Clintons?