Wipro—a large international IT outsourcing and consulting company based in India—issued a statement this week acknowledging reports that it has been compromised by a phishing attack after Brian Krebs of KrebsOnSecurity.com shared information from anonymous sources that customers were detecting suspicious or malicious traffic originating from the trusted connection with the Wipro network.
Wipro Targeted in Supply Chain Cyber Attack
From what we know so far, it seems the attack is the latest in a line of high-profile third-party supply chain attacks. According to the statement from Wipro, a few employee accounts were compromised through a phishing campaign. As the threat landscape evolves and attackers adapt to improved cybersecurity, it is becoming more difficult to identify a well-crafted phishing attack. Nation-state actors and cybercriminals are increasingly adept at duping employees into clicking on malicious files or links or getting them to surrender credentials that enable the attackers to gain a foothold in the network.
The investigation is ongoing, and few details have emerged so far, but from what we do know it seems the attackers made an effort to fly under the radar and avoid detection—which is not at all unusual. A study by the Ponemon Institute found that the average time between initial compromise and detection of an attack was 191 days in 2017. With a dwell time of more than six months, attackers can conduct thorough reconnaissance of the network to identify critical systems and locate sensitive data.
According to Krebs, a source reported that Wipro is in the process of building a new private email network because the intruders are believed to have compromised the Wipro corporate email system for some time. While the details have not been made public, Krebs also shared that Wipro is allegedly telling clients about specific indicators of compromise to watch for, and clues about the tools, tactics, and procedures used by the attackers.
A Better Way with SIEMless Threat Management
With little information and more questions than answers, it’s difficult to speculate at this point about the exact details of how the attack was perpetrated or whether or not the attackers had specific targets in mind. What we can say is that it is evidence that every organization should be concerned about cybersecurity and whether or not they have the platform, intelligence, and experts necessary to detect a similar attack.
The apparent success of the initial phishing attack means that the attackers were able to establish a presence on the Wipro network and conduct reconnaissance using valid credentials. In other words, from a threat detection perspective, it was an insider threat that would appear at face value to be legitimate network activity. Without a platform capable of comprehensive security monitoring, cyber threat intelligence to understand and recognize emerging threats, and the cybersecurity expertise to identify subtle behavior anomalies that are indicators of suspicious or malicious activity, it is challenging to detect and avoid an attack like this.
“This type of breach, affecting a trusted member of any organization’s supply chain, shows the need for those organizations to be vigilant for unusual activity regardless of the source,” explained Jack Danahy, SVP, Security at Alert Logic. “Alert Logic customers come to us for this kind of 24X7 visibility provided through our SOC Services across all of the critical platforms that they care about, and they trust that our experts will know how to identify these attempts to gather intelligence from their systems and respond—informing them in near real-time. Wipro is a large and well-established organization; their vulnerability to this type of attack and the further victimization of their clients shows that all organizations need to protect themselves and ensure their own security, even when they know their partners are trustworthy.”