24 April 2019

Breaking Down The Wipro Breach -- And What It Means For Supply Chain Security

Kate O'Flaherty

Supply chain security is certainly a hot topic. The Target breach and, more recently, the British Airways hack were both caused by weaknesses in the supply chain.

Yesterday, it emerged that Indian outsourcing consulting giant Wipro is investigating reports that its own internal IT systems have been hacked. Sources told Krebs On Security that adversaries are using Wipro’s systems to launch attacks against “at least a dozen” of the firm’s customers.

It came after two sources told Krebs that an assumed nation state actor had been inside the system for multiple months, looking for opportunities to target Wipro’s customers.

Then another two sources came forward. The first, familiar with the forensic investigation at a Wipro customer, told Krebs that, after viewing file folders containing client names on the adversaries’ back-end infrastructure, they thought at least 11 other firms had been attacked.

The second source told Krebs that Wipro’s corporate email system had been compromised for some time and the firm was now building out a new private email network. The source also said Wipro was telling its customers about the tactics, techniques and procedures (TTPs) that could signify a successful intrusion.

Wipro has come under fire before: in 2017, UK-based ISP TalkTalk was fined after data belonging to 21,000 customers was exposed by rogue staff at Wipro, which TalkTalk had hired to resolve complaints and network problems.

What does Wipro say?

Wipro says it is investigating following an advanced phishing campaign targeting its employees. The firm sent me the following statement by email: “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign. Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.

“We are leveraging our industry-leading cyber security practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture. We have also retained a well-respected, independent forensic firm to assist us in the investigation. We continue to monitor our enterprise and infrastructure at a heightened level of alertness.”

Who are Wipro’s customers?

Many of Wipro’s customers operate in industries that would be a major target for hackers, especially state-sponsored ones. They include oil and gas, automotive, aerospace and defense, banking and healthcare organizations, among other industries.

Among the named current and former customer case studies on Wipro’s website are RHT Health Trust and LA Care Healthplan.

But Wipro has had a few issues over the last year. In September 2018, one healthcare client, the Nebraska Department of Health and Human Services, suddenly ordered Wipro to halt its work on the upgrade to the state’s Medicaid enrolment system. Wipro is now suing the organization.

And just a month earlier the firm had paid $75 million to settle a lawsuit after it botched an SAP implementation on the US National Grid.

What does it mean?

Wipro’s share price fell today (April 16).

Wipro is announcing its fourth quarter earnings today, but it is unlikely that this incident will have had any immediate impact on the firm, says Tom Tahany, intelligence analyst at Blackstone Consultancy. Fast forward six or 12 months, however, and that could be very different.

“The possible reputational damage which Wipro will have to combat is likely to be the toughest to manage and overcome. It is too early to say whether they will succeed in overcoming this, but it is certain that their PR machine is currently working overtime to try and soften the hit both immediately in terms of current share prices, and in the longer term.”

This is not the first attack of this nature, says Tahany. He points out that in January of this year, the US National Counterintelligence and Security Center launched a campaign to warn businesses about the risks related to cyber-attacks from foreign intelligence entities. “They identified corporate supply chains as one of the primary targets, wherein actors attack a business' suppliers to gain access to the end client's corporate network. It seems highly likely that Wipro was used as the soft underbelly to breach third parties.”

Meanwhile, Krebs mentions a “curious, if only coincidental, development” that took place on April 4, 2019. The Indian government sold “enemy” shares in Wipro worth around $166 million.

Enemy shares are apparently so called because they were originally held by people who migrated to Pakistan or China and are not Indian citizens any longer.

According to the Business Standard, the buyers were state-owned Life Insurance Corporation of New India Assurance and General Insurance Corporation.

Who are the perpetrators?

It is thought the alleged attack was state-sponsored, but by whom? Ian Thornton-Trump, security head at AMTrust Europe, suggests this could be an APT10 attack, which he says “almost always” starts with a phish.

Of course, it is impossible to firmly attribute the attack at this stage, and Thornton-Trump was not able to offer any specific evidence supporting this theory.

I contacted the Chinese Embassy for comment and will update this story if and when they reply.

APT10 – also known as Red Apollo, Stone Panda and MenuPass – is a Chinese hacking group with a penchant for attacking managed service providers. Last year, the Australian Cyber Security Centre blamed it for attacks on at least nine global service providers.

Also last year, in December, the UK’s National Cyber Security Centre said it was aware of current malicious activity affecting UK organisations across a broad range of sectors, likely conducted by APT10.

According to FireEye, APT10 has targeted or compromised manufacturing companies in India, Japan and Northern Europe; a mining company in South America; and multiple IT service providers worldwide.

Outsourcing without oversight: What to do next

Thornton-Trump says the breach is “a huge example of potential outsourcing IT without oversight”.

“We are unfortunately stuck with trust and verify for a very long time and MSPs are always going to be a target by APT groups hoping to hop from the MSP to a target business. Auditing suppliers and service providers has to have more due diligence than a bunch of questions at time of purchase. Vigilance is required through the life of the engagement.”

The full extent of the breach is not in the public sphere as yet and at this stage, there is “only so much that those who outsource their IT to Wipro can do”, says Tahany. “Wipro have not said which of their clients were affected, but it is vital that companies attempt to contain and silo information in the hope that the attackers do not yet have carte blanche access.”

But according to Tahany, this breach should be a wake-up call both to outsourcing companies and to firms that outsource their IT. At the same time, he points out, the breach comes two months after the newly appointed Wipro CISO, Sridhar Govardhan, said that frictionless security should be the goal of all providers, and that “security cannot be a show stopper for business priorities”.

Whoever was responsible for the breach, third-party companies will always be a target for attackers looking for weak points. It’s important for outsourcing firms to look carefully at their own security, and for clients to be careful about who they trust. “IT outsourcing companies should see the security of their systems and their clients’ data as paramount,” says Tahany. “Companies that outsource their IT should understand the threats and risks that outsourcing poses – and ensure that they have internal measures in place wholly separate from the third party company to try and mitigate this very real threat.”