Wipro, one of the country’s biggest software exporters has been reported to be the target of an attack from hackers. Earlier this week, cybersecurity portal KrebsOnSecurity reported that it had been informed by two independent, trusted ‘expert’ sources that Wipro was undergoing a “multi-month intrusion from an assumed state-sponsored attacker”.

Wipro immediately proceeded to issue a statement that said that there was an indicator of a “potentially abnormal activity” in employee accounts. However, light has not been shed on what the actual issue was.

The ‘KrebsOnSecurity’ Narrative

The sources who revealed the information to the portal were kept anonymous. However, they did state that not only was Wipro compromised, but that their systems were used as entry points to compromise other systems.

These systems belonged to Wipro customers, around 11 of which have already been compromised. This information was found by inspecting file folders on intruders’ back-end infrastructure. These clients were also targeted for phishing attacks using Wipro’s credentials.

When reached for comment, an executive at Wipro stated that the company has a “multilayer security system” that is monitored constantly at a “heightened level of alertness.”

One of the sources even stated that Wipro was building a whole new private email network to boot the invaders out. Post this, the source also stated that Wipro was briefing their clients on cybersecurity practices of “indicators of compromise”.

Wipro’s Narrative

After sending out an email to multiple news publications stating that they were “leveraging industry-leading cybersecurity practices” to address the issue. The statement also mentioned that they have begun an investigation to “identify the affected users” and take remedial steps to control impact.

In a statement to ET, Wipro executive Abidali Neemuchwala stated that these attacks are “common in the industry”, adding that they have a “pretty good email system”. He also described the attack to have taken place by taking advantage of a zero-day vulnerability. This stands in stark contrast to what was said by Krebs, as a multi-month attack would have been discovered and patched if it was functioning on a zero-day vulnerability.

The head of HR at Wipro, Saurabh Govil, stated that the company has a training program to prevent against common attack vectors such as phishing attacks. He stated

“The company has a training programme where phishing mails are generated internally and sent to employees. If an employee clicks on it, they are sent to training.”

Damage Control Or Reality?

Many argue that this can be seen was an attempt to control damage, as the stock of the company was quickly tanking after the article. However, Wipro did mention that they had already informed a handful of their customers.

It is to be noted that the company is liable legally to reimburse any costs that the security breach might have caused. This was also one of the risk factors that the company had mentioned in their annual report.

In the report, they stated that they could be subject to “significant liability” in the event of data being misappropriated by employees or former employees. The reason for the liability incurred is for “breaching contractual confidentiality provisions” and various laws regarding data privacy.

Reportedly, the company’s COO addressed various analysts on a post-earnings call. This prompted the author of the original article, Brian Krebs, to ask what the inaccuracies in his report were. The COO then asked Krebs to join him ‘on a seperate call’.

In a tweet, Krebs stated, “They’re (Wipro executives) happy to tell investors my story is full of holes but when I ask them to their face to say where the piece was in error, they dodge the question. Definitely the behaviour of a company with nothing to hide.”

A Potential Attacker

It is also to be noted that this specific attack vector and target is indicative of the attack strategies of Chinese hacker group APT10.

The group targets service providers such as Wipro to discover vulnerabilities in their systems. They then use them as a method to attack their clients, which are usually decided by Chinese national security goals.

The group also acquires “valuable military and intelligence information”, along with business data to support Chinese companies, according to a statement by FireEye. They also said

“APT10 has targeted or compromised manufacturing companies in India, Japan and Northern Europe; a mining company in South America and multiple IT service providers worldwide.”

APT10 could have used Wipro as a ‘soft underbelly’ of sorts, as it is quite possible that they could have compromised the systems. They have a multitude of malware that they have developed for use as backdoors, so as to gain access to targets.

Currently, Wipro has employed a cybersecurity forensics company to find what issues occured with their systems. The story is yet to develop.