The Indian information technology consultancy firm Wipro has confirmed to the Economic Times that it is investigating a phishing attack that may have allowed its systems to be used to attack many of its clients.
Wipro believes it was targeted, possibly by a nation-state attacker, which then used the company’s own systems to deliver follow up attacks on at least 12 of its customers, essentially making this a very prominent supply chain attack.
"We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign. Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact," Wipro Ltd said in a statement.
Additionally, Wipro said it has retained an outside forensic firm to assist and that it has in house an extensive security apparatus that is working on the problem.
Matan Or-El, CEO of Panorays, pointed out that companies need to check the security level of all third-party vendors, regardless of their size or prominence in the industry.
"For this reason, companies need to develop a security policy and ensure that their third parties – vendors, suppliers, business partners – adhere to it. This is important not only during screening and onboarding of the suppliers, but throughout their whole business relationship, and requires continuous monitoring of the supplier’s digital presence," he said.
The large number of Wipro customer’s potentially impacted by the breach, which some reports say was on-going for months, will require a serious uptick in their vigilance going forward particularly if the attacker has had time to infiltrate their systems.
"Every Wipro customer should be hyper-aware of the potential of such attacks coming from this previously trusted domain. Employees should be on red alert for any email from this domain until such time as Wipro demonstrates that it’s email system is rearchitected," said Mark Bower, chief revenue officer and North American general manager at Egress Software Technologies.
Because of the tremendous responsibility Wipro has to its customers Bower and Dan Tuchler, CMO of SecurityFirst, said the company needs to be completely forthright let customers know whether they were using message encryption internally to protect customer emails.
"The increasing complexity and interconnectedness of IT infrastructure makes it harder to protect. Wipro, a firm with broad IT expertise, is a victim and a part of a complex hack against some of their customers, despite extensive security and monitoring measures. This underscores the importance of protecting data where it resides on servers, including encryption, comprehensive key management, and data access policy control. These attacks are not going to stop. Organisations must defend the security of their data," Tuchler.
In an email to SC Media UK Dr Darren Williams, CEO and Founder of BlackFog commented: "Phishing techniques have been around for quite some time and many of us wrongly assume that we would be able to spot a phishing attack, but as shown by the Wipro breach, cyber-criminals and hackers are growing more sophisticated by the day, so businesses need to ensure that they are investing appropriately into their cyber-defences. The days of obvious email scams filled with glaring typos and outlandish claims are behind us. Today’s cyber-criminals are sending convincing-looking emails with accurate branding to fool people, and unfortunately, it’s working and can have disastrous consequences.
"It’s therefore vital to ensure that your organisation’s cyber-security uses a layered approach, focusing on different types of breaches. Traditional cybersecurity tools such as AntiVirus solutions are not enough. It's impossible to prevent hackers from getting into your network – but is possible to stop them getting out with your data."
Jake Olcott, VP Government Affairs at BitSight highlights the implications for outsourcing generally, commenting to SC Media UK: "Cyber-risk has to be a major factor in any outsourcing conversation. How is this third party protecting my data? How can I be sure that they will safeguard my data during the lifetime of the relationship? Organisations need to be able to answer these questions during the lifetime of their outsourcing relationships in order to effectively manage cyber-risk."
The original version of this article was first published on SC Media US.