Cyber Incident Victim: Wipro
Date: Apr 2019
Location: India
Summary
Wipro Ltd., an Indian IT outsourcing firm, experienced a multi-month security breach where attackers compromised its systems to launch phishing expeditions targeting at least a dozen customer networks. The intrusion, suspected to involve state-sponsored actors, leveraged the company's infrastructure as a launchpad for malicious reconnaissance activities traced back to partner systems. Forensic evidence indicated compromised customer folders on attacker-controlled infrastructure, and Wipro’s corporate email system was believed to be breached, prompting the deployment of a new private email network. While the company acknowledged having robust security measures and monitoring protocols, it did not directly address reports of the incident or confirm customer impacts. The breach occurred amid prior contract cancellations and legal disputes involving Wipro’s services.
Description
In early April 2019, multiple anonymous sources reported to KrebsOnSecurity that Indian IT outsourcing firm Wipro Ltd. was investigating a cybersecurity breach involving its internal systems. The intrusion, described by security experts as a multi-month campaign likely orchestrated by a state-sponsored actor, had compromised Wipro's network to launch attacks against its clients. Evidence indicated that malicious actors used Wipro's infrastructure as a launchpad for phishing expeditions targeting at least a dozen customer systems. Wipro customers detected suspicious network reconnaissance activity originating from partner systems directly connected to Wipro's network, prompting external inquiries. When contacted by KrebsOnSecurity on April 9, Wipro initially delayed its response before issuing a non-specific statement on April 12 that acknowledged neither the breach nor customer impacts, instead emphasizing its existing multilayer security systems and monitoring processes. The company declined further comment despite subsequent verification from two additional sources familiar with the investigation.

Forensic analysis at one affected customer revealed evidence suggesting at least 11 other companies had been compromised, based on client-named folders discovered within attacker-controlled infrastructure. The intruders had maintained persistent access to Wipro's corporate email system, leading the company to develop a new private email network during its response. Wipro began sharing indicators of compromise with concerned clients to help identify attacker tactics and tools. The breach occurred amid significant business challenges for Wipro, including Nebraska's abrupt cancellation of a $6 million Medicaid system contract in March 2019 following a cease-and-desist order, and an August 2018 $75 million settlement over a failed SAP implementation for National Grid US. Concurrently, the Indian government sold $166 million worth of "enemy shares" in Wipro on April 4, 2019, though this transaction was characterized as potentially coincidental rather than directly related to the security incident.
