Avanade, Capgemini Also Hit In Campaign Tied To Wipro Hackers

The cybercriminals that compromised dozens of Wipro employees were also able to successfully breach solution provider giants Avanade and Capgemini, both companies acknowledged.

An Avanade spokesperson confirmed that the Seattle-based solution provider was also a target of the multi-company security incident, with 34 of the company's employees being impacted in February. The $2 billion company employs 30,000 professionals, and was No. 28 on the 2017 CRN Solution Provider 500.

However, the spokesperson said there was no impact to Avanade's client portfolio or sensitive customer data since the company was able to swiftly contain and remediate the situation by leveraging its cyber incident response efforts and technologies. And a review by the Microsoft-Accenture joint venture concluded that the February breach was an isolated incident, the spokesperson said.

[Related: Wipro Hackers Also Went After Seven Other Solution Provider Giants: Report]

"Our security defenses have continued to protect against any potential threat related to this matter," Avanade said in a statement. "And we continue to take our responsibility to safeguard our clients' data with the utmost seriousness."

Similarly, Capgemini said its internal Security Operations Center (SOC) detected suspicious activity on a "very limited number" of laptops and servers between March 4 and March 19. The malicious behavior showed similar patterns to the attack faced by Wipro, according to a company spokesperson.

Immediate remedial action to the compromise took place, according to Paris-based Capgemini, with neither the company nor any of its clients experiencing any impact to date. The $14.86 billion company employs 200,000 people, and is No. 4 on the 2018 CRN Solution Provider 500.

KrebsOnSecurity first reported Thursday that the threat actors responsible for launching an advanced phishing campaign against Bengaluru, India-based Wipro in March also went after Avanade, Capgemini, Cognizant, Infosys, PCM, Rackspace, and Slalom. The campaign appears to be perpetuated by a cybercrime group looking to carry out gift card fraud, according to KrebsOnSecurity.

PCM declined to comment, while Slalom hasn't responded to multiple requests for comment.

Rackspace, meanwhile, said it doesn't have any evidence indicating that there has been an impact to the company's environment, according to a company spokesperson. Infosys stated that it hasn't observed any breach of its network based on its monitoring and a thorough analysis of the indicators of compromise that the IT outsourcing behemoth received from its threat intelligence partners.

And Cognizant said a review following media reports of the Wipro breach hasn't found that any client data has been compromised. The Teaneck, N.J.-based company, No. 6 on the 2018 CRN SP 500, said it has put additional security protocols in place following this specific industry-wide incident.

The Rackspace and Infosys statements neither confirmed nor denied that the solution providers were a target of the threat campaign that compromised Wipro, Avanade, and Capgemini. Cognizant, meanwhile, said it isn't unusual for a large company like theirs to be a target of a spear phishing attempts such as this.

Wipro last week reached out to concerned clients about specific "indicators of compromise," or clues that might signal an attempted or successful intrusion. KrebsOnSecurity Wednesday published the list of IoCs that Wipro had distributed to partners, which included a list of eight malicious domains.

For one of the domains that appears on the list - internal-message[.]app -, KrebsOnSecurity said a single Internet address is tied to all of the subdomains. The address is owned by King Servers, a well-known hosting company based in Russia, KrebsOnSecurity said.

The internal-message[.]app address is home to likely phishing domains for Wipro and the seven other IT services behemoths, as well as for a handful of major retailers and banking and financial services firms, according to records maintained by Farsight Security. KrebsOnSecurity said the list of subdomains suggests that attackers may have also targeted these firms.