Wipro Hackers Also Went After Seven Other Solution Provider Giants: Report

The threat actors responsible for launching a successful phishing campaign against Wipro in March also appear to have targeted Avanade, Capgemini, Cognizant, Infosys, PCM, Rackspace and Slalom, according to KrebsOnSecurity.


Wipro was just one of eight major solution providers targeted by a cybercrime group in an apparent attempt to perpetrate gift card fraud, according to KrebsOnSecurity.

KrebsOnSecurity reported that the threat actors responsible for launching an advanced phishing campaign against Bengaluru, India-based Wipro in March also went after the following global outsourcers, systems integrators and MSPs: Avanade, Capgemini, Cognizant, Infosys, PCM, Rackspace and Slalom. None of those companies immediately responded to requests for comment.

"It's a scary time," said one East Coast MSP who didn't wish to be identified. "Some of the people on this list have the best security money can buy. I hope it's working for them, because if it's not, this problem got a lot bigger."


An Avanade spokesperson confirmed that the Seattle-based solution provider was also a target of the multi-company security incident, with 34 of the company's employees being impacted in February.

However, the spokesperson said there was no impact to Avanade's client portfolio or sensitive customer data since the company was able to swiftly contain and remediate the situation by leveraging its cyber incident response efforts and technologies. And a review by the Microsoft-Accenture joint venture concluded that the February breach was an isolated incident, the spokesperson said.

"Our security defenses have continued to protect against any potential threat related to this matter," Avanade said in a statement. "And we continue to take our responsibility to safeguard our clients' data with the utmost seriousness."

Rackspace, meanwhile, said it doesn't have any evidence indicating that there has been an impact to the company's environment, according to a company spokesperson. And Infosys stated that it hasn't observed any breach of its network based on its monitoring as well as a thorough analysis of the indicators of compromise that the IT outsourcing behemoth received from its threat intelligence partners.

The Rackspace and Infosys statements neither confirmed nor denied that the solution providers were a target of the threat campaign that compromised both Wipro and Avanade. The remaining companies—Capgemini, Cognizant, PCM and Slalom—haven't responded to requests for comment.

Wipro earlier this week reached out to concerned clients about specific "indicators of compromise," or clues that might signal an attempted or successful intrusion. KrebsOnSecurity Wednesday published the list of IoCs that Wipro had distributed to partners, which included a list of eight malicious domains.

For one of the domains that appears on the list, internal-message[.]app, KrebsOnSecurity said a single Internet address is tied to all of the subdomains. The address is owned by King Servers, a well-known hosting company based in Russia, KrebsOnSecurity said.

The internal-message[.]app address is home to likely phishing domains for Wipro and the six other IT services behemoths, as well as for a handful of major retailers, banking and financial services firms, and technology vendors, according to records maintained by Farsight Security. KrebsOnSecurity said the list of subdomains suggests that attackers may have also targeted these firms.

Four of the targeted IT firms appeared in the top 40 of the 2018 CRN Solution Provider 500: Capgemini (No. 4), Cognizant (No. 6), PCM (No. 25), and Slalom (No. 37). In addition, Avanade was No. 28 on the 2017 CRN Solution Provider 500.

The adversary responsible for breaching Wipro appears to be after anything they can turn into cash relatively quickly, KrebsOnSecurity reported Wednesday. The phishing attacks against Wipro captured dozens of company employees and more than 100 computer systems, according to KrebsOnSecurity.

One large retailer and Wipro customer told KrebsOnSecurity that the threat actors who broke into Wipro used their access to perpetrate gift card fraud at the retailer's stores. The source added that the attackers also searched the victim's systems for specific phrases related to gift cards, as well as for clues about security systems the retailer was using, KrebsOnSecurity said.

It's unknown exactly how successful the adversaries have been in compromising the systems of solution providers other than Wipro and Avanade, which both admitted this week they had been breached.

However, just last year, rewards program management firm Maritz Holdings sued Cognizant, alleging that a forensic investigation determined that hackers had broken into Maritz's systems and used that as a launching point for attacks against its loyalty program, ultimately siphoning off more than $11 million in fraudulent eGift cards, KrebsOnSecurity reported.

The forensic investigator for Maritz determined that attackers had run searches on the company's system for words and phrases connected to the Spring 2016 eGift card heist, KrebsOnSecurity reported.

Bob Venero, president and CEO of Holbrook, N.Y.-based Future Tech Enterprise, No. 115 on the CRN SP500, said many large IT outsourcing providers are doing their customers an injustice by not investing more in "protecting their customers' information and data." Venero said he sees the Wipro breach as a supply chain security issue for customers that have been impacted via an IT service provider security hole.

"These IT service provider breaches are essentially supply chain breaches since the attacker used a phishing campaign to get into internal systems that housed customer information and data," Venero said. "We have worked with a lot of our customers to ensure a secure supply chain with audits associated with our own supply chain in support of our customers."

Steven Burke And O'Ryan Johnson Contributed To This Story