Last week, I wrote about the Wipro hack (if you didn’t see that post, click on the search box and enter Wipro). While Wipro is being pretty close-mouthed about what happened due to the inevitable lawsuits, SLA complaints and even claims of breached contracts, it isn’t stopping the media from reporting on it.
In fact, Wipro would probably have been better off addressing the issue rather than attempting, unsuccessfully, to stonewall the media.
When Brian Krebs, who was the first to report on this, reached out to Wipro for a comment, they took several days and then came back with a non-answer that said how wonderful their security was.
Apparently their incident response program didn’t include how to deal with the media.
After Brian’s story broke, Wipro decided to talk to a (perhaps friendlier) Indian media outlet and reported that they had a breach. They did not reach out to Brian.
The next day they had a quarterly investor conference call (bad timing for them) and their CEO said that many of Brian’s details were in error. They basically said that the issue was handled.
Brian then asked Wipro’s CEO what parts of the story were in error; instead of responding, the CEO read a PR statement about their response to the incident.
Note that if you are going to call a reporter a liar, you probably ought to be able to back that up, because the reporter is likely to call you out on it otherwise.
The CEO did agree to have a one-on-one call with Brian, a statement that another reporter recorded and posted on Twitter.
During the follow up call, the CEO took issue with Brian’s statement that the incident lasted months. When Brian asked when it did start, the CEO said he didn’t know but surely it wasn’t months.
It would seem that if you are going to put your CEO on a one-on-one call with a reporter, you probably ought to make sure that the CEO is prepared.
The CEO also claimed that the company was hit by a zero-day attack. Given that they are a very large IT services firm, that doesn’t seem like a great defense. Certainly, no one is bulletproof, but you need evidence.
When asked about the details of the zero-day, they have been quiet other than to say that they shared the details with their anti-virus vendor, and apparently no one else.
That is very unusual for zero-days. Generally, if you think you have uncovered something new, you want to let others know so that they don’t get hit by the same attack.
In reality, according to Brian, they probably meant that zero-day in this context means an attack that their anti-virus software didn’t catch. Unfortunately, nowadays, that is not much of a surprise. Anti-virus software, unless it is very special (there are a few such products, but none of the typical mainstream ones), will only catch basic attacks.
A few hours after the call, Brian heard from one of Wipro’s customers in the US. They decided to sever all electronic communications with Wipro as a result of the attack since Wipro was found to be attacking this customer. This is the exact right thing to do. Disconnect now and then figure out IF and WHEN you should reconnect. This should only happen after the customer is sure they are safe.
A large retailer who is a Wipro customer said that the attackers used the compromise to execute a gift card fraud attack, something that would generate cash right away.
India has no laws requiring a company to disclose a breach, so anyone who is outsourcing to India (and other countries) needs to make sure that, contractually, the outsourcer must report any cyber incident to the customer, and report it within, say, 24 hours. That way, if it doesn’t happen, it is a breach of contract that can be dealt with in any number of ways. Source: Brian Krebs.
Since this story won’t go away, Brian reported the next day that not only was Wipro attacked, but other Indian outsourcers were attacked. Specifically, Infosys and Cognizant were also attacked.
It appears that some of the companies the hackers were after were Sears, Green Dot (the prepaid credit card company), Elavon (credit card processor), Rackspace, Avanade, Capgemini and others. Looking at this list, it is clear the attackers want fast money (Sears) but also more victims, by attacking a bunch of outsourcers like Rackspace, Avanade and Capgemini.
Sources are saying that the attack may have been initiated by hacking remote desktop software, Screen Connect. That is consistent with an alert I got from Homeland Security over the weekend that said that hackers were using remote access software to perpetrate attacks and mentioned Screen Connect by name. Possibly that is a coincidence, but I doubt it, given the timing.
Some of the companies mentioned confirmed the attack in an additional post of Brian’s.
Bottom line is that when it comes to breaches, stonewalling DOES NOT WORK. Period. Plan your response long before you are going to need it. That is just smart. The media will keep reporting on it until you either deal with the core issues or look like a bumbling idiot; Wipro opted for the second, in my opinion.