The reported breach of Indian IT giant Wipro earlier this year was but one part in a series of campaigns carried out by a set of money-driven hackers over the last three years, researchers said Wednesday.
The scheme, as documented by cybersecurity company RiskIQ, covered essentially the whole ecosystem of companies involved in gift-card transactions – from distributors to payment processors to IT providers, with shopping-industry giants Best Buy, Costco, and Sears among the organizations targeted with phishing emails. The hackers employed open-source software whose use is difficult to attribute, and they even turned an anti-phishing training platform on its head to target organizations, the researchers said.
“RiskIQ has identified at least five distinct attack campaigns based off analysis of the actor-owned infrastructure,” the San Francisco-based company said in a report.
RiskIQ emphasized that the organizations listed were targeted — but not necessarily breached — by the hackers. However, the report notes, the hackers’ “operational tempo increased to ramp up targeting and scope over time, which indicates that they achieved at least some success throughout their campaigns.”
The hacking aimed at Wipro, first reported in April by journalist Brian Krebs, drew attention because of the size and multinational scope of the company. The IT consultancy and outsourcing company says it has over 170,000 employees and clients on six continents. With access to Wipro, the hackers were able to go after the networks of Wipro’s clients, Krebs reported.
Wipro has released few details about what it has called an “advanced phishing campaign” aside from saying it was investigating a potential breach. Asked what the company had done to shore up its security since the incident, Wipro said in a statement to CyberScoop: “We have now completed the necessary mitigation steps and these have been verified and validated by the independent forensic firm we had engaged to assist us in the investigation.”
“We have put in additional steps to further increase our security posture and continue to monitor our enterprise infrastructure at a heightened level of alertness,” Wipro added.
The new RiskIQ study shows how the hackers may have looked to replicate that formula of targeting IT providers for access to other organizations’ networks. In addition to Wipro, the attackers also probed Rackspace, a San Antonio-based cloud computing company, and Infosys, another Indian IT consulting company, RiskIQ said. The report follows analysis last month from threat intelligence company Flashpoint highlighting how the hackers appeared to be carrying out gift-card fraud in activity possibly dating back to 2015.
Risk IQ threat researcher Yonathan Klijnsma said he expects the hacking group to hit more IT suppliers in the future.
“We believe this targeting simply stems from these suppliers being part of the infrastructure piece for some of the real targets,” Klijnsma told CyberScoop.
Charles Carmakal, vice president at Mandiant, the incident response unit of cybersecurity company FireEye, said his analysts have been tracking the hackers who appear to be behind the gift-card scheme for years.
“Through our incident response engagements, FireEye Mandiant observed this actor leverage their access to victim environments to gain further access to other business partner environments,’ Carmakal told CyberScoop. “The actor commonly uses public or commercially available tools that may already exist in victim environments, such as ScreenConnect, EMCO Remote Installer, CleverControl, Teramind, and Kaseya, to maintain persistence and move laterally within compromised environments.”
Both criminal and allegedly state-sponsored hackers have exploited corporations’ reliance on third-party IT providers to expand their reach into target networks. For example, the group known as APT10, which U.S. officials and researchers have tied to China’s civilian intelligence agency, has reportedly compromised a string of remote IT management systems to steal corporate secrets.
The five malicious campaigns documented by RiskIQ came in waves, lasting a few weeks or months from 2016 to 2019, culminating in the targeting of Wipro. Those waves included short bursts of phishing emails that used landing pages that only stayed active for a day or two.
“It’s not something you just fall into and decide to start doing,” Klijnsma said of the elaborate hacking scheme, explaining why it could have predated the first campaign documented in the report.
Klijnsma said he and his colleagues believe the hackers responsible are cashing out the stolen gift cards but don’t have any insight into how they’re doing it or how much they’ve stolen. Criminal groups have been known to hire “money mules” – people otherwise uninvolved in the operation – to cash out on their stolen assets.