Wider threat campaign behind Wipro breach

Security researchers have uncovered a large gift card-motivated campaign that targets victims with commercially available and Open Source marketing tools to launch phishing attacks.

Reports of the attack first emerged when Krebs on Security reported that attackers had compromised the IT systems of Indian IT services firm Wipro and were using them to launch attacks against some of its customers.

However, this attack is far from being an isolated incident, according to the latest threat intelligence report from RiskIQ. 

The report shows that the campaign is actually a highly-targeted and well-orchestrated operation with a reach that far exceeds the compromised infrastructure of Wipro, and involves a long list of targets dating back to 2016.

Although attribution cannot be confirmed, the group’s numerous concurrent attacks display hallmarks of some state-sponsored activity such as precision, organisation, and what appears to be a financial motive.

Infrastructure overlap in passive DNS, WHOIS, and SSL certificate data sets, the report said, enabled RiskIQ researchers to profile this group and identify its infrastructure.

“With RiskIQ’s data-collection grid and unique external view of threat actor operations, we could piece together a more complete picture of this group and their attack campaigns, tools, and possible motives,” said Yonathan Klijnsma, head researcher at RiskIQ.

“The sheer scale of the infrastructure involved in this campaign and the concerted effort to attack so many different organisations at once is both impressive and disturbing,” he said.

The report shows that the threat group used widely used email marketing and analytics tools to create effective email phishing campaigns and appear legitimate to targets’ network security.

The group mainly targets major gift card retailers, distributors and card processors. With access to this gift card infrastructure, the attackers use money transfer services, clearinghouses, and other payment processing institutions to get money out.

One of the PowerShell scripts used by the group, BabySharkPro, has previously been associated with North Korean threat activity. However, RiskIQ said this may have been a false flag put in place to mislead researchers.

Subsequent attacks on IT infrastructure organisations such as Wipro, the report said, represent broader targeting by the threat group likely in an attempt to widen its reach.

The report notes that while the threat actor group’s use of open-source tooling allowed them to scale their operations while limiting analysts ability to easily attribute activity to a known actor group based on tool reuse, the analysis by RiskIQ highlights how organisations can build off of a small set of network-based indicators or compromise (IOCs) to derive context about an adversary and their attack campaigns, the scope of their activity, and the overarching impact of the adversary’s overall operations.

“Using a multitude of data sets and pivot points, analysts can gain a broader knowledge of adversary infrastructure,” the report said.