Earlier this week, a known cybercriminal group unsuccessfully attempted to launch an extortion attack against Dragos, the industrial cybersecurity firm said on Wednesday.
The cybercriminal group impersonated a newly hired employee in order to gain access to some general resources available to new Dragos sales employees, 25 Dragos intel reports (normally available to customers) and its contract management system. However, the group failed to breach the firm’s internal network and was not able to launch ransomware. Its subsequent attempt to extort Dragos was also unsuccessful, said the company.
“No Dragos systems were breached, including anything related to the Dragos Platform,” according to Dragos in a Wednesday statement. “We want to share this experience with the community, describe how we prevented it from being much worse, and, hopefully, help de-stigmatize security events.”
According to Dragos, on Monday the group started the attack by compromising the personal email address of an incoming sales employee before the new hire started with the company. The group then used the new hire's personal information to impersonate the employee and complete several initial steps of the employee onboarding process.
“The group accessed resources a new sales employee typically uses in SharePoint and the Dragos contract management system,” said Dragos. “In one instance, a report with IP addresses associated with a customer was accessed, and we’ve reached out to the customer.”
The actor also unsuccessfully attempted to access various systems, including the Dragos messaging system, IT helpdesk system, Dragos financial system, Dragos RFP system, employee recognition system, marketing system and sales leads. However, these attempts were blocked by role-based access control measures. While the group was also able to access the Dragos customer support system, it could not access any data there, again because of these role-based access control measures.
After the group failed to take over a Dragos system and deploy ransomware, it attempted to extort Dragos to avoid public disclosure by sending various messages to publicly known contacts of executives. These messages put pressure on the executives by including references to their family members and contacts, showing that the group had done a fair amount of research before launching the attack. However, Dragos said it did not engage with the cybercriminals. All in all, it took over 16 hours from when the attack began until Dragos disabled the user account, revoked all sessions and blocked the criminal infrastructure from accessing Dragos resources.
Dragos did not disclose the cybercriminal group, only saying that the group wasn’t new and that known TTPs of the group include deploying ransomware and researching family details of targets. The firm said that it has added more verification steps to its onboarding process. It also noted that several of the threat actor's attempts failed because of multi-step access approval, and the company is looking into expanding the use of this approval process.
Dragos is a major player in the industrial control system security space that offers a cybersecurity platform for operational technology and a global threat intelligence and analytics sharing program for smaller providers. Critical infrastructure overall has been a major target for ransomware groups, as seen by the high-profile Colonial Pipeline hack. Per Dragos’ own “Year in Review” report, 605 ransomware attacks were tracked against industrial organizations in 2022, an 87 percent jump from the previous year.
“While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation,” according to the firm. “The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable. However, it is our hope that highlighting the methods of the adversary will help others consider additional defenses against these approaches so that they do not become a victim to similar efforts.”