Dragos faced ‘failed extortion scheme’ by known cybercriminal group, though its systems were not breached

Industrial cybersecurity vendor Dragos announced that a known cybercriminal group attempted and failed at an extortion scheme against the company on Sunday. It also disclosed that ‘no Dragos systems were breached, including anything related to the Dragos Platform,’ and that its investigation is ongoing, and ‘will reach out directly if we learn of additional effects on our customers.’

“The criminal group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process,” Dragos said in a Wednesday blog post. “The group accessed resources a new sales employee typically uses in SharePoint and the Dragos contract management system. In one instance, a report with IP addresses associated with a customer was accessed, and we’ve reached out to the customer.”

The Hanover, Maryland-headquartered company investigated alerts in its corporate Security Information & Event Management (SIEM) and blocked the compromised account. “We promptly activated our incident response retainer with a leading service provider and engaged our third-party Monitoring, Detection & Response (MDR) provider to manage incident response efforts. We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware,” it added. 

Commenting on the incident, Robert Lee, Dragos’ CEO and co-founder, wrote in a series of Twitter messages that “I appreciate everyone’s support on our security event. Not to make light of it but I’m proud of our security team for stopping the criminals at a single onboarding employee’s email account. No internal systems were compromised. No criminals paid. Transparency and defense can win.”

“The criminals obviously grew frustrated because we never attempted to contact them. Paying was never an option. They continued to call me, threaten my family, and the family of many of our employees by their names. We hope sharing this can help other organizations prepare,” Lee added. 

He also clarified that “to be clear the person who’s personal email address was compromised before they started onboarding at Dragos will absolutely be one of our valued employees (when they get their accounts back). We don’t blame victims at Dragos and no one else should either.”

In its post, Dragos added that the hackers were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure. It revealed that a known TTP (tactics, techniques, and procedures) of this criminal group is to deploy ransomware. “After they failed to gain control of a Dragos system and deploy ransomware, they pivoted to attempting to extort Dragos to avoid public disclosure,” it added. 

The post added that the next activity was to expand tactics to include references to family members and contacts. “The cybercriminal continued to escalate their messages, Dragos did not engage. The cybercriminal continued reaching out to multiple publicly known Dragos contacts to elicit a response.”

Dragos also added that the cybercriminal’s texts demonstrated research into family details as they knew the names of family members of Dragos executives, which is a known TTP. “However, they referenced fictitious email addresses for these family members. In addition, during this time, the cybercriminal contacted senior Dragos employees via personal email.” 

The company’s decision ‘was that the best response was to not engage with the criminals.’

While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation, the post disclosed. “The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable. However, it is our hope that highlighting the methods of the adversary will help others consider additional defenses against these approaches so that they do not become a victim to similar efforts,” it added.

The disclosure is part of Dragos’ culture of transparency and a commitment to providing educational material to the community. “This is why it’s important to us to share what happened during a recent failed extortion scheme against Dragos in which a cybercriminal group attempted to compromise our information resources. We want to share this experience with the community, describe how we prevented it from being much worse, and, hopefully, help de-stigmatize security events,” the company added.

In response to this event, Dragos said that it “added an additional verification step to further harden our onboarding process and ensure that this technique cannot be repeated. Every thwarted access attempt was due to multi-step access approval. We are evaluating expanding the use of this additional control based on system criticality. Positive outcomes further reinforce our resolve to not engage or negotiate with cybercriminals. Verbose system activity logs enabled the rapid triage and containment of this security event,” it added.

Commenting on the incident, Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security (DHS), wrote in a statement that “while there were no impacts to customers, this is a clear-cut example on how to isolate, mitigate, recover, and disclose. Oftentimes, companies will go silent, circle the wagons, and refuse to be forthcoming when faced with a security concern. With nation-state adversaries targeting the vendor communities that serve critical infrastructure, this transparency model is one for others to emulate when faced with an issue.”

Zeroing in on the published IOCs, one of the listed IP addresses (144.202.42[.]216) was previously spotted hosting SystemBC malware and Cobalt Strike, both commonly used by ransomware gangs for remote access to compromised systems.

Will Thomas, a CTI researcher from Equinix, told BleepingComputer that SystemBC has been used by numerous ransomware gangs, including Conti, Vice Society, BlackCat, Quantum, Zeppelin, and Play, making it hard to pinpoint what threat actor is behind the attack. He added that the IP address has also been seen used in recent BlackBasta ransomware attacks, possibly narrowing down the suspects.

Dragos recommends hardening identity and access management infrastructure and processes, implementing separation of duties across the enterprise, applying the principle of least privilege to all systems and services, and implementing multi-factor authentication everywhere feasible. It also suggests applying explicit blocks for known bad IP addresses, scrutinizing incoming emails for typical phishing triggers, including the email address, URL, and spelling; and ensuring continuous security monitoring is in place, with tested incident response playbooks.
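The controls the article credits with containing the event (verbose activity logs, multi-step access approval for a not-yet-started hire, and an explicit block on the known bad IP from the IOCs) can be expressed as simple triage rules over SIEM output. The following is an added illustration, not Dragos' code: the log format, the onboarding policy (`PRE_START_ALLOWED`, `NEEDS_APPROVAL`), the user name and the sample lines are all constructed; only the blocklisted IP comes from the article.

```python
import re
from dataclasses import dataclass
from datetime import date

# Explicit block for a known bad IP; this one is the IOC quoted in the article.
BLOCKED_IPS = {"144.202.42.216"}
# Hypothetical onboarding policy: before the start date an account may only reach these apps.
PRE_START_ALLOWED = {"hr-portal"}
# Hypothetical set of actions that must carry a recorded multi-step approval.
NEEDS_APPROVAL = {"download", "export"}

# Constructed SIEM-style line format, e.g.
# 2023-01-02T13:02:11Z user=jdoe src=203.0.113.9 app=sharepoint action=download approved=no
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) app=(?P<app>\S+) "
    r"action=(?P<action>\S+) approved=(?P<approved>yes|no)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    reason: str

def parse_line(line: str):
    """Return the event fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines, start_dates, today: date):
    """Apply the three checks to every parsable line and return the alerts raised."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # verbose logs may contain lines in other formats; skip them
        if ev["ip"] in BLOCKED_IPS:
            alerts.append(Alert(ev["ts"], ev["user"], f"blocklisted source {ev['ip']}"))
        start = start_dates.get(ev["user"])
        if start is not None and today < start and ev["app"] not in PRE_START_ALLOWED:
            alerts.append(Alert(ev["ts"], ev["user"], f"pre-start access to {ev['app']}"))
        if ev["action"] in NEEDS_APPROVAL and ev["approved"] == "no":
            alerts.append(Alert(ev["ts"], ev["user"], f"unapproved {ev['action']} on {ev['app']}"))
    return alerts

# Constructed sample: a benign HR-portal visit, then a pre-start SharePoint download from the IOC IP.
SAMPLE_LOGS = [
    "2023-01-02T09:10:00Z user=newhire src=198.51.100.4 app=hr-portal action=view approved=yes",
    "2023-01-02T13:02:11Z user=newhire src=144.202.42.216 app=sharepoint action=download approved=no",
    "not a log line",
]
SAMPLE_START_DATES = {"newhire": date(2023, 1, 16)}  # constructed: the account starts two weeks later

def run_sample():
    """Triage the constructed sample as of the (constructed) day of the activity."""
    return triage(SAMPLE_LOGS, SAMPLE_START_DATES, date(2023, 1, 2))
```

Running `run_sample()` yields three alerts, all on the second line, which is the kind of overlap (bad source, out-of-policy resource, missing approval) that justifies blocking the account before a human finishes reading the ticket.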

In February, Dragos revealed data that showed that ransomware attacks on industrial infrastructure organizations nearly doubled in 2022, with over 70 percent of all ransomware activity focused on manufacturing. Hackers also continue to broadly target many manufacturing sectors and subsectors. As ransomware activity increases, it results in more risk for OT (operational technology) networks, particularly networks with poor segmentation.