Dragos Inc. disclosed a cyber attack in which a threat actor obtained some corporate data, though the vendor said it prevented attempts to infiltrate its network that would have likely resulted in a ransomware attack.
In a blog post on Wednesday, Dragos revealed it responded to an attack Monday where a threat actor affiliated with a known cybercriminal group unsuccessfully attempted to extort the company. While the industrial cybersecurity and operational technology vendor did not name the criminal group, it did provide a timeline, the initial attack vector and a series of alarming extortion messages.
According to the blog post, the threat actor obtained “general use data” in resources for new sales hires. When Dragos executives ignored payment demands sent by text message, the attackers reached out to family members and multiple publicly known Dragos contacts. They also contacted senior Dragos employees through personal emails.
Dragos said it did not engage in communications with the attackers, despite escalation. Targeting non-employees, particularly family, is a growing extortion tactic used by criminal groups to pressure victims into paying.
“A known TTP [tactics, techniques and procedures] of this criminal group is to deploy ransomware. After they failed to gain control of a Dragos system and deploy ransomware, they pivoted to attempting to extort Dragos to avoid public disclosure,” Dragos wrote in the blog. “The cybercriminal’s texts demonstrated research into family details as they knew names of family members of Dragos executives, which is a known TTP. However, they referenced fictitious email addresses for these family members.”
Dragos provided redacted screenshots of many of the text messages. They showed the attackers mentioned CISA and referred to the FBI’s Kaseya decryptor. One message stated, “They don’t care about you or your organization. Be like the hundreds of companies who’ve dealt with us appropriately.” Another message even included a photo, which shows the extent of the threat actor’s research, Dragos noted.
Dragos determined that the primary objective of the attack was to launch ransomware and said its layered security controls successfully prevented that stage of the attack. The vendor’s thorough activity logs, which “enabled rapid triage and containment,” were another contributing factor.
The blog post emphasized that no Dragos systems were breached, including anything related to the Dragos platform. It appears data was affected, however, and an investigation remains ongoing.
“The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable,” the blog post read.
Attack chain
The attack against Dragos began after the threat actor compromised the personal email account of a new sales employee prior to the employee’s start date and used that access to impersonate the employee during the initial steps of the onboarding process. Dragos said the group accessed the company’s SharePoint instance, which is broadly used by enterprises for file and data sharing, and its contract management system.
Dragos blocked the compromised account after investigating alerts in its corporate SIEM system. Subsequently, incident response and third-party monitoring, detection and response services were implemented. The blog post did not mention if law enforcement was contacted, but it did outline lessons Dragos learned.
First, to close off the same attack vector, the vendor implemented additional verification steps to increase security around its onboarding process. Dragos said it may also expand multi-step access approval to protect critical systems.
The blog also recommended that enterprises harden identity and access management infrastructures, apply the principle of least privilege to all systems and services, and apply explicit blocks for known bad IP addresses. Continuous monitoring with tested incident response playbooks was also encouraged.
Despite the extortion threats to non-employees, Dragos said it experienced a positive outcome that reinforced its decision not to engage or negotiate with cybercriminals. Targeting employees’ family members is a known TTP of the criminal group, as Dragos emphasized, and it appears the tactic will only increase in use.
Alexander Leslie, threat intelligence analyst at Recorded Future, said he has observed a diversification of TTPs. Threat actors are working to not only make ransomware business models more sustainable as ransom payments decrease, he explained, but also get media attention and spread fear.
“Ransomware is being destabilized as a commodified business, so they have to diversify,” he said. “There’s so many new laws going into place, ransomware detections are getting better and we’re better at understanding their playbook. Because we are getting better at defense, they are getting desperate.”
Arielle Waldman is a Boston-based reporter covering enterprise security news.