Dragos Discloses ‘Failed Extortion Scheme’ By Cybercriminals That Accessed Onboarding Resources

Kyle Alspach

The industrial cybersecurity vendor says in a post that it’s aiming to help ‘de-stigmatize security events’ by disclosing the incident from earlier this week.

Dragos said Wednesday that while a cybercriminal group fell short of achieving its end goals after gaining access to some of the company’s internal onboarding resources for new employees, the industrial cybersecurity vendor opted to publicly disclose the incident in part to encourage others to do the same when they’re hit with a security incident.

The Hanover, Md.-based company disclosed the “cybersecurity event” in a blog post just two days after a “known cybercriminal group,” which was not identified, failed in its attempt to extort Dragos executives.

During the May 8 incident, the cybercriminal organization was able to access some resources for new Dragos sales employees in the company’s SharePoint and contract management systems, as well as a report associated with one customer, according to Dragos. The company said it has reached out to the potentially affected customer.

“No Dragos systems were breached, including anything related to the Dragos Platform,” the company said in the post.

The initial access came through the compromise of a new sales employee’s personal email address ahead of their start date, Dragos said.

The threat actor “subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process,” the company said.

The group has been known to launch ransomware attacks in the past, but “failed to gain control of a Dragos system and deploy ransomware,” Dragos said.

After that, the attackers “pivoted to attempting to extort Dragos to avoid public disclosure,” but the company “did not engage,” according to the post.

‘De-Stigmatizing’ Security Incidents

Dragos decided to publicly disclose the details of the “failed extortion scheme” for the sake of transparency, and out of “a commitment to providing educational material to the community,” the company said.

Additionally, “we want to share this experience with the community, describe how we prevented it from being much worse, and, hopefully, help de-stigmatize security events,” Dragos said.

CRN has reached out to Dragos for further comment.

Going forward, Dragos has instituted another verification step in its onboarding process to “ensure that this technique cannot be repeated,” the company said.

Notably, “every thwarted access attempt [during the attack] was due to multi-step access approval,” Dragos said — adding that it is now “evaluating expanding the use of this additional control based on system criticality.”

Kyle Alspach

Kyle Alspach is a Senior Editor at CRN focused on cybersecurity. His coverage spans news, analysis and deep dives on the cybersecurity industry, with a focus on fast-growing segments such as cloud security, application security and identity security. He can be reached at kalspach@thechannelcompany.com.
