Industrial cybersecurity vendor Dragos on Wednesday said a known ransomware group breached its defenses and accessed threat intel reports, a SharePoint portal and a customer support system but ultimately failed in an elaborate extortion scheme that included private messages to company executives.
Dragos, a well-capitalized startup in the ICS security space, said its internal security controls caught and limited the damage from the intrusion. The attack began when the criminal group compromised the personal email account of a new sales employee before their start date, then used the employee's personal information to impersonate them and complete initial steps of the employee onboarding process.
“The group accessed resources a new sales employee typically uses in SharePoint and the Dragos contract management system. In one instance, a report with IP addresses associated with a customer was accessed, and we’ve reached out to the customer,” Dragos said in a statement documenting the incident.
The company published a timeline showing the attackers were active for just over 16 hours, during which they accessed 25 Dragos intel reports normally available only to paying customers, along with the contract management system.
Dragos said the unnamed ransomware actor also downloaded general use data from the company’s SharePoint and sent emails to company executives threatening to release the stolen data if the company refused to pay extortion demands.
“We investigated alerts in our corporate Security Information & Event Management (SIEM) and blocked the compromised account,” Dragos said, noting that its layered security controls prevented the threat actor from deploying ransomware in its network.
“They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure,” the company said.
“After they failed to gain control of a Dragos system and deploy ransomware, they pivoted to attempting to extort Dragos to avoid public disclosure.”
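As an added illustration (not code from the original article or from Dragos), the following Python sketches the kind of SIEM logic that would surface the pattern described above: a freshly provisioned account pulling an unusual number of distinct documents within hours of creation, or showing activity before the employee's HR start date. The audit-log format, the `HR_ROSTER`, the usernames and the document paths are all constructed for the example and are not from the incident.

```python
"""Added example, not Dragos's code: detect a newly provisioned account that
bulk-reads documents right after creation or acts before its HR start date.
The log format, roster and all identifiers below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster: account -> HR start date (hypothetical data).
HR_ROSTER = {
    "jdoe": datetime(2023, 5, 10),   # new hire, not yet started
    "asmith": datetime(2023, 4, 1),  # established employee
}

# Constructed SharePoint/CMS audit lines: "<iso-timestamp> <user> <action> <resource>".
SAMPLE_LOG = """\
2023-05-08T09:12:03 jdoe AccountProvisioned -
2023-05-08T09:20:11 jdoe FileDownloaded /intel/report-001.pdf
2023-05-08T09:21:40 jdoe FileDownloaded /intel/report-002.pdf
2023-05-08T09:23:05 jdoe FileDownloaded /intel/report-003.pdf
2023-05-08T09:25:52 jdoe FileDownloaded /intel/report-004.pdf
2023-05-08T09:31:17 jdoe FileDownloaded /contracts/customer-a.pdf
2023-05-08T09:44:09 jdoe FileDownloaded /contracts/customer-b.pdf
2023-05-08T10:05:00 asmith FileDownloaded /sales/quote-template.docx
"""


def parse_log(text):
    """Parse the constructed audit format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource})
    return events


def find_suspicious_new_hires(events, roster, window=timedelta(hours=24), threshold=5):
    """Return {user: [reasons]} for accounts matching either signal:
    (1) >= threshold distinct downloads within `window` of provisioning;
    (2) any non-provisioning activity before the HR start date."""
    provisioned = {}
    downloads = defaultdict(set)
    first_activity = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        u = e["user"]
        if e["action"] == "AccountProvisioned":
            provisioned[u] = e["ts"]  # HR/IT creating the account is expected
            continue
        first_activity.setdefault(u, e["ts"])
        if e["action"] == "FileDownloaded":
            created = provisioned.get(u)
            if created is not None and e["ts"] - created <= window:
                downloads[u].add(e["resource"])

    findings = {}
    for u, docs in downloads.items():
        if len(docs) >= threshold:
            findings.setdefault(u, []).append(
                f"{len(docs)} distinct documents within {window} of provisioning")
    for u, ts in first_activity.items():
        start = roster.get(u)
        if start is not None and ts < start:
            findings.setdefault(u, []).append(
                f"activity at {ts.isoformat()} before HR start date {start.date()}")
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious_new_hires(parse_log(SAMPLE_LOG), HR_ROSTER).items():
        print(user, "->", "; ".join(reasons))
```

The two signals are deliberately independent: a legitimate new hire who starts early may trip the start-date check alone, while an account that is used within the first day to read dozens of customer reports trips the volume check even if the start date is in the past, so either alone is worth an alert and both together is the profile described in this incident.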
Dragos said it chose not to engage with the actor and ignored all attempts at communication, despite the risk that the stolen data may be publicly released. The group made multiple attempts to make contact, including WhatsApp messages that referenced family members of Dragos executives.
“The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable. However, it is our hope that highlighting the methods of the adversary will help others consider additional defenses against these approaches so that they do not become a victim to similar efforts,” the company said.