
Dragos Says Ransomware Gang Accessed Limited Data but Failed at Extortion Scheme 

ICS cybersecurity vendor Dragos discloses breach and data theft but says ransomware group failed at elaborate extortion scheme.


Industrial cybersecurity vendor Dragos on Wednesday said a known ransomware group breached its defenses and accessed threat intel reports, a SharePoint portal and a customer support system but ultimately failed in an elaborate extortion scheme that included private messages to company executives.

Dragos, a well-capitalized startup in the ICS security space, said its internal security controls caught and limited the damage from the intrusion. The attack began when the criminal group compromised the personal email account of a new sales employee before their start date, then used the employee's personal information to impersonate them and complete the initial steps of the onboarding process.

“The group accessed resources a new sales employee typically uses in SharePoint and the Dragos contract management system. In one instance, a report with IP addresses associated with a customer was accessed, and we’ve reached out to the customer,” Dragos said in a statement documenting the incident.

The company published a timeline showing the hackers were active for just over 16 hours and accessed data including 25 Dragos intel reports normally available only to paying customers, as well as a contract management system.

Dragos said the unnamed ransomware actor also downloaded general-use data from the company's SharePoint and sent emails to company executives threatening to release the stolen data if the company refused to pay extortion demands.

“We investigated alerts in our corporate Security Information & Event Management (SIEM) and blocked the compromised account,” Dragos said, noting that its layered security controls prevented the threat actor from deploying ransomware in its network.

“They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure,” the company said.

“After they failed to gain control of a Dragos system and deploy ransomware, they pivoted to attempting to extort Dragos to avoid public disclosure.”
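The SIEM-driven containment Dragos describes, investigating alerts and then blocking the compromised account, is the kind of outcome a rule like the following is meant to produce. This is an added example, not Dragos's code or its actual alert logic: a toy detection over constructed SharePoint-style audit lines that flags an account created within the past week whose first day of activity includes bulk downloads of restricted intel reports. The log format, the field names, the `/sites/intel/reports/` path, the account names and the thresholds are all assumptions.

```python
"""Toy SIEM rule: new account + bulk download of restricted reports.

Added example, not Dragos's code or its real detection logic. All log
lines, account names, paths and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records in a SharePoint-like shape:
#   ISO-8601 UTC timestamp | account | action | resource path | source IP
SAMPLE_LOG = """\
2023-05-08T09:02:11Z|newhire1|UserLoggedIn|/sites/sales|203.0.113.10
2023-05-08T09:05:40Z|newhire1|FileDownloaded|/sites/intel/reports/rpt-001.pdf|203.0.113.10
2023-05-08T09:06:02Z|newhire1|FileDownloaded|/sites/intel/reports/rpt-002.pdf|203.0.113.10
2023-05-08T09:06:30Z|newhire1|FileDownloaded|/sites/intel/reports/rpt-003.pdf|203.0.113.10
2023-05-08T09:07:15Z|newhire1|FileDownloaded|/sites/intel/reports/rpt-004.pdf|203.0.113.10
2023-05-08T09:08:01Z|newhire1|FileDownloaded|/sites/intel/reports/rpt-005.pdf|203.0.113.10
2023-05-08T09:08:44Z|newhire1|FileDownloaded|/sites/intel/reports/rpt-006.pdf|203.0.113.10
2023-05-08T09:20:00Z|newhire1|FileDownloaded|/sites/contracts/acme-msa.docx|203.0.113.10
2023-05-08T10:10:00Z|veteran|FileDownloaded|/sites/intel/reports/rpt-003.pdf|198.51.100.5
2023-05-08T11:00:00Z|veteran|FileDownloaded|/sites/intel/reports/rpt-007.pdf|198.51.100.5
2023-05-08T13:30:00Z|newhire2|UserLoggedIn|/sites/sales|198.51.100.9
2023-05-08T13:45:00Z|newhire2|FileDownloaded|/sites/intel/reports/rpt-001.pdf|198.51.100.9
"""

# Constructed account-creation dates, as an identity system would export them.
ACCOUNT_CREATED = {
    "newhire1": datetime(2023, 5, 7),
    "newhire2": datetime(2023, 5, 6),
    "veteran": datetime(2021, 1, 15),
}


def parse_log(text):
    """Parse pipe-delimited audit lines into event dicts (naive UTC datetimes)."""
    events = []
    for line in text.strip().splitlines():
        ts, account, action, resource, ip = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "action": action,
            "resource": resource,
            "ip": ip,
        })
    return events


def new_account_bulk_report_access(events, created, *, new_account_days=7,
                                   window_hours=24, min_reports=5,
                                   report_prefix="/sites/intel/reports/"):
    """Return one alert per account that was created within `new_account_days`
    of its first observed activity AND downloaded at least `min_reports`
    distinct files under `report_prefix` within `window_hours` of that first
    activity. Accounts with no creation record are skipped (not alerted)."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        first_seen = evs[0]["ts"]
        created_at = created.get(account)
        if created_at is None or first_seen - created_at > timedelta(days=new_account_days):
            continue  # established account (or unknown): outside this rule's scope
        window_end = first_seen + timedelta(hours=window_hours)
        reports = {
            e["resource"] for e in evs
            if e["action"] == "FileDownloaded"
            and e["resource"].startswith(report_prefix)
            and e["ts"] <= window_end
        }
        if len(reports) >= min_reports:
            alerts.append({
                "account": account,
                "first_seen": first_seen,
                "reports": len(reports),
                "src_ips": sorted({e["ip"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in new_account_bulk_report_access(parse_log(SAMPLE_LOG), ACCOUNT_CREATED):
        print(alert)
```

On the constructed data only `newhire1` trips the rule (six distinct reports in its first hour); `veteran` is an established account and `newhire2` stays under the threshold. Thresholds like these must be tuned against a baseline of what a real new hire touches in week one. The stronger check the incident points to is comparing an account's first activity against the HR start date: any activity before the employee's first day is worth an alert on its own, independent of volume.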


Dragos said it chose not to engage with the criminals and ignored all attempts at communication, including WhatsApp messages that referenced family members of Dragos executives, despite the risk that the stolen data may be publicly released.

“The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable. However, it is our hope that highlighting the methods of the adversary will help others consider additional defenses against these approaches so that they do not become a victim to similar efforts,” the company said.

Related: U.S. Warns Sophisticated ICS/SCADA Malware Can Damage Critical Infrastructure

Related: New Dragos OT-CERT Provides Free Industrial Cybersecurity Resources

Related: Dragos Becomes First Industrial Cybersecurity Unicorn After Raising $200 Million

Related: Five Threat Groups Target Industrial Systems: Dragos


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
