Dragos Reveals a Security Incident & Failed Extortion Attempt
Category: Data Breach | Industry: Technology | Level: Strategic | Source: Dragos
Dragos, an industrial cybersecurity company, has revealed a "cybersecurity event" in which a cybercrime gang attempted to breach its defenses and infiltrate the internal network with the intention of encrypting devices for extortion. According to Dragos, the incident occurred on May 8th, 2023, and did not result in any breach of Dragos systems or the Dragos Platform. Dragos' statement includes a detailed and transparent incident timeline, spanning under 16.5 hours from the initial incident to Dragos' forensic investigation and containment.
The attack reportedly originated from the compromise of an email account associated with a new hire at Dragos, and the attackers managed to access data stored on SharePoint, 25 public intel reports, a customer support system, and a contract management system. However, Dragos' implementation of role-based access controls prevented the attackers from reaching sensitive systems such as those containing customer and financial data. Specifically, the employee recognition, financial, sales, and marketing systems were inaccessible to the attackers. Without control of Dragos' systems, the attackers could not deploy ransomware and instead turned their attention to extortion attempts against Dragos executives.
Dragos executives did not respond to any of the attackers' messages, even under the pressure the attackers exerted by demonstrating that they had researched and knew about some of the executives' family members. Five hours after the extortion messages were sent, Dragos responded to the incident by disabling the compromised new hire account, launching their investigation, and blocking access from the cybercriminals' infrastructure. "We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware. They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure," said Dragos. Although Dragos is confident in the containment of the incident, their investigation is ongoing and new updates may be released.