An attempted ransomware bid got personal this week for Dragos CEO Robert M. Lee when would-be extortionists, desperate to secure a payday, resorted to phoning his wife and 5-year-old son.
Lee and his company are known in industrial security circles for helping businesses in critical infrastructure mitigate cyberattacks. But the firm found itself on the receiving end of an extortion attempt after threat actors gained access to Dragos’ Sharepoint environment and contract management system.
Hackers claim they exfiltrated 130GB of data, including details of at least one government contract, but Dragos says internal systems, including the Dragos platform, were not impacted due to effective role-based access controls (RBAC). The company's data was not encrypted by the attackers, and it has not paid a ransom.
In the past, Lee has advised openness and transparency to destigmatize security incidents and on Wednesday Dragos stuck to that playbook, posting a detailed account of its own breach.
The incident began on Monday when an unnamed “known criminal group” gained access to select Dragos systems by compromising the personal email address of a new sales employee prior to their start date.
The group then impersonated the new employee and completed initial steps in the company’s onboarding process. The activity was eventually flagged in an alert from the company's Security Information & Event Management (SIEM) system, and the compromised account was blocked.
The company then contacted detection and incident response providers for a larger investigation.
“We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware,” the blog stated. “They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure.”
Dragos published a timeline of the incident showing that while the group was able to access the company’s SharePoint platform and contract management system, RBAC defeated their attempts to access other systems, including Dragos’ messaging, IT helpdesk, financial, request for proposal (RFP), employee recognition, and marketing systems.
From ransomware attempt to extortion threats
Eleven hours after the initial breach, and having failed to deploy ransomware, the group switched to attempting to extort the company by reaching out to its executives and threatening to publicly disclose the incident.
Lee told Bloomberg the hackers called his 5-year-old son on a phone the child used to communicate with his grandmother. The boy handed the phone to his mother, who hung up. The hackers called Lee’s wife in a separate call, he said.
“The criminals obviously grew frustrated because we never attempted to contact them. Paying was never an option,” Lee wrote on Twitter.
“They continued to call me, threaten my family, and the family of many of our employees by their names.”
Dragos’ post includes screenshots of WhatsApp messages sent to the executives which included references to REvil’s 2021 ransomware attack on Kaseya, when it was reported the FBI had access to the group’s encryption key for nearly three weeks before handing it over to Kaseya.
“[The FBI] don’t care about you or your organization. Be like the hundreds of companies who’ve deal [sic] with us appropriately,” one of the WhatsApp messages said.
The aftermath of the attack
Dragos said while its analysts and investigators believe the event was contained, an investigation is ongoing.
“The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable. However, it is our hope that highlighting the methods of the adversary will help others consider additional defenses against these approaches so that they do not become a victim to similar efforts.”
Bloomberg said it contacted a hacker via Telegram who claimed credit for the attack and described it as opportunistic. The hacker denied contacting Lee’s son but acknowledged reaching out to his wife and said 130GB of files had been stolen from the company.
“The hacker provided Bloomberg with a copy of a contract between Dragos and the 67th Cyberspace Wing of the U.S. Air Force outlining a research and development agreement. The six-page document outlines an agreement for Dragos to receive network information regarding the Department of Defense’s industrial control system environment.”
Lee confirmed to Bloomberg that the contract was legitimate.
Online malware repository VX-Underground posted on Twitter a screenshot of a Telegram channel that appeared to be operated by an actor involved in the attack. The actor denied there was any intention to deploy encryption malware and accused Dragos of attempting to downplay the incident.
Dragos said it had added an additional verification step to harden its onboarding process to ensure the technique could not be repeated.
“Every thwarted access attempt was due to multi-step access approval. We are evaluating expanding the use of this additional control based on system criticality. Positive outcomes further reinforce our resolve to not engage or negotiate with cybercriminals. Verbose system activity logs enabled the rapid triage and containment of this security event,” the company wrote.
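The controls the post credits with containing the intrusion (role-based access, a multi-step access approval in front of sensitive systems, and verbose activity logs that made triage fast) can be sketched in code. The following is an added example and is not code from Dragos or from the article; the role names, the system names, the `secops` approver and the denial threshold are all assumptions chosen for illustration.

```python
"""Added example (not Dragos' code): RBAC combined with a second-party approval
requirement for systems marked critical, plus a log-driven triage helper."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed role map: which roles may reach which systems (assumed names).
ROLE_PERMISSIONS: Dict[str, set] = {
    "new_hire": {"sharepoint", "contract_mgmt"},
    "it_admin": {"sharepoint", "contract_mgmt", "helpdesk", "messaging"},
    "finance": {"financial", "sharepoint"},
}

# Systems that additionally require approval from someone other than the requester.
CRITICAL_SYSTEMS = {"financial", "helpdesk", "messaging", "rfp"}


@dataclass
class AccessRequest:
    user: str
    role: str
    system: str
    approvals: List[str] = field(default_factory=list)  # approver identities


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: AccessRequest, log: List[dict]) -> Decision:
    """Apply RBAC first, then the multi-step approval gate for critical systems.
    Every decision, allowed or denied, is appended to `log` with its reason."""
    permitted = ROLE_PERMISSIONS.get(req.role, set())
    if req.system not in permitted:
        decision = Decision(False, "rbac: role lacks permission")
    elif req.system in CRITICAL_SYSTEMS:
        independent = [a for a in req.approvals if a != req.user]
        if not req.approvals:
            decision = Decision(False, "approval required")
        elif not independent:
            decision = Decision(False, "self-approval rejected")
        else:
            decision = Decision(True, f"approved by {','.join(independent)}")
    else:
        decision = Decision(True, "rbac: permitted, non-critical system")

    # Verbose record: who asked for what, under which role, and why it was decided.
    log.append({"user": req.user, "role": req.role, "system": req.system,
                "allowed": decision.allowed, "reason": decision.reason})
    return decision


def triage(log: List[dict], threshold: int = 2) -> Dict[str, List[str]]:
    """Summarize denied attempts per user and return those at or above the threshold,
    the pattern an account probing several systems in a row would leave behind."""
    denied: Dict[str, List[str]] = {}
    for entry in log:
        if not entry["allowed"]:
            denied.setdefault(entry["user"], []).append(entry["system"])
    return {user: systems for user, systems in denied.items() if len(systems) >= threshold}


def run_demo() -> Dict[str, List[str]]:
    """Constructed sequence: a new-hire account probing beyond its role, and an admin
    reaching a critical system only once an independent approver signs off."""
    log: List[dict] = []
    evaluate(AccessRequest("alice", "new_hire", "sharepoint"), log)
    evaluate(AccessRequest("alice", "new_hire", "financial"), log)
    evaluate(AccessRequest("alice", "new_hire", "helpdesk"), log)
    evaluate(AccessRequest("bob", "it_admin", "helpdesk"), log)
    evaluate(AccessRequest("bob", "it_admin", "helpdesk", approvals=["bob"]), log)
    evaluate(AccessRequest("bob", "it_admin", "helpdesk", approvals=["secops"]), log)
    for entry in log:
        print(entry)
    return triage(log)


if __name__ == "__main__":
    print("flagged:", run_demo())
```

The order of the checks matters: the role check runs before the approval gate, so a compromised low-privilege account is refused outright rather than being allowed to generate approval requests against systems its role should never see, and the log records the specific reason so a responder can tell a permission gap from a missing approval at a glance.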
Lee said on Twitter the new staff member whose personal email address was compromised “will absolutely be one of our valued employees (when they get their accounts back). We don’t blame victims at Dragos and no one else should either.”