Dragos Discloses ‘Failed Extortion Scheme’ By Cybercriminals That Accessed Onboarding Resources

The industrial cybersecurity vendor says in a post that it’s aiming to help ‘de-stigmatize security events’ by disclosing the incident from earlier this week.

Dragos said Wednesday that a cybercriminal group gained access to some of the company's internal onboarding resources for new employees but fell short of its end goals. The industrial cybersecurity vendor opted to publicly disclose the incident in part to encourage others to do the same when they are hit with a security incident.

The Hanover, Md.-based company disclosed the “cybersecurity event” in a blog post just two days after a “known cybercriminal group,” which was not identified, failed in its attempt to extort Dragos executives.

[Related: CrowdStrike: More Cybercriminals Ditching Ransomware To Focus On Data Extortion]


During the May 8 incident, the cybercriminal organization was able to access some resources for new Dragos sales employees in the company’s SharePoint and contract management systems, as well as a report associated with one customer, according to Dragos. The company said it has reached out to the potentially affected customer.

“No Dragos systems were breached, including anything related to the Dragos Platform,” the company said in the post.

The initial access came through the compromise of a new sales employee’s personal email address ahead of their start date, Dragos said.

The threat actor “subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process,” the company said.

The group has been known to launch ransomware attacks in the past, but “failed to gain control of a Dragos system and deploy ransomware,” Dragos said.

After that, the attackers “pivoted to attempting to extort Dragos to avoid public disclosure,” but the company “did not engage,” according to the post.

‘De-Stigmatizing’ Security Incidents

Dragos decided to publicly disclose the details of the “failed extortion scheme” for the sake of transparency, and out of “a commitment to providing educational material to the community,” the company said.

Additionally, “we want to share this experience with the community, describe how we prevented it from being much worse, and, hopefully, help de-stigmatize security events,” Dragos said.

In an email to CRN, Dragos CISO Steve Applegate wrote that “organizations have understandably been concerned about reputational damage from security events, and this can cause them to withhold security information that could benefit the broader community.”

“As cyberattacks grow in sophistication and number, there needs to be an attitudinal shift toward transparency and collaboration,” Applegate wrote.

Going forward, Dragos has instituted another verification step in its onboarding process to “ensure that this technique cannot be repeated,” the company said in the blog post Wednesday.

Notably, “every thwarted access attempt [during the attack] was due to multi-step access approval,” Dragos said — adding that it is now “evaluating expanding the use of this additional control based on system criticality.”