
Cyber Incident Victim: Dragos

Date:

May 2023

Location:

United States of America

Summary

A cybercriminal group attempted an extortion scheme against industrial cybersecurity firm Dragos by first compromising the personal email of a new sales employee. Using this access, the actors impersonated the employee to infiltrate the corporate SharePoint and contract management system, exfiltrating general use data and some customer intelligence reports. Their attempts to breach core internal systems and deploy ransomware were thwarted by layered security controls and role-based access. The attackers then escalated to extortion attempts, including threats to executives and their families, which the company did not engage with.

CIA Posture: Available to members

Motives: 1 motive (details available to members)

Tactics, Techniques & Procedures: 2 techniques (details available to members)

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

On May 8, 2023, the industrial cybersecurity company Dragos experienced a cybersecurity event initiated by a known cybercriminal group. The incident began when the threat actors compromised the personal email address of a new sales employee prior to their official start date at the company. Utilizing the personal information obtained from this compromise, the actors successfully impersonated the Dragos employee. This impersonation allowed them to complete initial steps in the company's employee onboarding process, thereby gaining unauthorized access to corporate resources. The primary point of entry was through Dragos's SharePoint cloud service and its contract management system.


During their access, which lasted approximately 16 hours, the threat actors downloaded what was described as "general use data." They also accessed 25 intelligence reports that are typically restricted and available only to Dragos customers. In one specific instance, a report containing IP addresses associated with a particular customer was accessed; Dragos subsequently reached out directly to inform this customer of the breach. The attackers attempted to move laterally from their initial access point to other critical internal systems. Their efforts targeted multiple Dragos systems, including its messaging platform, IT helpdesk, financial systems, request for proposal (RFP) system, employee recognition system, and marketing systems. However, these attempts to gain further access and escalate privileges were unsuccessful. The company's role-based access control (RBAC) rules effectively prevented the threat actors from breaching these additional areas of the network.

Approximately 11 hours into the attack, after failing to achieve deeper network penetration, the cybercriminal group shifted their strategy to extortion. They sent an extortion email to Dragos executives. This message was not read immediately as it was sent outside of business hours. It was reviewed five hours after it was sent. Within five minutes of the email being read, Dragos security personnel took decisive containment actions. They disabled the compromised user account, revoked all active sessions associated with that account, and blocked the cybercriminals' infrastructure, including specific IP addresses, from accessing any company resources.

Following the initial extortion attempt, the threat actors escalated their efforts to pressure the company. They sent messages via public contact forms and to the personal email addresses of Dragos executives and senior employees. These messages included threats to publicly disclose the incident. The extortion tactics intensified as the actors began to reference the names of family members of Dragos executives and senior employees, demonstrating they had conducted research into their personal lives. However, the email addresses they provided for these family members were fictitious. The criminals also placed phone calls and sent texts to continue their threats. Throughout this escalation, Dragos maintained a firm policy of not engaging with the threat actors. Company leadership stated that paying the extortion demand was never considered an option.

Dragos initiated its incident response procedures promptly upon detection. The investigation began with an analysis of alerts within the company's corporate Security Information and Event Management (SIEM) system. The company activated its incident response retainer with the cybersecurity firm CrowdStrike and engaged its third-party Monitoring, Detection, and Response (MDR) provider to manage the response efforts. An external incident response firm, alongside internal Dragos analysts, assessed that the event was contained. The investigation was noted as ongoing. The company expressed confidence that its layered security controls prevented the threat actors from achieving their primary objective, which was believed to be the deployment of ransomware within the network. The security measures also prevented lateral movement, privilege escalation, the establishment of persistent access, and any changes to the infrastructure.

The company acknowledged that some data was lost and was likely to be made public due to the decision not to pay the extortion demand. This data consisted of the general use information and the 25 intelligence reports downloaded from the SharePoint and contract management systems. The primary impact was considered to be reputational and a violation of customer trust regarding the accessed reports, rather than an operational network breach. Dragos emphasized that no systems related to its core Dragos Platform cybersecurity product were breached at any point during the incident.

In the aftermath, Dragos identified specific Indicators of Compromise (IOCs) associated with the attack. These included two IP addresses: 144.202.42.216 and 162.33.179.126. The IP address 144.202.42.216 had been previously observed by security researchers hosting tools commonly associated with ransomware operations, such as SystemBC malware and the Cobalt Strike penetration testing framework. This particular IP has been linked to numerous ransomware groups, including Conti, ViceSociety, BlackCat, Quantum, Zeppelin, and Play. Some researchers also noted its use in recent BlackBasta ransomware attacks. The threat actors used the email address [email protected] for communication purposes. As a direct lesson learned from the event, Dragos implemented an additional verification step to harden its employee onboarding process and prevent a repeat of the impersonation technique used in this attack. The company also highlighted the critical role that verbose system activity logs played in enabling the rapid triage and containment of the security event.
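The containment steps described above (disable the account, revoke its sessions, block the attacker IPs) are easy to drive from the kind of verbose sign-in logs the page credits with enabling rapid triage. The following is an added example, not Dragos's tooling: it checks constructed sign-in events against the two IOC IP addresses the page lists, measures the observed activity window, and derives the containment actions. The log field layout and the account name `new-hire` are assumptions.

```python
"""Triage constructed sign-in events against the IOC IPs cited on the page."""
from datetime import datetime

# The two IP addresses the page names as IOCs.
IOC_IPS = {"144.202.42.216", "162.33.179.126"}

# Constructed sample events: (timestamp, account, source_ip, resource).
# Times and resources are illustrative, not taken from the incident.
SAMPLE_EVENTS = [
    ("2023-05-08T01:05:00", "new-hire", "144.202.42.216", "sharepoint"),
    ("2023-05-08T01:20:00", "new-hire", "144.202.42.216", "contracts"),
    ("2023-05-08T03:40:00", "analyst1", "10.1.2.3", "sharepoint"),
    ("2023-05-08T09:10:00", "new-hire", "162.33.179.126", "helpdesk"),
    ("2023-05-08T16:50:00", "new-hire", "162.33.179.126", "finance"),
]


def triage(events, ioc_ips=IOC_IPS):
    """Return the events from IOC IPs, the accounts they used, the resources
    touched, the activity window in hours, and the containment actions."""
    hits = [e for e in events if e[2] in ioc_ips]
    if not hits:
        return {"hits": [], "accounts": set(), "resources": set(),
                "window_hours": 0.0, "actions": []}
    times = sorted(datetime.fromisoformat(e[0]) for e in hits)
    window = (times[-1] - times[0]).total_seconds() / 3600
    accounts = {e[1] for e in hits}
    resources = {e[3] for e in hits}
    ips = {e[2] for e in hits}
    # Mirror the containment sequence the page describes.
    actions = [f"disable account {a}" for a in sorted(accounts)]
    actions += [f"revoke sessions for {a}" for a in sorted(accounts)]
    actions += [f"block ip {ip}" for ip in sorted(ips)]
    return {"hits": hits, "accounts": accounts, "resources": resources,
            "window_hours": round(window, 2), "actions": actions}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(f"{len(result['hits'])} IOC hits over {result['window_hours']} h")
    for action in result["actions"]:
        print("  ", action)
```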

Sources

2 sources (available to members)