Dragos Security Event
A cybercriminal group gained access to Dragos sales resources on May 7, 2023. Below is the breakdown of what occurred & how we responded.
On May 7, 2023, a cybercriminal group gained access to Dragos sales resources by compromising the personal email address of a new sales employee prior to joining Dragos. The criminal used that email to impersonate the Dragos user and start the employee onboarding process, giving them unauthorized access to a contract management system and sales enablement resources.
Due to our layered security approach, the criminals were not able to move beyond that unauthorized access; they attempted to move laterally into Dragos internal systems and were unsuccessful. As part of our established incident response plan, we activated our incident response retainer with CrowdStrike, a recognized leader in IT incident response, to bring in their expertise and resources.
The investigation indicates that the Dragos Platform was not impacted, no privileged accounts were compromised, and the incident was contained to a single Dragos sales employee’s email account. CrowdStrike provided third-party validation that the incident was contained.
The criminal group did gain access to the Dragos contract management system, as well as certain files in a sales team SharePoint. We’ve worked quickly to identify the specific information accessed and to proactively communicate with our customers, both impacted and not impacted. Within 48 hours, we published a blog that outlines the sequence of events and provides the indicators of compromise and TTPs we observed. The information on that blog is limited because the criminal was stopped at a single employee email account. We’ve chosen to be transparent about this event, as is a core tenet of our company’s culture, in hopes that this information is useful to other companies in protecting against the initial access vector that the criminal used.
If you are a Dragos customer who has questions, please contact us at firstname.lastname@example.org.
Successful Access of Some Sales Information, A Failed Ransomware/Extortion Event
No company, especially a cybersecurity company, wishes to fall prey to these compromises. We take great care in instrumenting our security architecture, managing an aggressive security program, and training our employees. No approach can protect against every compromise, but ours minimized the impact of the event significantly.
Specifically, the criminal group gained access to Dragos sales resources by compromising the personal email address of a new sales employee prior to their start date. The criminal group subsequently used the new employee’s personal information to impersonate the Dragos user and complete the initial steps of the employee onboarding process. The criminal group then accessed certain resources a new sales employee typically uses in SharePoint and the Dragos contract management system. In at least one instance, a report with IP (Internet Protocol) addresses associated with a customer was accessed; we worked directly with that customer to review the information and evaluate the associated risk. What happened next was an example of the extreme nastiness of criminal gangs and their tactics.
The group pivoted from their original plan of ransom to a new strategy of extortion. Using external resources and open-source information, the group identified key executives, obtained their mobile numbers, viewed public social accounts, identified family members, and located the mobile numbers of those family members. The group sent numerous threatening messages and calls to executives and family members demanding a response and payment not to release information they had accessed, all while exaggerating claims of what they had accessed. These actions demonstrate a process of rapid research and aggressive tactics of intimidation. Details on this can be found on our blog, Deconstructing a Cyber Event.
The intimidation failed. No one contacted the criminals, and no extortion payment was made. Our system logs told us exactly what was accessed, we brought in outside response expertise, and we moved quickly to communicate the situation to our customers. As we described in the summary, the investigation indicated that no customer systems were impacted, no privileged accounts were compromised, and the incident was contained to a single sales account.
Criminal Claims vs. The Reality
The criminals claimed to have accessed 130 GB of data. We do not dispute this, but there is important context missing from the claim. The contract management system saves a copy of each contract and its accompanying files with every revision and every forward. There are often dozens or more copies of the same contract in the system, so the volume can reach 130 GB while containing far less unique data.
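When assessing a claimed data volume like the one above, the practical question is how much distinct content the raw byte count actually represents. The following script is an added example, not Dragos or CrowdStrike code, and the contract files it builds are constructed sample data: it hashes every file under a directory, sums raw bytes against the bytes of distinct content, and reports the inflation factor that revision and forwarding copies introduce.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def content_hash(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file's bytes, read in chunks so large exports are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def measure_unique(root: Path) -> dict:
    """Walk root and compare raw bytes with bytes of distinct content.

    Two files count as the same content only when their bytes are identical;
    a revision that actually changed a clause is (correctly) counted as new data.
    """
    raw = 0
    unique_sizes: dict[str, int] = {}  # content hash -> size of one instance
    copies: dict[str, int] = {}        # content hash -> number of files with that content
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            size = p.stat().st_size
            raw += size
            digest = content_hash(p)
            unique_sizes.setdefault(digest, size)
            copies[digest] = copies.get(digest, 0) + 1
    unique = sum(unique_sizes.values())
    return {
        "raw_bytes": raw,
        "unique_bytes": unique,
        "distinct_files": len(unique_sizes),
        "max_copies": max(copies.values(), default=0),
        "inflation": raw / unique if unique else 0.0,
    }


def build_sample_export(root: Path) -> None:
    """Constructed sample (hypothetical contents): three distinct contracts, each stored
    once per 'revision' folder and again under every 'forwarded' thread, mimicking a
    contract system that snapshots a file every time it is revised or forwarded."""
    contracts = {
        "contract_A.txt": b"Master services agreement A " * 4000,  # 112,000 bytes
        "contract_B.txt": b"Statement of work B " * 2000,          # 40,000 bytes
        "contract_C.txt": b"NDA C " * 500,                         # 3,000 bytes
    }
    for name, body in contracts.items():
        for rev in range(12):  # twelve snapshots whose content never changed
            d = root / f"rev{rev:02d}"
            d.mkdir(exist_ok=True)
            (d / name).write_bytes(body)
        for fwd in range(5):   # five forwarded copies per contract
            d = root / "forwarded" / f"thread{fwd}"
            d.mkdir(parents=True, exist_ok=True)
            (d / name).write_bytes(body)


def demo() -> dict:
    """Build the constructed export in a temp dir and measure it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_export(root)
        return measure_unique(root)


if __name__ == "__main__":
    r = demo()
    print(f"raw={r['raw_bytes']:,} B  unique={r['unique_bytes']:,} B  "
          f"distinct={r['distinct_files']}  max_copies={r['max_copies']}  "
          f"inflation={r['inflation']:.1f}x")
```

Point it at a real export by calling `measure_unique(Path("/path/to/export"))`. The hash comparison only collapses byte-identical copies; revisions that differ by a single edited clause will each be counted as distinct content, so the unique figure it reports is an upper bound on genuinely different data, which is the conservative direction for a breach assessment.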
In addition, an open Zoom session was “Zoom bombed”. A Zoom video session for new hires, which is open by design, was joined by someone claiming to be one of the criminals. The criminal used a screenshot of that session to claim “persistent access”. The screenshot showed a list of apps that Dragos uses; no sensitive information was presented in the session. This example is indicative of the criminal continually harassing us and publicly making false claims in an attempt to extort us, which we will not accommodate.
Protection of OT Security Systems
In our original blog post, we distinguished Dragos production systems (the Platform and customer ICS/OT access) from Dragos data. The Dragos production systems, inclusive of the Platform and our customer environments, were not accessed by the criminal. Regarding the data that was accessed, our investigation indicates that no privileged accounts were compromised.
Our Primary Focus – Response, Containment, & Remediation
Many have asked whether we have identified the parties involved, that is, attribution. We have chosen to focus on incident response, containment, and remediation, which is the recommended best practice in situations like this and what we recommend to our own customers in similar scenarios. We are not pursuing attribution, but we are working with law enforcement, which pursues attribution and enforcement actions where possible.
There also have been questions about why there is not more information about the incident and related TTPs. Simply put, because the criminal actor could not access Dragos production systems and could not execute on their intended ransomware/extortion scheme, there is not more to report. We have provided a detailed timeline and the associated indicators on Deconstructing a Cyber Event.
Dragos Provides OT Incident Response (IR) Services. We Called in IT IR Specialists
As many of our customers know, Dragos specializes not only in ICS/OT network security monitoring, but also in pairing that technology with incident response specialists. These responders are best in class for incident response in ICS and OT systems. We specialize in ICS/OT incident response, not IT. Our decision to partner with a world-class leader in IT incident response, CrowdStrike, both recognizes our specialty in ICS/OT and provides us with third-party validation of containment and eradication of IT-centric threats. We often advise our clients not to send IT incident responders into ICS/OT environments; doing the reverse is equally ill-advised.
Maintaining Focus on Our Mission
All of us at Dragos have been concerned about this event. Our select response team has been working overtime to understand the details, to inform our customers, and to mitigate any impact. We are fortunate to have partners like CrowdStrike and law enforcement to provide resources and expertise. We will continue to examine the event, to continuously adjust our security controls in an ever-shifting security landscape, and to improve our response processes with the goal to never need to use this expertise on our own behalf again.
This serves as a reminder that cybercriminal activity remains a threat. The risks are real. Our mission to protect the OT systems of our customers is as critical as ever.