Dragos Breach

“KyivWarrior” Claims to be Behind Dragos Breach

According to vx-underground, a threat actor named KyivWarrior claims to be behind the Dragos breach.

“On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform,” the company said.

The intruder claims to hold confidential Dragos data but has yet to state which ransomware group it belongs to.

Let’s dig into the details

The criminal group gained entry by compromising the personal email address of a newly hired sales staff member before their official start date. It then used their details to impersonate the Dragos employee and complete the initial steps of the employee onboarding process.

Following the breach of Dragos’ SharePoint cloud platform, the attackers retrieved “general purpose data” along with 25 intelligence reports that were typically exclusive to customers.

Throughout the 16-hour period in which they had control over the employee’s account, the threat actors were unable to access various other Dragos systems, including its messaging, IT support desk, financial, request for proposal (RFP), employee recognition, and marketing systems, primarily because of role-based access control (RBAC) rules.

What happened next…

After their unsuccessful attempt to penetrate the company’s internal network, the criminals sent an extortion email to Dragos executives approximately 11 hours into the attack. Because it was sent outside of regular business hours, the message was only read 5 hours later.

Five minutes after reading the extortion message, Dragos deactivated the compromised user account, terminated all ongoing sessions, and barred the cybercriminals’ infrastructure from gaining access to company assets.

Key takeaways

Dragos has since implemented an extra authentication measure to harden its onboarding process and prevent this method from being used again. The company also committed to avoiding engagement with cybercriminals in future.

KyivWarrior’s claim brings new challenges for Dragos. The company should verify the authenticity of the claim and respond accordingly.

Author: Marrium Akhtar

Date: May 17, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
