SECURITY
Industrial control system cybersecurity firm Dragos Inc. has disclosed an extortion attempt in which those behind it went as far as threatening to contact the chief executive's wife and five-year-old son.
The extortion attempt began when a known cybercriminal group, which Dragos did not name, tried to compromise the company's information resources. The group gained access to a new employee's personal email account before the person's start date, then used that access to impersonate the employee and gain access to the company's employee onboarding process.
The group was able to access the resources a new sales employee typically uses in SharePoint and the Dragos contract management system. In one instance, a report with IP addresses associated with a Dragos customer was accessed. The customer has since been informed.
Dragos' Security Information and Event Management (SIEM) system alerted the company to the access, and the compromised account was blocked. Dragos activated its incident response retainer with CrowdStrike Holdings Inc. and engaged a third-party monitoring, detection and response provider to manage incident response efforts.
The investigation found that Dragos’ layered security controls prevented the threat actor from accomplishing what is believed to have been their primary objective: launching ransomware. The internal systems also prevented the attackers from undertaking lateral movement, escalating privileges, establishing persistent access or making any changes to the company’s infrastructure.
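The chain described above (a hire's identity claimed before their start date, used to reach SharePoint and contract-system data, and caught by SIEM alerting) points to one check a practitioner would want in their own environment: correlate successful access events against the HR roster and alert on any account that is active before its start date, escalating when the resource touched is sensitive. The following Python is an added example, not Dragos's code or detection logic; the roster, the audit events and the list of sensitive resource prefixes are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data for illustration only; not Dragos's roster, logs or detection logic.
# HR roster: account name -> start date (ISO 8601) and role.
ROSTER = {
    "newhire.sales": {"start_date": "2023-05-08", "role": "sales"},
    "asmith": {"start_date": "2023-01-16", "role": "sales"},
}

# Constructed audit events from a SharePoint site and a contract management system (CMS):
# (account, UTC timestamp, resource, outcome).
EVENTS = [
    ("newhire.sales", "2023-05-05T14:03:11Z", "sharepoint:/sites/sales/customer-report.pdf", "success"),
    ("newhire.sales", "2023-05-05T14:10:42Z", "cms:/contracts/example-customer", "success"),
    ("newhire.sales", "2023-05-05T14:12:09Z", "cms:/contracts/another-customer", "denied"),
    ("asmith", "2023-05-05T15:00:00Z", "sharepoint:/sites/sales/pipeline.xlsx", "success"),
]

# Resource prefixes treated as sensitive (an assumption made for this example).
SENSITIVE_PREFIXES = ("cms:/contracts/", "sharepoint:/sites/sales/customer-")


def _parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised to +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def flag_preboarding_access(roster, events):
    """Return alerts for successful access by accounts whose HR start date has not yet arrived.

    Such activity suggests the onboarding identity was claimed by someone other than the
    hire (for example via a compromised personal mailbox); access to a sensitive resource
    raises the severity and the recommended action.
    """
    alerts = []
    for account, ts, resource, outcome in events:
        if outcome != "success":
            continue  # denied attempts are worth logging but are not the signal here
        entry = roster.get(account)
        if entry is None:
            continue  # accounts missing from HR belong to a different detection
        start = datetime.fromisoformat(entry["start_date"]).replace(tzinfo=timezone.utc)
        when = _parse_utc(ts)
        if when < start:
            sensitive = resource.startswith(SENSITIVE_PREFIXES)
            alerts.append({
                "account": account,
                "timestamp": ts,
                "resource": resource,
                "days_before_start": (start - when).days,
                "severity": "high" if sensitive else "medium",
                "action": "disable account and open incident" if sensitive else "notify HR and security",
            })
    return alerts


def accounts_to_disable(alerts):
    """Distinct accounts with at least one high-severity alert, in first-seen order."""
    seen = []
    for alert in alerts:
        if alert["severity"] == "high" and alert["account"] not in seen:
            seen.append(alert["account"])
    return seen


if __name__ == "__main__":
    found = flag_preboarding_access(ROSTER, EVENTS)
    for alert in found:
        print(alert)
    print("disable:", accounts_to_disable(found))
```

In a real deployment the roster would come from the HR system of record and the events from the SIEM; the point of the rule is that a new-hire account has no legitimate reason to be reading customer reports or contracts before day one, so the alert can safely drive an automatic block rather than a ticket.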
This is where the story should have ended, but then it took a bizarre twist as the attack group tried to extort Dragos in exchange for not publicly disclosing the intrusion. As part of the group's pressure tactics, they threatened to contact CEO Robert M. Lee's wife and five-year-old son. The threat actor also contacted senior Dragos employees via their personal email addresses.
“Dragos has a culture of transparency and a commitment to providing educational material to the community,” the company said in a blog post Wednesday. “This is why it’s important to us to share what happened during a recent failed extortion scheme against Dragos.”
Ryan Bell, threat intelligence manager at cyber insurance company Corvus Insurance Holdings Inc., told SiliconANGLE that the incident is the latest example of attackers increasingly using data theft for extortion.
“The use of data theft for extortion is on the rise, as evidenced by the increasing number of traditional ransomware groups employing ‘double extortion’ tactics — conducting both data theft and encryption,” Bell explained. “Threat actors will use the personal information of employees to try and build leverage.”
Stuart Wells, chief technology officer at identity verification solutions provider Jumio Corp., said the announcement from Dragos “proves no organization is safe from cybercriminals and that identity verification is vital from the moment a user begins the initial onboarding process.”
“Cybercriminals are getting bolder and smarter, and going after a cybersecurity company underscores that any company's data can be a target,” Wells added. “Organizations must be equipped to protect their data, and their customers' data, which starts with a strong foundation of user verification and authentication.”