
Salesloft Drift compromised en masse, impacting all third-party integrations

28 August 2025 at 15:26

Salesloft Drift customers are compromised in a much more expansive downstream attack spree than previously thought, potentially ensnaring any user that integrated the AI chat agent platform with another service.

“We’re telling organizations to treat any Drift integration into any platform as potentially compromised, so that increases the scope of victims,” Mandiant Consulting CTO Charles Carmakal told CyberScoop. This expanded attack radius includes Google Workspace customers that integrated Salesloft Drift into their instances. Victims have been notified that Google has found evidence of compromise.

Freshly uncovered evidence proves the threat actors, which Google tracks as UNC6395, didn’t just hit Salesforce customers who used Salesloft Drift, as Salesloft claimed Tuesday. 

“This just really blows wide open the scope here,” said Austin Larsen, principal threat analyst at Google Threat Intelligence Group.

Salesloft Drift provides integrations with 58 third-party tools for customer relationship management, automation, analytics, sales, communications and support, according to a third-party integration guide the vendor updated last month.

Salesloft updated its security blog to confirm that impact is much more severe and widespread. The company said it’s working with Mandiant, Google Cloud’s incident response division, and cyber insurer Coalition to assist in an ongoing investigation.

The sales engagement platform, a variant of CRM, is now recommending all Drift customers who manage connections to third-party applications via API key to revoke the existing key and rotate to a new key. Salesloft, which acquired Drift in February 2024, did not respond to a request for comment. 

In response to the widening security incident, Salesforce said late Wednesday it disabled the connection between Drift and Salesforce, rendering those integrations defunct. Salesforce declined to answer questions and maintains the issue does not involve a vulnerability in the Salesforce platform.

While the number of victims has grown, Google is sticking to the estimates it shared Tuesday, reiterating that more than 700 organizations are potentially impacted. Yet, it’s clear researchers are still working to identify all potential paths of compromise. 

“We’ve seen evidence of other platforms that were impacted as well,” Carmakal said.

The exposure could also involve former Drift customers. Mandiant identified one victim that may have been a former Drift customer, but researchers are still working to confirm those details. 

GTIG said the financially motivated threat group UNC6395 has also retrieved OAuth tokens for multiple services, including some that allowed it to “access email from a very small number of Google Workspace accounts.” The attackers primarily sought to steal credentials to compromise other systems connected to initial victims, as they specifically searched for Amazon Web Services access keys, virtual private network credentials and Snowflake credentials.

The root cause of the attacks, specifically how UNC6395 gained initial access to Salesloft Drift, remains unconfirmed. Researchers are also working to determine the full extent of the compromise within Salesloft Drift’s infrastructure.

“We are working with Salesloft Drift to investigate the root cause of what occurred and then it’ll be up to them to publish that,” Carmakal said. “There will be a lot more tomorrow, and the next day, and the next day.”

The post Salesloft Drift compromised en masse, impacting all third-party integrations appeared first on CyberScoop.

Contract lapse leaves critical infrastructure cybersecurity sensor data unanalyzed at national lab

22 July 2025 at 17:06

Data from sensors that detect threats in critical infrastructure networks is sitting unanalyzed after a government contract expired this weekend, raising risks for operational technology, a program leader at Lawrence Livermore National Laboratory told lawmakers Tuesday.

That news arrived at a hearing of a House Homeland Security subcommittee on Stuxnet, the malware that was discovered 15 years ago after it afflicted Iran’s nuclear centrifuges. The hearing focused on operational technology (OT), used to monitor and control physical processes in things like manufacturing or energy plants.

Amid a Department of Homeland Security review of contracts, the arrangement between the laboratory and DHS’s Cybersecurity and Infrastructure Security Agency to support the CyberSentry program expired Sunday, laboratory program manager Nathaniel Gleason told lawmakers under questioning Tuesday. An agency official told CyberScoop later Tuesday that the program is still operational.

CyberSentry is a voluntary program for critical infrastructure owners and operators to monitor threats in both their IT and OT networks.

“We’re looking for threats that haven’t been seen before,” Gleason told California Rep. Eric Swalwell, the top Democrat on the Subcommittee on Cybersecurity and Infrastructure Protection. “We’re looking for threats that exist right now in our infrastructure. One of the great things about the CyberSentry program is that it takes the research and marries it with what is actually happening on the real networks. So we’re not just doing science projects. We’re deploying that technology out in the real world, detecting real threats.”

But the lab can’t legally analyze the data from the CyberSentry sensors without funding from government agencies, and funding agreements were still making their way through DHS processes before the contract expired this weekend, he said.

“One of the most important things is getting visibility into what’s happening on our OT networks,” Gleason said. “We don’t have enough of that. So losing this visibility through this program is a significant loss.”

Spokespeople for the lab did not immediately provide further details on the size or length of the contract. Other threat hunting contracts have also expired under the Trump administration. 

Chris Butera, CISA’s acting executive assistant director for cybersecurity, said in a statement to CyberScoop that the “CyberSentry program remains fully operational.”

“Through this program, CISA gains deeper insight into network activity of CyberSentry partners, which in turn helps us to disseminate actionable threat information that critical infrastructure owners and operators use to strengthen the security of their networks and to safeguard American interests, people, and our way of life,” Butera said. “CISA routinely reviews all agreements and contracts that support its programs in order to ensure mission alignment and responsible investment of taxpayer dollars. CISA’s ongoing review of its agreement with Lawrence Livermore National Laboratory has not impacted day-to-day operations of CyberSentry and we look forward to a continued partnership.”

Tatyana Bolton, executive director of the Operational Technology Cyber Coalition, told the subcommittee there aren’t enough federal OT cybersecurity resources in general.

“We must better resource OT security,” Bolton said. “From addressing the growing tech debt, hiring cybersecurity experts, to procuring and building updated systems, OT owners and operators don’t have the necessary funding to defend their networks.”

Those owners and operators spend 99 cents of every dollar on physical security and 1 cent on cybersecurity, she said. Reauthorizing the State and Local Cybersecurity Grant Program, due to expire in September, would help with that, Bolton said.

The Trump administration has made large cuts in CISA’s budget since the president took office in January.

This story was updated July 22 with comments from CISA’s Chris Butera.

The post Contract lapse leaves critical infrastructure cybersecurity sensor data unanalyzed at national lab appeared first on CyberScoop.
