Failing to disable a former employee’s account was a huge mistake
# Incident Report: Compromise of Municipal Water Utility via Dormant Account
## Executive Summary
A threat actor gained unauthorized access to a US city's network by exploiting a "zombie" account belonging to a former auditing employee that had not been disabled for years. The attacker successfully pivoted from administrative office systems to the city's water utility SCADA controls, where they disabled critical safety/operational settings. The incident highlights a catastrophic failure in identity lifecycle management and the lack of network segmentation between IT and OT (Operational Technology) environments.
## Incident Details
- **Discovery Date:** Not specified (Post-incident forensic investigation by Nicole Beckwith)
- **Incident Date:** Predates May 2026 reporting
- **Affected Organization:** Undisclosed US Municipality
- **Sector:** Government / Public Water Utility
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed
- **Vector:** Credential Stuffing / Password Reuse
- **Details:** The attacker utilized credentials for a former employee ("Greg from Auditing") harvested from a previous third-party data breach. The employee had used his `.gov` email and the same password for both personal services and his municipal work account.
### Lateral Movement
- **Details:** After gaining initial access with an account that held Domain Admin rights, the attacker moved from corporate office systems (first tampering with conference room projectors) to the sensitive SCADA network controlling the water utility.
### Data Exfiltration/Impact
- **Details:** No data exfiltration was reported; however, the attacker manipulated critical infrastructure settings, switching off water utility controls and potentially endangering the public water supply.
### Detection & Response
- **How it was discovered:** Discovered following suspicious activity on endpoints (projectors) and unauthorized changes to water utility settings.
- **Response actions:** Forensic investigation was conducted by an external consultant (Nicole Beckwith) to identify the source of the breach.
## Attack Methodology
- **Initial Access:** Valid Accounts (Dormant/Former Employee).
- **Persistence:** Use of a long-standing Domain Admin account that was never deprovisioned.
- **Privilege Escalation:** None required; the compromised account already possessed Domain Admin and SCADA operator rights.
- **Defense Evasion:** Use of legitimate credentials (Living off the Land).
- **Credential Access:** Password reuse from external third-party data leaks.
- **Discovery:** Exploration of network resources (Projectors, SCADA interfaces).
- **Lateral Movement:** Movement from general municipal IT network to the OT/SCADA environment.
- **Impact:** Impair Defenses/Inhibit Response (Disabling water utility controls).
## Impact Assessment
- **Financial:** Costs associated with emergency forensic response and potential remediation of water systems.
- **Data Breach:** Compromise of administrative and utility credentials.
- **Operational:** High. Critical water utility controls were tampered with, risking service disruption.
- **Reputational:** Significant. Public safety was endangered due to basic security negligence.
## Indicators of Compromise
- **Network Indicators:** Connection logs from suspicious IPs to the city's VPN or remote access portals using "Greg's" account.
- **File Indicators:** Not specified in the article.
- **Behavioral Indicators:** A long-dormant account suddenly showing high levels of activity; administrative accounts accessing SCADA controls during non-business hours.
## Response Actions
- **Containment:** Forensic identification of the compromised account.
- **Eradication:** Disabling the dormant "Greg" account and potentially other unneeded accounts discovered during the audit.
- **Recovery:** Restoring water utility control settings to safe operational parameters.
## Lessons Learned
- **Offboarding Failure:** The primary failure was the lack of an offboarding process to disable accounts immediately upon employee departure.
- **Over-Provisioning:** An auditor was granted Domain Admin and SCADA operator rights, violating the Principle of Least Privilege (PoLP).
- **Identity Hygiene:** Employees registering work email addresses with personal services and reusing the same password create a large external attack surface, since any third-party breach exposes working municipal credentials.
- **Lack of Segmentation:** The ability to move from office equipment (projectors) to water controls indicates poor IT/OT network segmentation.
## Recommendations
- **Identity Management:** Implement automated account deprovisioning triggered by HR termination events.
- **Access Reviews:** Conduct mandatory quarterly access reviews to identify and prune dormant accounts and excessive privileges.
- **Multi-Factor Authentication (MFA):** Mandate MFA for all remote access and administrative actions to prevent credential stuffing attacks.
- **Network Segmentation:** Physically or logically isolate SCADA/Utility networks from the general corporate municipal network.
- **Password Policy:** Implement and enforce policies prohibiting the use of work email addresses for personal services.
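The two detection and review controls this report relies on, the behavioral indicators listed under Indicators of Compromise (a long-dormant account suddenly authenticating, and an account reaching SCADA hosts outside business hours) and the periodic access review recommended above, can be reduced to a small amount of log and directory logic. The following Python is an added example, not code from the report or from the affected municipality; the account directory, hostnames, IP addresses and authentication log lines are constructed for illustration, and the 90-day dormancy threshold and 07:00-18:59 business-hours window are assumptions a deployment would tune.

```python
"""Dormant-account reactivation and off-hours OT access detection.

Added example; not part of the incident report. All data below is
constructed. Assumes authentication log lines in the simple format
'<ISO timestamp> <user> <source IP> <host> <result>'.
"""
from datetime import datetime, timedelta

DORMANT_DAYS = 90                    # assumption: no login in 90 days = dormant
BUSINESS_HOURS = range(7, 19)        # assumption: 07:00-18:59 local time
OT_HOSTS = {"scada-hmi-01", "plc-gw-02"}   # constructed OT hostnames
REVIEW_TIME = datetime.fromisoformat("2026-04-30T12:00:00")  # constructed

# Constructed directory snapshot taken before the events below; last_login
# is the most recent successful logon recorded for each enabled account.
ACCOUNTS = {
    "greg.auditing": {"last_login": "2019-03-12T09:14:00", "enabled": True},
    "ops.jane":      {"last_login": "2026-04-29T15:02:00", "enabled": True},
    "svc-backup":    {"last_login": "2026-04-29T23:00:00", "enabled": True},
}

# Constructed authentication log: ts user src_ip host result
AUTH_LOG = """\
2026-04-30T02:17:43 greg.auditing 203.0.113.45 vpn-gw success
2026-04-30T02:31:10 greg.auditing 203.0.113.45 scada-hmi-01 success
2026-04-30T09:05:00 ops.jane 10.20.5.17 scada-hmi-01 success
2026-04-30T23:40:12 ops.jane 10.20.5.17 fileserver success
2026-04-30T23:41:00 ops.jane 10.20.5.17 plc-gw-02 failure
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "host": host, "result": result})
    return events


def dormant_accounts(accounts, now, threshold_days=DORMANT_DAYS):
    """Enabled accounts whose last recorded login is older than the threshold.

    This is the access-review query: every account returned here is a
    candidate for disabling, regardless of whether it has been abused yet.
    """
    cutoff = now - timedelta(days=threshold_days)
    return {user for user, attrs in accounts.items()
            if attrs["enabled"]
            and datetime.fromisoformat(attrs["last_login"]) < cutoff}


def detect(events, accounts, now):
    """Return (indicator, user, host, timestamp) findings for the two
    behavioral indicators: dormant-account reactivation and off-hours
    access to OT hosts. Only successful authentications are considered;
    failures are left to a separate brute-force/stuffing rule."""
    findings = []
    dormant = dormant_accounts(accounts, now)
    for e in events:
        if e["result"] != "success":
            continue
        when = e["ts"].isoformat()
        if e["user"] in dormant:
            findings.append(("DORMANT_REACTIVATION", e["user"], e["host"], when))
        if e["host"] in OT_HOSTS and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("OFF_HOURS_OT_ACCESS", e["user"], e["host"], when))
    return findings


if __name__ == "__main__":
    print("Access review - dormant enabled accounts:",
          sorted(dormant_accounts(ACCOUNTS, REVIEW_TIME)))
    for finding in detect(parse_log(AUTH_LOG), ACCOUNTS, REVIEW_TIME):
        print(*finding)
```

Run against the constructed data, the review query returns only `greg.auditing`, and the detector raises three findings: two dormant-reactivation alerts for that account (the VPN logon and the SCADA HMI logon) plus one off-hours OT alert for the same SCADA HMI logon at 02:31. The failed `plc-gw-02` attempt is ignored by design. In practice the directory snapshot should be the state before the events under review, otherwise the attacker's own logon updates `last_login` and hides the dormancy signal.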