VYPR · breach · Published May 21, 2026 · 1 source

Zombie Account of Former Employee Gave Hackers Control of City Water Utility

A threat actor exploited a dormant 'zombie' account belonging to a former city employee to gain domain admin and SCADA access, disabling water system controls.

A threat actor compromised a U.S. city's water utility by exploiting a dormant 'zombie' account belonging to a former employee, 'Greg from Auditing,' who had left years earlier. The account retained extensive privileges including domain admin rights and SCADA operator access, allowing the attacker to disable water system controls. The breach likely occurred because Greg reused a password from a third-party service that had been leaked, as reported by Nicole Beckwith, senior director for security engineering and operations at Cribl, who investigated the incident.

The attacker initially took a 'leisurely tour' of the city's online resources, messing with conference room projectors and other harmless endpoints. They then realized they could change settings on the water utility's control systems, switching many controls off and potentially endangering the water supply. Beckwith found that all the mischief was performed through Greg's account, which had not been deprovisioned after his departure.

Greg had used his work email address to sign up for various online accounts, some of which may have been exposed in previous data leaks. Beckwith speculates the hackers saw an email address with a .gov domain and decided to try their luck with the leaked password, likely the same one Greg used for work. This highlights the dangers of password reuse across personal and professional services.

The incident underscores the critical need for quarterly access reviews and prompt deprovisioning of accounts for former employees. "The lesson, beyond the obvious 'please, for the love of all that is holy, audit your dormant accounts,' is that every forgotten user is an easy ticket to being on the 5 o'clock news," Beckwith told The Register. She emphasized that many organizations assume someone else has terminated access when an employee leaves, but this simple control is often overlooked.

This breach is part of a broader pattern of attacks on critical infrastructure, where outdated or mismanaged accounts provide easy entry points. Water utilities, in particular, have been targeted by various threat actors, including state-sponsored groups and cybercriminals. The incident serves as a stark reminder that basic security hygiene, such as regular account audits and strong password policies, is indispensable to protecting essential services.

Organizations should implement automated deprovisioning processes and enforce multi-factor authentication to mitigate such risks. The city has since taken steps to improve its security posture, but the incident highlights the ongoing challenges in securing legacy systems and managing user access in complex environments.
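The access review and automated deprovisioning described above can be reduced to a simple check that joins the directory's account list with the HR leaver list and flags any enabled account that is dormant or belongs to someone no longer employed, escalating when the account also holds privileged group membership. The script below is an added example written for this summary, not code from the city, Cribl or The Register; the group names, the 90-day dormancy threshold and the sample accounts are assumptions modelled on the incident.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PRIVILEGED_GROUPS = {"Domain Admins", "SCADA Operators"}  # assumed group names

@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]   # None: the account has never logged on
    groups: List[str]
    hr_status: str               # "active" or "terminated", joined from HR

def audit(accounts, today, dormant_days=90):
    """Flag enabled accounts that are dormant or belong to leavers."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # already deprovisioned, nothing to do
        reasons = []
        if acct.hr_status == "terminated":
            reasons.append("owner no longer employed")
        if acct.last_logon is None or (today - acct.last_logon).days > dormant_days:
            reasons.append(f"no logon in {dormant_days} days")
        if not reasons:
            continue
        privileged = sorted(PRIVILEGED_GROUPS & set(acct.groups))
        # A leaver's account, or any dormant privileged account, is disabled
        # outright; an ordinary dormant account goes to the quarterly review.
        action = "disable" if (acct.hr_status == "terminated" or privileged) else "review"
        findings.append({"account": acct.name, "reasons": reasons,
                         "privileged": privileged, "action": action})
    return findings

# Constructed sample data modelled on the incident; every value is made up.
SAMPLE = [
    Account("greg.auditing", True, date(2021, 3, 2),
            ["Domain Users", "Domain Admins", "SCADA Operators"], "terminated"),
    Account("alice.ops", True, date(2026, 5, 18), ["SCADA Operators"], "active"),
    Account("svc.legacy", True, None, ["Domain Users"], "active"),
    Account("bob.former", False, date(2024, 1, 9), ["Domain Admins"], "terminated"),
]

def run_sample():
    return audit(SAMPLE, date(2026, 5, 21))

if __name__ == "__main__":
    for f in run_sample():
        extra = f"  [privileged: {', '.join(f['privileged'])}]" if f["privileged"] else ""
        print(f"{f['action']:8} {f['account']:15} {', '.join(f['reasons'])}{extra}")
```

In a real deployment the `SAMPLE` list would be replaced by a directory export and an HR feed, and the "disable" findings would drive the deprovisioning step rather than just a report.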

Synthesized by Vypr AI