Full Report
An investigation into a June 11 cyber attack claimed by an Iranian-linked hacker group found that hackers accessed one California Water Service customer’s online account using stolen credentials, but did not breach the utility’s internal systems or billing infrastructure, the company announced this week. Cal Water has continued to investigate claims made on June 11 by an Iranian-linked hacker group that it…
Analysis Summary
# Incident Report: Iranian-Linked Compromise of Cal Water Third-Party Platform Access
## Executive Summary
In June 2024, an Iranian-linked threat actor claimed to have breached California Water Service (Cal Water), California's largest investor-owned water utility. A subsequent investigation revealed that while the utility’s internal infrastructure and billing systems remained secure, the attackers successfully accessed a small number of user accounts on two third-party service provider platforms using stolen credentials. The incident resulted in unauthorized access to at least one specific customer online account but did not impact critical water operations or infrastructure.
## Incident Details
- **Discovery Date:** June 11, 2024 (following public claims by the threat actor)
- **Incident Date:** June 11, 2024
- **Affected Organization:** California Water Service (Cal Water)
- **Sector:** Critical Infrastructure (Water and Wastewater)
- **Geography:** California, USA (specifically mentioning regions such as Chico)
## Timeline of Events
### Initial Access
- **Date/Time:** June 11, 2024
- **Vector:** Valid Credentials (Stolen)
- **Details:** Attackers used previously compromised credentials to log into third-party service provider platforms utilized by Cal Water.
### Lateral Movement
- **Details:** No lateral movement into Cal Water’s internal systems or billing infrastructure was detected; the activity remained confined to the third-party platforms.
### Data Exfiltration/Impact
- **Details:** Unauthorized access to a "small number" of specific user accounts, including at least one customer’s online account.
### Detection & Response
- **Discovery:** The incident was identified after an Iranian-linked hacker group publicly claimed they had breached the utility.
- **Response actions:** Cal Water activated its cybersecurity response plan, engaged state and federal government partners, and hired third-party cybersecurity experts to conduct a forensic investigation.
## Attack Methodology
- **Initial Access:** Stolen Credentials
- **Persistence:** Not disclosed (likely limited to active session access)
- **Privilege Escalation:** Not reported
- **Defense Evasion:** Use of legitimate credentials to mimic authorized user behavior
- **Credential Access:** Likely obtained via previous data breaches or phishing (independent of Cal Water systems)
- **Discovery:** Targeted search within third-party platforms
- **Lateral Movement:** None (contained to external service providers)
- **Collection:** Accessing customer account profiles
- **Exfiltration:** Unauthorized viewing of account data
- **Impact:** Minimal (Unauthorized account access)
## Impact Assessment
- **Financial:** No reported loss of funds or billing infrastructure damage.
- **Data Breach:** Limited to a "small number" of accounts on third-party platforms (Identity/Account data).
- **Operational:** No disruption to water service or internal utility operations.
- **Reputational:** Moderate; necessitated public clarification to counter claims of a wide-scale infrastructure breach.
## Indicators of Compromise
- **Network indicators:** None provided in the public report.
- **File indicators:** None (web-based platform access).
- **Behavioral indicators:** Unusual login activity on third-party provider platforms from unrecognized IP addresses or geographical locations.
## Response Actions
- **Containment:** Secured impacted third-party platform accounts and validated the integrity of internal systems.
- **Eradication:** Investigation conducted "around the clock" to confirm no deep-network persistence.
- **Recovery:** Continued monitoring of third-party integrations and public communication to stakeholders.
## Lessons Learned
- **Key takeaways:** Threat actors often exaggerate the scale of a breach for psychological purposes (claiming a full utility breach when only a third-party portal was accessed).
- **What could have been done better:** Earlier identification of credential stuffing or stolen credential usage on auxiliary platforms might have pre-empted the attacker's public claims.
## Recommendations
- **Multi-Factor Authentication (MFA):** Ensure MFA is strictly enforced on all third-party service provider platforms and customer portals.
- **Third-Party Risk Management:** Audit the security controls of external vendors to ensure they meet internal security standards.
- **Credential Monitoring:** Implement monitoring for leaked employee or customer credentials on the dark web to proactively reset compromised accounts.