INDIGO RUST Targeting Water Utilities Through Managed Service Providers
A previously unreported threat group dubbed INDIGO RUST has compromised at least a dozen U.S. water utilities by breaching the managed service providers that maintain their industrial control systems, according to two incident responders at a Fortune 500 firm. The intrusions, detected between Dec. 18 and Dec. 29, 2025, exploited stolen MSP credentials rather than a software vulnerability, the responders said. CISA, the FBI, and the Environmental Protection Agency are coordinating a response and plan to issue a public alert on Jan. 10, according to a federal cybersecurity contractor familiar with the investigation.
The affected utilities serve populations in Texas, Arizona, and California, the incident responders said. The attackers focused on remote management tools used by MSPs to monitor water treatment plant networks, including systems that control chemical dosing and pump stations. The responders said INDIGO RUST collected SCADA network diagrams, vendor maintenance credentials, and internal network maps, but they have not observed attempts to manipulate physical processes such as chlorine levels or flow rates. The group appears intent on maintaining long-term access to operational technology environments, one responder said.
A CISO briefed on the activity at a regional water authority meeting on Jan. 6 said the intrusions were first spotted when an MSP in Phoenix reported unusual login times from an account associated with a Central Arizona water district. The CISO said the same MSP credentials were later used to access systems at utilities in South Texas and Southern California, suggesting the actor targeted the provider's customer base rather than individual utilities at random. The CISO requested anonymity because the investigation remains active.
Federal Agencies Preparing Joint Alert With Defensive Guidance
CISA plans to publish an alert on Jan. 10 recommending that water utilities and other critical infrastructure operators audit all MSP remote access accounts, disable dormant vendor credentials, and enforce phishing-resistant multifactor authentication on every remote management pathway, the federal cybersecurity contractor said. The alert will also urge utilities to review logs for remote desktop and remote monitoring tools between Dec. 15, 2025, and Jan. 5, 2026, and to remove any unauthorized administrative accounts created during that window. The contractor said the guidance will not name all affected utilities but will note that the activity has been observed at public water systems serving more than 2 million cumulative customers.
The EPA's Water Security Division is separately contacting state drinking water administrators to coordinate onsite security reviews at utilities that use the affected MSP, according to the contractor. The FBI has opened a preliminary investigation and is working with international partners to trace IP ranges used in the activity, which are registered to providers in Eastern Europe and routed through commercial VPN services, the contractor said. The contractor requested anonymity because they were not authorized to discuss the matter publicly.
The two incident responders said they have assigned the name INDIGO RUST to the cluster of activity because the infrastructure and tradecraft do not match any publicly tracked advanced persistent threat group. The responders said the actor relies on legitimate remote access tools and stolen credentials, tactics that make detection difficult without robust logging and identity governance. They emphasized that no evidence suggests the group has used a zero-day exploit or unpatched vulnerability to gain entry, which means defensive measures focused on identity and access management can materially reduce risk.
Defensive Ask and What to Watch Over the Next 72 Hours
Water utilities, electric cooperatives, and other operators of critical infrastructure should treat this as a prompt to review their MSP relationships rather than wait for confirmation from federal agencies, the CISO said. The CISO recommended four immediate steps: inventory every remote access account held by third-party vendors, enforce time-bound session limits, require hardware security keys or equivalent phishing-resistant MFA for all remote administrative access, and segment operational technology networks so that a compromised MSP account cannot reach safety systems.
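As an added illustration, not part of the article and not the forthcoming CISA guidance or any MSP's tooling, the log review that the CISO and the federal contractor describe can be scripted. The Python below runs three of the checks the article mentions over constructed sample log lines: vendor logins outside agreed maintenance hours (the "unusual login times" that first exposed the activity), a single vendor credential reaching customer sites it is not contracted for (the cross-utility reuse the CISO described), and administrative accounts created inside the Dec. 15, 2025 to Jan. 5, 2026 review window that are not on an approved list. The pipe-delimited log schema, the account inventory, the maintenance hours, the UTC assumption, and every account name and IP address are assumptions made up for the example; only the review window dates come from the article.

```python
"""Triage of remote-access logs for the Dec. 15, 2025 - Jan. 5, 2026 window.

Added example. The log lines, account inventory and maintenance hours are
constructed for illustration; they are not data from any utility or MSP.
"""
from datetime import datetime, time, timezone

# Review window from the article. Timestamps are assumed to be UTC.
WINDOW_START = datetime(2025, 12, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 1, 5, 23, 59, 59, tzinfo=timezone.utc)

# Constructed vendor-account inventory (assumption): which customer sites each
# MSP service account is contracted to reach and its agreed maintenance hours.
VENDOR_SCOPE = {
    "msp-svc-az01": {"sites": {"az-district-1"}, "hours": (time(13, 0), time(23, 0))},
    "msp-svc-tx02": {"sites": {"tx-south-1"}, "hours": (time(13, 0), time(23, 0))},
}

# Constructed list of administrative accounts that are allowed to exist.
APPROVED_ADMINS = {"ops-admin", "msp-svc-az01", "msp-svc-tx02"}

# Constructed sample log lines (assumed schema): ts|event|account|src_ip|site|tool
SAMPLE_LOG = """\
2025-12-16T15:04:10Z|login|msp-svc-az01|203.0.113.7|az-district-1|rmm
2025-12-19T03:12:44Z|login|msp-svc-az01|198.51.100.23|az-district-1|rmm
2025-12-21T02:45:01Z|login|msp-svc-az01|198.51.100.23|tx-south-1|rdp
2025-12-22T04:10:30Z|account_created|svc-backup2|198.51.100.23|tx-south-1|rdp
2025-12-23T14:00:00Z|login|msp-svc-tx02|203.0.113.9|tx-south-1|rmm
2026-01-02T01:30:00Z|login|msp-svc-az01|198.51.100.23|ca-south-1|rmm
2026-01-08T15:00:00Z|account_created|late-admin|203.0.113.9|tx-south-1|rdp
"""


def parse_log(text):
    """Turn pipe-delimited lines into event dicts with tz-aware UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, src_ip, site, tool = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event": event, "account": account, "src_ip": src_ip,
            "site": site, "tool": tool,
        })
    return events


def in_window(ts):
    return WINDOW_START <= ts <= WINDOW_END


def off_hours_logins(events):
    """Vendor logins inside the window but outside the account's agreed hours."""
    findings = []
    for e in events:
        if e["event"] != "login" or not in_window(e["ts"]):
            continue
        scope = VENDOR_SCOPE.get(e["account"])
        if scope is None:
            continue
        start, end = scope["hours"]
        if not (start <= e["ts"].time() <= end):
            findings.append((e["account"], e["ts"].isoformat(), e["site"]))
    return findings


def out_of_scope_sites(events):
    """A vendor credential reaching a customer site it is not contracted for."""
    findings = set()
    for e in events:
        if e["event"] != "login" or not in_window(e["ts"]):
            continue
        scope = VENDOR_SCOPE.get(e["account"])
        if scope and e["site"] not in scope["sites"]:
            findings.add((e["account"], e["site"]))
    return sorted(findings)


def unapproved_accounts_created(events):
    """Admin accounts created during the window that are not on the approved list."""
    return [
        (e["account"], e["ts"].isoformat(), e["src_ip"])
        for e in events
        if e["event"] == "account_created" and in_window(e["ts"])
        and e["account"] not in APPROVED_ADMINS
    ]


def triage(text):
    """Run all three checks over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "off_hours": off_hours_logins(events),
        "out_of_scope": out_of_scope_sites(events),
        "new_accounts": unapproved_accounts_created(events),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  ", item)
```

On the constructed sample, the script flags three off-hours logins by one vendor account, two of which reach sites outside that account's contract, and one unapproved account created from the same source address; the account created on Jan. 8 falls outside the review window and is left for a separate check. Real deployments would need to convert local-time maintenance windows to the log's time zone and feed the findings into a ticketing or blocking workflow rather than print them.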
The incident responders said organizations should also preserve logs from December and early January for at least 90 days and share indicators of compromise with CISA through the agency's Automated Indicator Sharing program or regional cybersecurity advisors. They noted that the Jan. 10 CISA alert will include a generic description of the actor's observed behavior and defensive mitigations, but will not disclose technical details that could aid adversaries. The responders said they expect additional private briefings for sector information sharing organizations on Jan. 12 and Jan. 13.
The key question over the next 72 hours is whether INDIGO RUST shifts from reconnaissance to disruptive action. The responders said the group has demonstrated patience and a preference for stealth, which suggests the current campaign is aimed at positioning for future operations rather than immediate sabotage. Utilities that act before the public alert may be able to sever the actor's access. The Alamo Post will update readers as CISA, the FBI, and the EPA release their joint guidance and as more affected organizations are notified.
