What is the INDIGO RUST campaign?
A cluster of intrusion activity I am tracking as INDIGO RUST has been hitting software vendors that serve U.S. electric utilities and water treatment facilities for at least 11 weeks. The actor is abusing trusted update channels and third-party integration plug-ins to move laterally from IT environments into operational technology networks. I am withholding the affected vendor and the affected build. The patch is not out yet.
The earliest evidence I can place with confidence dates to late March 2026, when the actor began probing externally facing management portals of a midsize software firm based in the American Midwest. By mid-May, the same infrastructure was interacting with at least four utility customer environments. The access vector appears to be a flaw in a widely deployed configuration tool rather than a supply chain compromise of the source code itself. That distinction matters. A vulnerable but unmodified product can be fenced off and its exposure reduced while the fix is pending; a trojanized build would mean every installation is already untrustworthy. It means defenders can take action now without waiting for a clean reinstall of every affected system.
INDIGO RUST's operational tempo is deliberate but not subtle. The group has reused the same intermediary infrastructure across multiple victims, which allowed passive collection by network defenders to map the breadth of the campaign. I have observed traffic routing through a small set of virtual private servers hosted in jurisdictions with weak mutual legal assistance treaties. The persistence mechanism relies on scheduled tasks and service entries that would look routine to a junior analyst. That is the point. The actor wants to hide among legitimate administrative noise.
What makes this campaign worth covering is not the sophistication of the tooling. It is the concentration of targeting. The victims are not banks, hospitals, or technology firms. They are operators of generators, substations, and water pumps. The observed targeting aligns with a longer pattern of reconnaissance against U.S. critical infrastructure that CISA documented in its 2025 annual threat report. That report found that 40 percent of surveyed utilities had detected adversary activity in their networks at some point during the preceding 18 months. INDIGO RUST fits that trend.
I am not going to name the affected vendor, list the vulnerable build, or provide the technical indicators that would let an amateur replicate the intrusion. Those details would help attackers more than defenders until the patch is public. What I will do is describe the defensive posture that should already be in place.
What should network defenders do today?
Defenders should immediately isolate configuration management and remote monitoring systems from operational networks, enforce multi-factor authentication on every privileged account, and review logs for scheduled task creation and service installation events over the past 90 days. These three actions will break or expose the core techniques used in the INDIGO RUST campaign.
Segmentation is the first and most important step. The affected configuration tool has legitimate reasons to touch both enterprise IT and operational technology environments, but that convenience has become a liability. Every utility I have spoken with in the past month admits that the boundary between those two environments is fuzzier than the architecture diagrams suggest. A flat network is a gift to an intruder. Split the management plane from the control plane. Put a unidirectional gateway or at least a tightly controlled jump host between them. The cost is modest compared to the cost of an outage.
Multi-factor authentication is not a new recommendation, but it remains the control most often missing in these incidents. The INDIGO RUST actor has exploited accounts that either lacked MFA entirely or used SMS-based codes that could be intercepted or redirected. Hardware tokens or phishing-resistant authenticators should be mandatory for any account that can touch industrial control systems. Password rotation alone will not stop this actor. Neither will a generic endpoint detection agent if it is not tuned to alert on new scheduled tasks or service binaries in system directories.
Logging discipline is where many organizations fall down. Windows event logs, proxy logs, and VPN session records need to be retained for at least 90 days and preferably longer, and retained centrally: a default-sized local Security log on a busy host rolls over long before 90 days, so forward events to a collector rather than relying on the host. In this campaign, the actor spent several weeks moving between systems before attempting any action that would affect physical processes. A defender who can look back 90 days has a chance of spotting the initial foothold. A defender who retains only 30 days of logs is flying blind. If your security operations center is drowning in alerts, start by prioritizing task scheduler and service control manager events on hosts that bridge IT and OT: Security event 4698 (scheduled task created) and 4702 (scheduled task updated), System event 7045 (new service installed), and Security event 4697 (service installed) where the Security System Extension audit subcategory is enabled. One caveat: 4698 and 4702 are only written when the Other Object Access Events audit subcategory is enabled, which it is not by default, so confirm the audit policy before assuming the history is there to review.
Finally, patch management for industrial software must be treated as a lifecycle, not an annual project. The vendor in question is working on a fix. When it ships, the clock starts. Utilities that have not tested their patching workflow in the past six months will discover that their vendor support contracts, change-control boards, and maintenance windows are not aligned with the speed that modern threats demand.
Why responsible withholding matters
Responsible disclosure in industrial control environments requires holding back specific technical details until a patch is available, because publishing those details early would let less capable actors exploit the same gap while defenders have no fix. The public interest is served by describing the campaign and the defensive response, not by distributing a roadmap.
Some readers will be frustrated that I am not naming the vendor. I understand the impulse. Procurement offices want to know whether their supplier is involved. Risk managers want to run a quick query. But naming the vendor today, before the patch is released, would trigger a predictable chain of events. Every script kiddie with a scanner would start hammering the known product. Incident response firms would be flooded with false positives from customers running unrelated builds. And the original actor would simply rotate infrastructure, making the broader campaign harder to track.
The better bargain is this. I describe the behavior, the sector, the timeframe, and the defensive measures. The vendor gets a bounded window to ship a fix. When the patch is public, I will publish the technical indicators and the affected versions so that network defenders can hunt with precision. That sequence protects critical infrastructure better than a premature data dump.
The longer lesson for critical infrastructure
INDIGO RUST is not an anomaly. It is the latest reminder that adversaries have moved past targeting the largest utilities and are now probing the software supply chain that serves mid-tier operators. Those operators often have fewer security staff, older equipment, and thinner vendor support. They are the soft target in a hard sector.
Congress has spent years debating mandatory cyber standards for critical infrastructure, but progress has been uneven. The 2025 regulatory framework gave the Environmental Protection Agency more authority over water system cybersecurity, yet implementation remains patchy. The North American Electric Reliability Corporation continues to update its standards, but compliance deadlines are stretched across multiple years. Attackers do not wait for rulemaking.
The answer is not another federal mandate issued from Washington. It is a discipline adopted in every control room and security office. Know your assets. Segment your networks. Require strong authentication. Keep logs. Test your patches. These are boring measures. They are also the measures that stop campaigns like INDIGO RUST before they reach the valves and breakers that keep the lights on and the water clean.
