
Cal Water Breach Traced to Third-Party Platform Accounts, Not OT Systems

The Handala group's claims of disrupting water supply infrastructure were ultimately traced back to unauthorized access of user accounts on two third-party platforms, not Cal Water's operational technology systems. This highlights a critical risk vector: third-party tools and platforms can serve as entry points that attackers attempt to leverage for reputational damage or as staging grounds for deeper intrusion. While the outcome here was contained, the incident underscores how threat actors can exploit weak access controls on external platforms to create the appearance of a more severe attack. Critical infrastructure operators must treat every third-party platform with the same security rigor as internal systems, since a compromised vendor account can still expose sensitive operational data or serve as a pivot point.

Tactical Insight

Immediate actions

  • Audit and revoke unnecessary user accounts on all third-party platforms, enforcing least-privilege access.
  • Enable multi-factor authentication (MFA) on every external SaaS tool, GPS service, or customer-facing platform connected to the organization.

Supply chain & vendor controls

  • Maintain a comprehensive inventory of all third-party platforms and assess their security posture through vendor risk assessments.
  • Contractually require third-party vendors to notify the organization immediately upon detecting any unauthorized account access.
  • Segment third-party platform credentials so that a compromise of one service cannot cascade to internal or OT environments.

Detection & response measures

  • Implement centralized logging and alerting for all third-party platform login events, anomalous access patterns, and privilege escalations.
  • Establish a rapid-response playbook specifically for third-party account compromise scenarios to accelerate investigation timelines.
  • Conduct regular tabletop exercises simulating threat actor claims involving OT disruption to stress-test incident response readiness.
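As an added example of the centralized login monitoring described above (this is not code from Cal Water or any vendor), the following Python checks a feed of third-party platform login events against three controls from this lesson: MFA on every login, a per-account baseline of expected countries, and a successful login that follows a run of failures from the same address. The log lines, field names and baseline are constructed for the example and do not reflect any real platform's schema.

```python
# Added detection example: flag risky third-party platform logins.
import json
from collections import defaultdict

# Constructed sample events modelled on a generic SaaS audit feed (field names assumed).
SAMPLE_LOG = """
{"ts":"2024-11-20T08:01:00Z","user":"ops.admin","ip":"203.0.113.10","country":"US","result":"success","mfa":true}
{"ts":"2024-11-20T08:02:00Z","user":"field.tech","ip":"198.51.100.7","country":"US","result":"success","mfa":true}
{"ts":"2024-11-20T22:10:00Z","user":"ops.admin","ip":"192.0.2.55","country":"BR","result":"failure","mfa":false}
{"ts":"2024-11-20T22:10:20Z","user":"ops.admin","ip":"192.0.2.55","country":"BR","result":"failure","mfa":false}
{"ts":"2024-11-20T22:10:40Z","user":"ops.admin","ip":"192.0.2.55","country":"BR","result":"failure","mfa":false}
{"ts":"2024-11-20T22:11:05Z","user":"ops.admin","ip":"192.0.2.55","country":"BR","result":"success","mfa":false}
{"ts":"2024-11-20T23:00:00Z","user":"vendor.svc","ip":"198.51.100.9","country":"US","result":"success","mfa":false}
"""

# Assumed per-account baseline of expected login countries (in practice derived from history).
BASELINE_COUNTRIES = {"ops.admin": {"US"}, "field.tech": {"US"}, "vendor.svc": {"US"}}
FAILURE_THRESHOLD = 3  # failures from one (user, ip) pair before a following success is flagged


def parse_events(raw):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def detect(events, baseline=BASELINE_COUNTRIES, threshold=FAILURE_THRESHOLD):
    """Return (rule, user, ts) tuples for successful logins that violate a control."""
    alerts = []
    failures = defaultdict(int)  # (user, ip) -> consecutive failed attempts
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            failures[key] += 1
            continue
        # Successful login: evaluate each control, then reset the failure counter.
        if failures[key] >= threshold:
            alerts.append(("success_after_failures", e["user"], e["ts"]))
        failures[key] = 0
        if not e["mfa"]:
            alerts.append(("login_without_mfa", e["user"], e["ts"]))
        if e["country"] not in baseline.get(e["user"], set()):
            alerts.append(("login_from_new_country", e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(parse_events(SAMPLE_LOG)):
        print(f"{ts} {user}: {rule}")
```

On the sample feed this raises four alerts: three on the ops.admin login that succeeds without MFA from an unexpected country after three failures, and one on the vendor.svc service account logging in without MFA.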