
CISA/USCG Threat Hunt Finds Flat IT/OT Networks and Plain-Text Credentials at US Critical Infrastructure

A proactive threat hunt conducted by CISA (Cybersecurity and Infrastructure Security Agency) and the USCG (U.S. Coast Guard) at an unidentified U.S. critical infrastructure organization found no active threat actor presence — but uncovered a range of cyber hygiene deficiencies serious enough to warrant a joint public advisory. Published July 31, 2025, joint advisory AA25-212A documents findings including flat network architecture where IT (information technology — corporate systems, workstations, email) and OT (operational technology — industrial control systems managing physical processes) share the same network segment, plain-text credential storage, shared local administrator accounts across endpoints, and disabled SSL on production devices. No breach occurred — but every finding represents a condition that ransomware groups and nation-state actors specifically look for when selecting targets and planning lateral movement into industrial systems.

Key Cyber Hygiene Findings: Technical Details

CISA and USCG analysts conducted the hunt using host-level forensics, network traffic analysis, ICS (Industrial Control System) analysis, and commercial cloud and open-source intelligence tools. They searched specifically for evidence of known threat actor TTPs (Tactics, Techniques, and Procedures) and associated artifacts. While no current compromise was found, six categories of systemic risk were documented:

1. Insufficient log collection and management. The organization lacked centralized, comprehensive logging across host and network systems. Without complete logs, defenders cannot reconstruct the timeline of an intrusion after the fact, and real-time detection is impossible for activity that never reaches an alerting tool. Critical log sources that were missing or inconsistently collected include Windows Security Event Logs, network flow data (NetFlow/IPFIX), and authentication events from remote access systems. CISA's guidance on logging requirements for critical infrastructure is documented in its Logging Made Easy program.

2. Plain-text and insecurely stored credentials. Credentials — passwords, API keys, and service account tokens — were found stored in plain text in configuration files, scripts, and file shares accessible without strict access controls. An attacker with read access to a single directory could harvest credentials providing access across the environment. This condition is typically introduced when developers or administrators hard-code credentials for convenience and the practice is never reviewed or revoked.

3. Shared local administrative credentials across endpoints. Multiple endpoints were configured with the same local administrator username and password. This enables lateral movement via credential reuse: an attacker who compromises one machine can immediately authenticate to every other machine sharing those credentials. Microsoft's LAPS (Local Administrator Password Solution — a tool that automatically generates and manages unique local administrator passwords per endpoint) is designed specifically to eliminate this risk.

4. Unrestricted remote administrative access. Remote desktop (RDP), SSH, WMI (Windows Management Instrumentation), and PowerShell remoting were accessible across the network without segmentation or host-based access controls. An attacker who gained a foothold on any machine in the network had potential administrative reach to every other machine. This is the condition that enables ransomware groups to deploy encryptors across thousands of endpoints within hours of initial access.

5. Flat IT/OT network architecture. IT and OT systems shared the same network segment with insufficient boundary controls. OT systems — including PLCs (Programmable Logic Controllers — the computers embedded in industrial equipment that control physical processes like water pressure, valve positions, and conveyor speeds), HMIs (Human-Machine Interfaces — the operator consoles for industrial systems), and SCADA systems (Supervisory Control and Data Acquisition — software that monitors and controls industrial processes from a central dashboard) — were not isolated from corporate IT. A flat network allows an IT compromise (phishing, credential theft, vulnerable workstation) to become an OT compromise directly, without needing to cross any security boundary.

6. Device and server misconfigurations. Specific misconfigurations found included disabled SSL/TLS features (allowing unencrypted administrative traffic), weak password policies (short minimum lengths, no complexity requirements, no enforced rotation), and configuration drift across IT and OT devices. The advisory notes these issues were found across "a wide variety of disciplines" — indicating they were systemic rather than isolated to specific systems.
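Findings 1 and 5 together suggest a concrete check: with flow data (NetFlow/IPFIX) collected, a flat IT/OT network shows up as ICS protocol traffic and unlisted connections crossing the zone boundary. The following is an added example, not code from the advisory; the addressing plan, the allow-list entry and the flow records are all constructed, and it applies the deny-by-default allow-list model described later in the article to exported flow records.

```python
"""Flag IT/OT boundary crossings in flow records that are not on an explicit allow-list."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed addressing plan (assumption): corporate IT in 10.10/16, plant OT in 10.50/16.
ZONES = {"IT": [ipaddress.ip_network("10.10.0.0/16")], "OT": [ipaddress.ip_network("10.50.0.0/16")]}

# TCP ports of the ICS protocols named above. Profinet RT rides directly on Ethernet frames
# rather than IP, so it cannot be matched by port in flow data and is omitted here.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Explicit allow-list of (src_net, dst_net, dst_port); any other cross-zone flow is a finding.
ALLOW = [
    # constructed: one replication path from the OT historian to an IT collector subnet
    (ipaddress.ip_network("10.50.1.10/32"), ipaddress.ip_network("10.10.7.0/24"), 443),
]

def zone(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, nets in ZONES.items() if any(addr in n for n in nets)), "OTHER")

def allowed(flow):
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(src in s and dst in d and flow.dport == p for s, d, p in ALLOW)

def boundary_violations(flows):
    """Return [(flow, reason)] for flows that cross the IT/OT boundary without an allow rule."""
    findings = []
    for f in flows:
        if zone(f.src) == zone(f.dst) or allowed(f):
            continue  # intra-zone traffic and allow-listed paths are not boundary findings
        path = f"{zone(f.src)}->{zone(f.dst)}"
        if f.dport in ICS_PORTS:
            findings.append((f, f"{ICS_PORTS[f.dport]} crossing {path}"))
        else:
            findings.append((f, f"unlisted {path} traffic on port {f.dport}/{f.proto}"))
    return findings

# Constructed flow records, shaped like a NetFlow/IPFIX export (src, dst, dst port, proto).
SAMPLE_FLOWS = [
    Flow("10.50.1.10", "10.10.7.15", 443, "tcp"),   # historian to IT collector: allow-listed
    Flow("10.10.22.4", "10.50.3.20", 502, "tcp"),   # IT workstation talking Modbus to a PLC
    Flow("10.50.3.20", "10.50.3.21", 502, "tcp"),   # PLC to PLC inside OT: same zone
    Flow("10.10.22.4", "10.50.1.10", 3389, "tcp"),  # direct RDP from IT into OT
    Flow("10.50.2.5", "10.10.40.1", 44818, "tcp"),  # EtherNet/IP leaving OT toward IT
]
```

Run `boundary_violations()` over rows from your own collector; each reason names the protocol (or port) and the direction of the crossing, which is the list the segmentation firewall's allow-list must either permit explicitly or block.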

Exploitation Status and Threat Landscape

While CISA found no active threat actor presence during the hunt, the documented conditions directly mirror the initial access and lateral movement paths exploited in real-world critical infrastructure incidents. Ransomware groups targeting critical infrastructure — including Cl0p, LockBit, and BlackCat/ALPHV — have exploited flat IT/OT networks and shared credential conditions to pivot from initial email compromise to operational disruption. Nation-state actors including Volt Typhoon (pre-positioning for disruption of U.S. critical infrastructure) and CyberAv3ngers (Iranian-affiliated, targeting Rockwell PLCs) rely on exactly these gaps.

The advisory is explicit about its purpose: CISA is publishing these findings not to describe a specific incident but to "highlight identified cybersecurity issues, thereby informing security defenders in other organizations of potential similar issues." The implication is that these conditions are not unique to the organization that was hunted — they are endemic to the sector.

Who Is Affected

The advisory targets all U.S. critical infrastructure sectors, with particular relevance to organizations operating ICS/OT environments. Sectors with the highest exposure to these specific findings include:

  • Water and wastewater utilities — historically resource-constrained, late to adopt IT security practices, with OT systems often managed by the same staff handling corporate IT
  • Energy and utilities — power generation and distribution with legacy OT systems not designed for internet-connected environments
  • Manufacturing — especially facilities where IT/OT convergence was driven by efficiency rather than security planning
  • Transportation and port operations — large, distributed networks with diverse IT and OT components

Any organization that has not explicitly reviewed its network segmentation, credential management practices, and logging posture against the advisory's findings should treat this document as a diagnostic checklist.

What You Should Do Right Now

  • Deploy Microsoft LAPS to eliminate shared local credentials. Microsoft LAPS (Local Administrator Password Solution) automatically generates a unique local administrator password for each enrolled endpoint and stores it securely in Active Directory. This eliminates lateral movement via credential reuse across the entire Windows estate with a single deployment.
  • Audit all credential storage for plain-text secrets. Search configuration files, scripts, and code repositories for hard-coded credentials:

```bash
# Linux: scan common config paths for hard-coded secrets (case-insensitive, recursive, with line numbers)
grep -rni "password\|passwd\|secret\|api_key" /etc/ /opt/ --include="*.conf" --include="*.ini" --include="*.sh"
```

    Rotate any credentials found stored insecurely and implement a secrets management solution (HashiCorp Vault, AWS Secrets Manager, or equivalent).

  • Implement centralized SIEM logging. At minimum, collect Windows Security Event Logs (prioritize Event IDs 4624/4625 for logon events, 4648 for explicit credential use, 4698/4702 for scheduled task creation, 7045 for new service installation), network flow data, and authentication events. Ship logs to an out-of-band storage location that an attacker cannot reach from the production network.
  • Segment IT from OT at the network layer using a dedicated firewall. Place all OT devices (PLCs, HMIs, SCADA servers, historians) behind a dedicated industrial firewall or data diode with an explicit allow-list of permitted communication. Deny all traffic not explicitly permitted. ICS-specific protocols (Modbus, DNP3, EtherNet/IP, Profinet) should never traverse IT network segments without deep packet inspection.
  • Implement jump servers for all remote administrative access. All RDP, SSH, and management traffic should pass through a centralized bastion host that enforces MFA, restricts source IPs, and logs every session. No direct administrative connections should be permitted from workstations to servers, OT systems, or network devices.
  • Run CIS Benchmark assessments to address misconfigurations. The CIS Benchmarks provide specific, auditable configuration targets for Windows, Linux, network devices, and ICS/SCADA platforms. Automated compliance scanning tools (CIS-CAT, Tenable, Qualys) can identify configuration drift across large estates and prioritize the highest-risk gaps.
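Once the Event IDs listed above are arriving centrally, findings 3 and 4 become detectable: one local account authenticating remotely to many endpoints from a single source is the signature of shared local administrator credentials being reused for lateral movement. The following is an added example and not code from the advisory; the event records are constructed, with field names that follow the Windows event XML (an assumption about the SIEM export format) and timestamps simplified to epoch seconds.

```python
"""Detect reuse of one shared local administrator account across many endpoints."""
from collections import defaultdict

# Constructed events (assumption about export format): field names follow the Windows
# event XML for Security 4624 (logon) and System 7045 (service install); Time is epoch seconds.
EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "localadmin", "TargetDomainName": "WS01",
     "LogonType": 3, "IpAddress": "10.10.22.4", "Time": 100},
    {"EventID": 4624, "Computer": "WS02", "TargetUserName": "localadmin", "TargetDomainName": "WS02",
     "LogonType": 3, "IpAddress": "10.10.22.4", "Time": 130},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "svc_update", "Time": 135},
    {"EventID": 4624, "Computer": "HMI01", "TargetUserName": "localadmin", "TargetDomainName": "HMI01",
     "LogonType": 10, "IpAddress": "10.10.22.4", "Time": 170},
    {"EventID": 4624, "Computer": "WS03", "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "LogonType": 3, "IpAddress": "10.10.9.9", "Time": 180},
    {"EventID": 4624, "Computer": "WS05", "TargetUserName": "localadmin", "TargetDomainName": "WS05",
     "LogonType": 2, "IpAddress": "-", "Time": 200},
]

REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (SMB/WMI-style), 10 = RemoteInteractive (RDP)

def is_local_account(ev):
    # A local account's domain field is the host's own name; domain accounts carry the domain.
    return ev["TargetDomainName"].upper() == ev["Computer"].upper()

def shared_local_admin_reuse(events, window=600, min_hosts=3):
    """Group remote logons with a local account by (user, source IP) and flag pairs that reach
    min_hosts distinct endpoints within `window` seconds. A 7045 on a flagged host shortly after
    the logon is attached as a follow-up, which is why the advisory prioritizes that Event ID."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4624 and ev["LogonType"] in REMOTE_LOGON_TYPES and is_local_account(ev):
            by_pair[(ev["TargetUserName"].lower(), ev["IpAddress"])].append(ev)
    services = [ev for ev in events if ev["EventID"] == 7045]
    alerts = []
    for (user, src), logons in by_pair.items():
        logons.sort(key=lambda e: e["Time"])
        hosts = {e["Computer"] for e in logons}
        # Simplification: the whole burst must fit in one window; long exports need a sliding window.
        if len(hosts) < min_hosts or logons[-1]["Time"] - logons[0]["Time"] > window:
            continue
        followups = [(s["Computer"], s["ServiceName"]) for s in services
                     if any(e["Computer"] == s["Computer"] and 0 <= s["Time"] - e["Time"] <= window
                            for e in logons)]
        alerts.append({"user": user, "source": src, "hosts": sorted(hosts), "service_installs": followups})
    return alerts
```

In the constructed data, `localadmin` reaches three hosts (including an HMI) from one workstation in 70 seconds and a new service appears on one of them, so one alert is returned; the domain logon and the local console logon are ignored. After LAPS is deployed this pattern cannot occur, so any remaining hit points at an endpoint that was never enrolled.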

Background: Understanding the Risk

CISA's proactive threat hunt program — in which CISA actively searches an organization's network for threat actor presence at the organization's invitation, before a known incident occurs — is a direct response to the pattern of critical infrastructure compromises over the past decade. The model is analogous to a structural engineer inspecting a building before it fails: the goal is to find conditions that enable catastrophic outcomes before they are triggered.

IT/OT convergence — the integration of industrial control systems with corporate IT networks for operational efficiency, remote monitoring, and data analytics — has dramatically expanded the attack surface of critical infrastructure over the past fifteen years. A water treatment plant's SCADA system, which in 2005 ran on an isolated, air-gapped (physically disconnected) network accessible only on-site, may in 2025 be reachable via corporate VPN from any authorized workstation. The security controls appropriate for that transition — network segmentation, MFA, privileged access management — were often not implemented alongside the connectivity.

The findings from AA25-212A are consistent with what specialized ICS security assessors find across the sector. The advisory's value is in providing CISA's authoritative confirmation that these gaps are present, naming them specifically, and making the case for prioritization in organizations that may have treated them as non-urgent.

Conclusion

A clean threat hunt finding — no attacker present — is the best possible outcome of a CISA engagement. But the six hygiene gaps documented in AA25-212A represent exactly the preconditions that convert a commodity phishing attack into an operational disruption event. Shared administrator credentials, flat IT/OT networks, and absent centralized logging are not aspirational improvements; they are baseline security controls that should be in place before any threat actor decides to look. Organizations that recognize any of these findings in their own environment should treat this advisory as a prioritized work order, starting with LAPS deployment and IT/OT segmentation.
