How a boring engineering firm became the backdoor to critical infrastructure
Another day, another breach. This time it is Pickett & Associates, a US utilities engineering firm. You might think, “So what? Who cares about LIDAR data?” Well, the Russian forums buying it certainly do. This is not just about stolen blueprints; it is a textbook supply chain upleveling attack. While you were busy fortifying the front door of the power plant, bad actors walked in through the architect’s window. Initial access brokers like ‘Zestix’ snarfed credentials from systems lacking multi-factor authentication, turning a boring engineering firm into a springboard for critical infrastructure disruption. If your third-party access relies on shared passwords, you are not just vulnerable; you are already compromised.
The Blueprint to Disaster
Let’s get into the weeds of the Pickett & Associates breach, because the mechanics — detailed in a report by Hudson Rock — are frankly embarrassing. We aren’t talking about a sophisticated zero-day exploit that cost millions to develop. An initial access broker going by the handle ‘Zestix’ simply utilized commodity infostealer malware to scrape credentials. They walked right into unsecured instances of ShareFile, OwnCloud, and Nextcloud. Why was this effective? Because there was no multi-factor authentication. These systems were left completely naked on the internet. It is the digital equivalent of leaving your keys in the front door lock because taking them out of your pocket feels like too much work. You essentially laid out a welcome mat for the bad actors to stroll in and take what they wanted.
Now, look at the loot. The dumps contained GIS layouts, LIDAR data, and physical line locations. To a commercial spy or a credit card thief, this stuff is a cure for insomnia. It’s boring. But to a military strategist or a saboteur? It is a goldmine. This is the precise targeting data required to cripple a region’s power grid. As we discussed in our session on Nation State Attacks on Critical Infrastructure, these actors are actively moving from mere espionage to pre-positioning for physical disruption. They don’t need to scan your network to find the critical nodes; they are reading your own engineering schematics to find the weak points. If you think ‘nobody cares about my boring maps,’ you are dangerously naive. Security by obscurity is officially dead when your blueprints are currently on sale in a Russian forum.
The Supply Chain Springboard
According to the Hudson Rock report, the mechanics of this breach were depressingly simple. An initial access broker known as ‘Zestix’ didn’t need zero-day exploits or elite hacking tools. They simply utilized commodity infostealer malware to scrape credentials from unsecured instances of ShareFile, OwnCloud, and Nextcloud.
Crucially, this was only possible because these systems lacked multi-factor authentication. It is the digital equivalent of installing a steel vault door but leaving the key under the welcome mat. When engineering firms and their clients use shared passwords to collaborate on large files, they aren’t collaborating; they are co-conspiring to fail.
This creates the perfect conditions for an upleveling attack. Why would a bad actor bang their head against the heavily fortified firewalls of Tampa Electric or Duke Energy? It is infinitely easier to pivot through the engineering firm they hired. As highlighted in NIST Special Publication 800-161, supply chain risk management is critical because vendors are effectively trusted insiders. By compromising Pickett, the attackers bypassed the perimeter defences of the critical infrastructure providers entirely. As we’ve discussed regarding Porous Perimeters, your security is only as strong as the weakest link in your supply chain.
Large organisations often ignore this, treating vendor security as a checkbox exercise until it’s too late. The stolen data — GIS layouts, LIDAR scans, and line locations — might look dull to a commercial spy, but it is a goldmine for military strategists. This is the blueprint for kinetic sabotage. We warned about this in our analysis of Nation State Attacks: industrial interfaces are fragile targets. Security by obscurity is officially dead when your blueprints are on sale in a Russian forum.
Identity is the Only Fortress
The attackers didn’t need to smash through Duke Energy’s front gate; they used the engineering firm as a ladder to hop the fence. This is a classic ‘upleveling’ attack, where bad actors compromise a smaller, softer target to pivot into a hardened network. If you are still relying on shared passwords or legacy VPNs to manage third-party access, you are rolling out a red carpet for them. These technologies are broken, unsafe, and a dumpster fire of security debt.
Large organisations often ignore vendor security posture until the breach headlines hit, treating engineering firms like trusted insiders without the oversight. NIST Special Publication 800-161 warns against this, emphasising that supply chain risks are your risks. The solution isn’t a better firewall; it is porous perimeters require a total shift to Zero Trust.
You must mandate Single Sign-On and robust Multi-Factor Authentication. Never issue new passwords to third parties. They should bring their own identity — be it Microsoft or Google — which you then authorise. This is where Agilicus AnyX steps in. It acts as a bouncer, an Identity-Aware Proxy that verifies who is knocking before they ever see the application, whether it’s ShareFile or an internal GIS tool.
As I noted in Hard Industrial Cybersecurity, complex policies just lead to sticky notes on monitors. Convenience and security must coexist. By using AnyX, you eliminate the friction of VPNs while enforcing precise authorisation. This segmentation is the only way to limit the blast radius when a vendor inevitably gets pwned, ensuring that a compromised blueprint designer doesn’t become an admin on your power grid.
Conclusions
The Pickett breach proves that ‘obscurity’ is not a security strategy. Your physical layout data is now public domain for anyone with a few crypto coins. This incident highlights a fatal flaw in critical infrastructure defence: the reliance on third-party vendors with weak security hygiene. It is time to stop pretending that firewalls and shared passwords work. You need to implement Single Sign-On and robust multi-factor authentication for everyone, especially external partners. Adopt a Zero Trust architecture like Agilicus AnyX, or accept that your network is as secure as a screen door on a submarine. The choice is yours, but remember: the bad actors are not taking holidays.