The biggest threat to critical infrastructure isn’t sophisticated malware; it’s the password you forgot to rotate.
This week I read Hudson Rock’s findings and had the same reaction I’ve had in too many incident war rooms: we keep preparing for the complex attack, and we keep getting hurt by the basic one.
A single actor operating as Zestix / Sentap accessed roughly 50 global enterprises across aviation, robotics, utilities, government infrastructure, telecoms, and defense. The data now sits on dark web forums.
No zero-days. No novel exploits.
Just valid usernames and passwords harvested by commodity infostealers and used against organizations that failed to enforce MFA, rotate credentials, or invalidate sessions.
Some of those credentials were years old.
They still worked.
This is not “a breach.” It’s a governance gap.
When a credential harvested in 2021 can still unlock a system in 2026, the failure isn’t your endpoint stack.
It’s governance.
Because someone, somewhere, made three silent decisions and never revisited them:
- Who has access (and whether that access is still justified)
- Where critical data lives (and which third parties quietly hold it)
- How fast trust is revoked (when people leave, devices get infected, or vendors change)
Attackers have adapted to the way we manage identity and suppliers:
- We assume “old credentials” are low risk.
- We treat vendor access like a procurement checkbox.
- We mistake compliance artifacts for operational resilience.
They don’t need to be faster than us.
They just need us to forget and stay forgotten.
Who got hit and why it matters
These were not obscure startups. These were enterprises holding critical infrastructure artifacts: the kind of material that turns cyber risk into physical risk.
- Pickett and Associates (US): engineering support to major utilities. 139 GB reportedly compromised, including LiDAR and mapping tied to transmission corridors and substations.
- CRRC MA (US): rail manufacturer supporting metro operations. Exposed SCADA access references, coordinates, and technical data.
- Intecro Robotics (Turkey): defense-linked exposure, including sensitive design artifacts.
- Iberia Airlines (Spain): aviation maintenance and airworthiness records reportedly exfiltrated.
- Multiple ISPs: network configurations that function as an adversary’s blueprint.
Here’s the part leaders miss:
The target isn’t always the utility, airline, or rail operator.
The target is the ecosystem that holds the same crown jewels with weaker controls.
The playbook is painfully simple
I’ve seen this pattern repeat across regions and sectors because it exploits the same human and operational realities.
- A user gets hit with commodity malware (RedLine-, Lumma- or Vidar-class infostealers).
- Credentials are pulled from browsers, cached sessions, and password stores.
- Logs are aggregated and sold.
- Months, sometimes years, later an actor uses the still-valid access.
- Data leaves through the front door.
The tragedy isn’t sophistication.
It’s banality.
Why your perimeter no longer matters
Your “crown jewels” rarely live only inside your perimeter.
They live in:
- contractor file shares
- vendor portals
- engineering collaboration platforms
- managed service environments
- third-party cloud tenants
So when a supplier is compromised, your SOC can be perfect and still irrelevant.
Because the data exits through a door you don’t control.
That’s not “third-party risk” in theory.
That’s operational dependence in practice.
The exposure is wider than this one actor
Hudson Rock’s broader dataset suggests credential exposure across thousands of organizations, including major brands and government-linked entities.
That matters because Zestix behaves like an initial access broker: access is harvested, packaged, and sold to whoever wants to take the next step.
Which means today’s “minor credential leak” becomes tomorrow’s ransomware, espionage, or disruption campaign.
What I want boards and CISOs to demand now
Not a new framework. Not a new dashboard.
A few non-negotiables executed brutally well:
1) MFA everywhere, no exceptions. If a vendor can’t support MFA, they can’t hold your sensitive data.
2) Credential age is a risk metric. Know how old service accounts and contractor credentials are. Rotate aggressively, and move service accounts to short-lived or managed credentials wherever the platform allows it.
3) Inventory where critical data actually lives. Engineering files, SCADA documentation, infrastructure maps: which vendors hold what?
4) Monitor infostealer exposure. Assume your organization is already in stealer logs. Find out before adversaries do.
5) Invalidate sessions like you mean it. A credential harvested three years ago should not work today, ever. Rotating the password alone is not enough: stealers also lift session cookies and tokens, and those stay valid until you revoke them.
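The playbook above and points 2, 4 and 5 come down to one question: for each credential that has surfaced in a stealer log, would it still work today? The script below is an added example, not code from the original post or from Hudson Rock. It takes a constructed account inventory (last password change, MFA state) and a constructed stealer-log excerpt in the common `url|username|password` shape, keeps only hosts under the organization’s own domains, and flags every leaked credential whose password has not been rotated since the capture date. The log format, domains, usernames and passwords are all assumptions made up for the example; real stealer logs vary in layout, so the parser is specific to this sample.

```python
"""Stale-credential exposure check (added example; constructed data only)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Constructed inventory, as an IAM export might provide it (assumption: it carries
# the date of the last password change and whether MFA is enforced).
ACCOUNTS: dict[str, dict] = {
    "j.doe@example-utility.com": {"type": "employee", "mfa": True, "pw_changed": date(2025, 9, 1)},
    "svc-scada-export": {"type": "service", "mfa": False, "pw_changed": date(2021, 3, 14)},
    "vendor.ops@contractor.example": {"type": "contractor", "mfa": False, "pw_changed": date(2022, 6, 30)},
}

# Constructed: only hosts under these domains are in scope.
CORPORATE_DOMAINS = ("example-utility.com",)

# Constructed stealer-log excerpt: capture date, then url|username|password.
# Every password here is fake; one line is deliberately malformed.
STEALER_LOG = """\
2021-11-02 https://portal.example-utility.com/login|svc-scada-export|Summer2021!
2021-11-02 https://vpn.example-utility.com/|j.doe@example-utility.com|hunter2
2023-01-19 https://files.example-utility.com/share|vendor.ops@contractor.example|Welcome1
2023-01-19 https://accounts.google.com/|someone@gmail.com|not-our-problem
garbage line that should be skipped
"""


@dataclass(frozen=True)
class Leak:
    captured: date
    host: str
    username: str


@dataclass(frozen=True)
class Finding:
    username: str
    host: str
    captured: date
    age_days: int
    password_still_live: bool
    mfa: bool
    severity: str


def parse_stealer_log(text: str) -> list[Leak]:
    """Parse the constructed format; malformed lines are skipped rather than fatal."""
    leaks: list[Leak] = []
    for raw in text.splitlines():
        try:
            stamp, rest = raw.split(" ", 1)
            url, user, _password = rest.split("|", 2)  # never store the password
            captured = date.fromisoformat(stamp)
        except ValueError:
            continue
        host = urlsplit(url).hostname or ""
        if host and user.strip():
            leaks.append(Leak(captured, host.lower(), user.strip()))
    return leaks


def is_corporate(host: str) -> bool:
    """True for a corporate domain or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def assess(leaks: list[Leak], accounts: dict[str, dict], today: date) -> list[Finding]:
    """Rank each in-scope leak by whether the credential would still work today."""
    findings: list[Finding] = []
    for leak in leaks:
        if not is_corporate(leak.host):
            continue
        acct = accounts.get(leak.username)
        if acct is None:
            continue  # not in inventory (ex-employee? local account?): triage by hand
        # The password is still live unless it was changed after the log was captured.
        live = acct["pw_changed"] <= leak.captured
        if live and not acct["mfa"]:
            severity = "critical"  # one login form away from access
        elif live:
            severity = "high"      # MFA is the only barrier left
        else:
            severity = "info"      # rotated since capture; still confirm sessions were revoked
        findings.append(Finding(leak.username, leak.host, leak.captured,
                                (today - leak.captured).days, live, acct["mfa"], severity))
    findings.sort(key=lambda f: ("critical", "high", "info").index(f.severity))
    return findings


if __name__ == "__main__":
    for f in assess(parse_stealer_log(STEALER_LOG), ACCOUNTS, date(2026, 1, 15)):
        print(f"{f.severity:8} {f.username:32} {f.host:32} leaked {f.age_days} days ago, mfa={f.mfa}")
```

Run as-is, the two accounts whose passwords predate the capture date and have no MFA come out as critical, the rotated employee account drops to informational, and the Google line is ignored as out of scope. Swap in a real IAM export and a real exposure feed and the same logic gives you the credential-age metric from point 2 as a ranked list rather than a policy sentence.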
The takeaway I keep repeating
In 2026, attackers aren’t breaking down doors.
They’re walking through the ones we forgot to lock.
If your critical infrastructure data sits in a vendor’s cloud portal protected only by a password, you are one infostealer infection away from a headline.
Question for leaders: what third-party access points in your ecosystem would fail this test today?