Cyber Incident Victim: Sage Water Resources
Date:
Mar 2026
Location:
United States of America
Summary
Sage Water Resources detected unauthorized activity on its programmable logic control system at a salt water disposal facility, which forensic analysis linked to an advanced nation‑state threat actor conducting a broader campaign against U.S. energy and water infrastructure. Detection and response prevented physical or environmental damage, allowing the logic to be restored and the network hardened with a virtual private network. The company transitioned from a legacy configuration to a PLC/VPN setup, resumed operations, and continues to pursue growth emphasizing safety, environmental stewardship, data security, regulatory compliance, and tribal advocacy.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 15, 2026, Sage Water Resources detected unauthorized activity on the programmable logic controller at its salt water disposal facility in Duchesne, Utah. An early morning truck driver noticed irregularities and alerted the operations team, which initiated an immediate investigation. Forensic analysis conducted with federal law enforcement and cybersecurity experts determined that the activity constituted malicious logic manipulation carried out by an advanced nation‑state threat actor. The incident was consistent with a broader campaign targeting critical infrastructure operators in the United States energy and water sectors.
The unauthorized logic changes were identified and mitigated before they could produce physical or environmental damage, allowing the PLC operational logic to be restored. Following the restoration, Sage Water Resources implemented an extensive virtual private network to protect the PLC environment. As part of the recovery, the company transitioned its network configuration from the legacy setup referred to as 'Chevy' to a more advanced PLC/VPN configuration described as 'Cadillac'. The response involved coordination with federal agencies, the automation firm Sasquatch Automation, and other responding agencies that supported the forensic investigation and hardening efforts.
Sage Water Resources confirmed that its systems are fully operational following the incident. The company stated that it is actively pursuing new growth opportunities in the Uinta Basin.