From Inside Cybersecurity:

Bryson Bort, CEO of Scythe and co-founder of “ICS Village” at Def Con, noted in a statement, “TeamViewer is a common remote desktop protocol (RDP) solution in ICS and the water attack was most likely simple access with stolen credentials. Using the software means everything is visible to the user (hence, the operator saw the mouse move and settings changed). Who and why is still the question.”

Bort offered a demonstration of such an attack during an Atlantic Council event several years ago.

Featured Publications