
Hacktivists Breach Decoy Infrastructure in Cyber Attack

Summary

– Pro-Russian hacktivist group TwoNet shifted from DDoS attacks to targeting critical infrastructure, including a water treatment facility that was actually a decoy system.
– In the honeypot attack, TwoNet gained initial access using default credentials and escalated to disruptive actions within about 26 hours, creating a user account and exploiting vulnerabilities.
– The group disabled real-time updates and altered PLC setpoints in the HMI, focusing on the web application layer without attempting privilege escalation or host exploitation.
– TwoNet’s activities expanded to include publishing personal data of officials, offering cybercrime services, and targeting HMI/SCADA interfaces in “enemy countries” via their Telegram channel.
– Forescout recommends securing critical infrastructure with strong authentication, network segmentation, IP-based access controls, and protocol-aware detection to mitigate such threats.

A pro-Russian hacktivist group known as TwoNet has significantly escalated its cyber operations, transitioning from basic distributed denial-of-service (DDoS) campaigns to targeting essential infrastructure systems. In a recent incident, the group claimed responsibility for an attack on a water treatment facility, which cybersecurity experts later identified as a sophisticated honeypot, a deliberately exposed decoy system designed to monitor and analyze malicious behavior. This breach, which took place in September, demonstrated the group’s rapid operational tempo, moving from initial system access to disruptive actions in just over a day.

Researchers from Forescout, a firm specializing in enterprise and industrial cybersecurity, observed TwoNet’s activities within the simulated water treatment environment. The attackers first gained entry at 8:22 AM by testing default login credentials. Throughout that initial day, they worked to identify and access system databases, succeeding on their second try after entering the correct SQL queries. Following this, the intruders established a new user account named “Barlati” and publicly announced their presence by exploiting a known cross-site scripting flaw, identified as CVE-2021-26829. They used this vulnerability to trigger a pop-up alert on the human-machine interface (HMI) with the message, “Hacked by Barlati.”

The group’s actions went beyond mere intrusion. Unaware they had entered a controlled research environment, the hackers took steps to disrupt normal operations. They disabled real-time data updates by removing connected programmable logic controllers (PLCs) from the system’s data sources and altered PLC setpoints via the HMI. According to Forescout, the attackers concentrated solely on the web application layer of the HMI and did not attempt to escalate privileges or compromise the underlying host. The final login from the intruder was recorded the next day at 11:19 AM.

TwoNet originally emerged as one of several pro-Russian collectives conducting DDoS attacks against entities supporting Ukraine. However, their activities have since broadened. On their Telegram channel, the group expressed intent to target HMI and SCADA interfaces belonging to critical infrastructure in what they term “enemy countries.” They have also leaked personal information belonging to intelligence and police personnel and advertised various cybercrime services, including ransomware-as-a-service, hacker-for-hire arrangements, and initial access to SCADA systems in Poland. This evolution aligns with a wider trend among hacktivist groups shifting from conventional DDoS and website defacement toward operational technology and industrial control system operations.

To defend against such threats, Forescout advises critical infrastructure operators to adopt robust authentication measures and avoid exposing industrial systems directly to the public internet. Implementing proper network segmentation, along with IP-based access controls for administrative interfaces, can help contain intruders even if they breach corporate networks. Additionally, deploying protocol-aware monitoring systems that detect exploitation attempts and unauthorized HMI modifications can provide early warning and mitigate potential damage.

(Source: Bleeping Computer)
