Pro-Russia Hackers Target Water Utility in Honeypot Sting

Summary
– A Russia-aligned hacktivist group called TwoNet was tricked into attacking a honeypot disguised as a water treatment utility, publicly claiming the fake hack on Telegram.
– TwoNet used default credentials to access the honeypot’s human-machine interface and performed defacement, process disruption, manipulation, and evasion activities.
– This incident reflects a broader trend where hacktivist groups are shifting from DDoS attacks to targeting operational technology and industrial control systems.
– Researchers noted the hacktivist ecosystem is ephemeral, with groups frequently rebranding or forming new alliances while operators persist and evolve their techniques.
– Security recommendations include removing OT systems from direct internet exposure, enforcing strong authentication, and monitoring for unauthorized changes and unusual traffic.
A Russia-aligned hacktivist group recently fell into a carefully laid trap, targeting a decoy water treatment facility set up by cybersecurity specialists at Forescout. This operation revealed how such groups are shifting from basic website disruptions toward more dangerous attacks on industrial infrastructure. The group, known as TwoNet, publicly celebrated the supposed breach on Telegram, unaware they had been interacting with a controlled honeypot environment designed to study their methods.
TwoNet operatives successfully logged into the decoy system’s human-machine interface (HMI) using factory-default usernames and passwords. Once inside, they engaged in a series of disruptive actions, including defacing the login screen, deleting connected programmable logic controllers (PLCs), altering operational setpoints, and turning off logging and alarm functions to avoid detection. This incident marks the first known case where a threat actor has publicly claimed credit for an attack that occurred entirely within a research honeypot.
The TwoNet collective first appeared on the cyber scene in early 2025, initially specializing in distributed denial-of-service (DDoS) attacks. By September, the group had expanded its focus, launching a new Telegram channel to boast about its activities, including targeting operational technology (OT) and industrial control systems (ICS). Interestingly, a message from an affiliated group called CyberTroops later announced that TwoNet would cease operations on September 30, highlighting the transient and constantly rebranding nature of the hacktivist ecosystem.
Analysis of the honeypot intrusion shows it originated from an IP address linked to a German hosting provider, with no previous history of malicious use. The attacker, using a Firefox browser on a Linux system, first gained access with the common default credentials “admin/admin.” They then proceeded to probe the system’s database, created a new user account named “BARLATI,” and carried out their activities over a 20-hour period. Crucially, the intruder focused solely on the web application layer of the HMI and made no attempt to escalate privileges or compromise the underlying host server.
Cybersecurity experts have issued several key recommendations for industrial operators to defend against such tactics. Organizations should immediately remove OT systems from direct internet access and implement robust network segmentation. It is also vital to enforce strong authentication on all administrative interfaces, eliminating any default or anonymous user accounts. Deploying deep packet inspection technology can help by generating alerts for suspicious activities like password guessing, exploitation attempts, or unauthorized configuration changes.
Furthermore, security teams should monitor for unusual traffic patterns originating from OT network segments and keep an eye on devices often exploited in broader attacks, such as internet-connected cameras and routers. This case serves as a powerful reminder that claims made by hacktivist groups often mix fact with fiction. However, monitoring their communications still provides valuable intelligence about their intentions, preferred tools, target selection, and newly formed alliances.
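To make the monitoring advice above concrete, the following added example (written for this summary; it is not Forescout's code nor anything published with the article) runs a small detection pass over HMI web-application audit logs and raises alerts for the behaviours the incident description lists: password guessing, a successful login by a vendor-default account, a login from outside the OT network, creation of a new account, logging or alarms being switched off, setpoint changes, and PLC deletion. The key=value log format, event names, field names, the 10.20.0.0/16 OT range and the sample IP addresses are all assumptions constructed for the example; the account name BARLATI is the one reported in the article.

```python
"""Detection pass over HMI web-application audit logs.

The log format below is a constructed example ("TS EVENT key=value ..."), not
the format of any real HMI product; event names and field names are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the OT network lives in this range; any other source is "external".
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Vendor-default accounts that should have been removed or renamed.
DEFAULT_ACCOUNTS = {"admin", "operator", "guest", "root"}
# Settings whose change to "off" removes the operator's visibility.
SAFETY_SETTINGS = {"logging", "alarms"}
# Password-guessing threshold: this many failures from one source inside the window.
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse 'TS EVENT k=v k="v v"' into a dict; returns None for lines that do not fit."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    rec = {"ts": ts, "event": parts[1]}
    if len(parts) == 3:
        rec.update((k, v.strip('"')) for k, v in KV.findall(parts[2]))
    return rec


def is_external(ip):
    """True when the source address is not inside any configured OT network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable source: treat as untrusted
    return not any(addr in net for net in OT_NETWORKS)


def analyze(lines):
    """Return (rule, timestamp, detail) alerts for the behaviours described in the article."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ev, ts = rec["event"], rec["ts"]
        src, user = rec.get("src", ""), rec.get("user", "")
        if ev == "login_failed":
            window = [t for t in failures[src] if ts - t <= FAIL_WINDOW] + [ts]
            failures[src] = window
            if len(window) == FAIL_THRESHOLD:  # fire once when the threshold is reached
                alerts.append(("password_guessing", ts, f"{src}: {len(window)} failures"))
        elif ev == "login_ok":
            if user in DEFAULT_ACCOUNTS:
                alerts.append(("default_account_login", ts, f"{user} from {src}"))
            if is_external(src):
                alerts.append(("external_hmi_login", ts, f"{user} from {src}"))
        elif ev == "user_created":
            alerts.append(("new_account", ts, f"{rec.get('new_user')} created by {user}"))
        elif ev == "config_change" and rec.get("setting") in SAFETY_SETTINGS and rec.get("value") == "off":
            alerts.append(("visibility_disabled", ts, f"{rec['setting']} switched off by {user}"))
        elif ev == "setpoint_change":
            alerts.append(("setpoint_change", ts, f"{rec.get('tag')} -> {rec.get('value')} by {user}"))
        elif ev == "plc_deleted":
            alerts.append(("plc_deleted", ts, f"{rec.get('plc')} deleted by {user}"))
    return alerts


# Constructed sample log mirroring the sequence in the article: guessing, default login,
# new account, logging and alarms off, setpoint change, PLC deletion. IPs are documentation
# addresses; the final line is a normal operator login from inside the OT range.
SAMPLE_LOG = """\
2025-09-10T08:00:01 login_failed src=203.0.113.7 user=admin
2025-09-10T08:00:02 login_failed src=203.0.113.7 user=admin
2025-09-10T08:00:03 login_failed src=203.0.113.7 user=administrator
2025-09-10T08:00:04 login_failed src=203.0.113.7 user=root
2025-09-10T08:00:05 login_failed src=203.0.113.7 user=admin
2025-09-10T08:00:09 login_ok src=203.0.113.7 user=admin
2025-09-10T08:05:12 user_created src=203.0.113.7 user=admin new_user=BARLATI
2025-09-10T08:10:40 config_change src=203.0.113.7 user=admin setting=logging value=off
2025-09-10T08:10:45 config_change src=203.0.113.7 user=admin setting=alarms value=off
2025-09-10T09:30:00 setpoint_change src=203.0.113.7 user=BARLATI tag="Chlorine Dose" value=9.5
2025-09-10T09:31:00 plc_deleted src=203.0.113.7 user=BARLATI plc=PLC-01
2025-09-10T10:00:00 login_ok src=10.20.5.14 user=jsmith
""".splitlines()

if __name__ == "__main__":
    for rule, ts, detail in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:24} {detail}")
```

Running the block prints eight alerts for the sample log and none for the operator login at the end. In a real deployment the same rules would be fed from the HMI's own audit trail or from deep-packet-inspection alerts; the point of keeping `logging` and `alarms` in `SAFETY_SETTINGS` is that a change to either must be alerted on from a system the HMI user cannot switch off, since the intruder in this case turned both off precisely to hide the later setpoint and PLC changes.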
(Source: Info Security)