In a stark demonstration of evolving cyber threats, pro-Russian hacktivist group TwoNet recently targeted a water treatment facility—only to discover it was an elaborate decoy. Cybersecurity firm Forescout designed this honeypot to monitor adversaries, and the September breach revealed how quickly hacktivists can pivot from basic attacks to disruptive actions against critical infrastructure. Within 26 hours of initial access, TwoNet attempted to sabotage operations by disabling alarms and altering industrial control parameters, unaware they were under scrutiny.

The Anatomy of a Honeypot Compromise

Forescout researchers observed TwoNet gaining entry at 8:22 AM using default credentials, a common but effective tactic against poorly secured systems. The group then spent hours enumerating databases, eventually succeeding with tailored SQL queries. They created a new user account named 'Barlati' and exploited a known cross-site scripting vulnerability (CVE-2021-26829) to display a pop-up message: 'Hacked by Barlati' on the human-machine interface (HMI). More alarmingly, they moved to disable real-time updates by removing connected programmable logic controllers (PLCs) from the data source and changing PLC setpoints—actions that could cause physical disruptions in a real facility.

"The attacker did not attempt privilege escalation or exploitation of the underlying host, focusing exclusively on the web application layer of the HMI," noted Forescout. This narrow focus suggests a blend of opportunism and growing capability, as they bypassed deeper system exploitation for immediate, high-impact meddling.

From DDoS to SCADA Sabotage: TwoNet's Dangerous Evolution

Initially known for distributed denial-of-service (DDoS) attacks against Ukraine-aligned entities, TwoNet has rapidly expanded its arsenal. Forescout uncovered the group's Telegram channel, where they bragged about targeting HMI and SCADA interfaces in 'enemy countries' and offered ransomware-as-a-service, hacker-for-hire schemes, and initial access to Polish industrial systems. This shift mirrors a broader trend among hacktivists leveraging geopolitical tensions to monetize attacks on operational technology (OT).

Why This Matters for Cybersecurity Defenses

The incident underscores several critical risks:
- Speed of Attack: Moving from access to disruption in under 26 hours leaves little margin for defense.
- Honeypot Value: Deception technologies like this decoy plant provide invaluable intelligence on attacker tactics, helping refine real-world protections.
- OT Vulnerabilities: Many industrial systems remain exposed due to weak authentication and internet-facing interfaces.

Forescout recommends urgent mitigations:
1. Enforce strong, unique credentials and remove system exposure to the public web.
2. Implement network segmentation and IP-based access controls to limit lateral movement.
3. Deploy protocol-aware monitoring to detect exploitation attempts or HMI changes early.
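As an added example (not code from the article or from Forescout), the following Python detector runs over constructed HMI audit-log lines that mirror the sequence described above: a default-account login, database schema enumeration, creation of a new HMI user, removal of a PLC data source and a setpoint change. The log format, event names and the list of default accounts are assumptions for the demo; it also reports the elapsed time from first access to the first disruptive change, the metric the article highlights.

```python
import re
from datetime import datetime

# Constructed sample HMI audit log (not real Forescout data); assumed format: "<date> <time> <EVENT> key=value ..."
SAMPLE_LOG = """\
2025-09-10 08:22:00 LOGIN user=admin result=success
2025-09-10 09:15:31 QUERY user=admin sql="SELECT name FROM sqlite_master"
2025-09-10 11:40:02 USER_CREATE user=admin new_user=Barlati
2025-09-11 09:52:00 DATASOURCE_REMOVE user=Barlati plc=plc-01
2025-09-11 10:03:44 SETPOINT_CHANGE user=Barlati tag=pump1.speed old=60 new=95
"""

DEFAULT_ACCOUNTS = {"admin", "operator"}          # assumed vendor default accounts for this demo
DISRUPTIVE_EVENTS = {"DATASOURCE_REMOVE", "SETPOINT_CHANGE"}
SCHEMA_TABLES = re.compile(r"sqlite_master|information_schema", re.I)
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) ?(.*)$")

def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, rest = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    return {"ts": when, "event": event, **fields}

def analyze(log_text):
    """Return (alerts, hours from first successful login to first disruptive change)."""
    alerts, first_access, first_disruption = [], None, None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "LOGIN" and rec.get("result") == "success":
            first_access = first_access or rec["ts"]
            if rec.get("user") in DEFAULT_ACCOUNTS:          # default credentials in use
                alerts.append(("DEFAULT_ACCOUNT_LOGIN", rec["ts"], rec["user"]))
        elif rec["event"] == "QUERY" and SCHEMA_TABLES.search(rec.get("sql", "")):
            alerts.append(("SCHEMA_ENUMERATION", rec["ts"], rec.get("user")))
        elif rec["event"] == "USER_CREATE":                   # new HMI account appeared
            alerts.append(("NEW_HMI_USER", rec["ts"], rec.get("new_user")))
        elif rec["event"] in DISRUPTIVE_EVENTS:               # PLC removed or setpoint altered
            alerts.append((rec["event"], rec["ts"], rec.get("plc") or rec.get("tag")))
            first_disruption = first_disruption or rec["ts"]
    hours = (first_disruption - first_access).total_seconds() / 3600 if first_access and first_disruption else None
    return alerts, hours
```

In a real deployment the same checks would be fed from the HMI's own audit trail or a protocol-aware sensor, and the default-account list from the vendor documentation.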

As hacktivists blur lines between ideological hacking and profit-driven cybercrime, this honeypot breach serves as a wake-up call: Critical infrastructure defenders must assume attackers are already probing their systems and prioritize layered, proactive security—before a real facility becomes the next victim.

Source: BleepingComputer