Pro-Russian Hacktivist Group TwoNet Compromises Water Treatment Facility Honeypot
Pro-Russian hacktivist group TwoNet recently targeted what they believed to be a real water treatment facility, which was in fact a sophisticated honeypot set up by cybersecurity researchers at Forescout. The group, previously known for distributed denial-of-service (DDoS) attacks, has shifted its focus to targeting operational technology (OT) in critical infrastructure, marking a significant escalation in their tactics. TwoNet gained initial access to the decoy plant by exploiting default credentials on the human-machine interface (HMI), specifically using 'admin/admin' to log in. Once inside, the attackers attempted to enumerate databases and succeeded after refining their SQL queries, demonstrating a methodical approach to reconnaissance. They created a new user account named 'Barlati' and exploited a known cross-site scripting (XSS) vulnerability, CVE-2021-26829, to display a defacement message on the HMI. Beyond defacement, TwoNet engaged in actions intended to disrupt plant operations, including disabling real-time process updates by removing programmable logic controllers (PLCs) from the data source list and altering PLC setpoints, which could have had dangerous consequences in a real facility. The attackers also attempted to disable logs and alarms, further indicating their intent to cause operational disruption and evade detection. Forescout researchers observed that the attackers did not attempt privilege escalation or exploitation of the underlying host, focusing their efforts on the web application layer. The entire attack sequence, from initial access to disruptive action, unfolded in approximately 26 hours, highlighting the group's efficiency and determination. TwoNet publicly claimed responsibility for the attack on their Telegram channel, falsely asserting it was a successful breach of real critical infrastructure. 
This incident is notable as it is the first time a hacktivist group has claimed an attack that researchers can confirm occurred on a honeypot. The event underscores the evolution of Russian hacktivism from DDoS attacks to more sophisticated OT intrusions with potential physical-world consequences. Security experts, including those from Deepwatch, have warned that such activities represent a growing asymmetric warfare capability, with hacktivist groups seeking to establish reputations as credible threats to critical infrastructure. The attack also involved attempts to manipulate the Modbus protocol, a common industrial control system protocol, further demonstrating the attackers' technical knowledge. While there is no direct evidence linking TwoNet's actions to Russian state direction, their tactics and public claims serve to amplify their perceived threat. The incident provides valuable insight into the methods and motivations of modern hacktivist groups targeting critical infrastructure. It also highlights the importance of honeypots in understanding adversary behavior and improving defensive measures for real-world OT environments. The rapid progression from access to disruption in this case serves as a warning to operators of critical infrastructure about the need for robust security controls and monitoring.
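The intrusion chain described above (a successful login with default credentials, a new user created for persistence, a PLC removed from the HMI data-source list, a setpoint changed, then logging and alarms disabled) maps onto discrete events that an HMI audit log would record. The Python below is an added example, not Forescout's or Mallory's code: it correlates such events per source address over a 26-hour window and raises an alert once enough stages of the chain are present. The log format, event names, weights and the sample lines are constructed assumptions for the example.

```python
"""Correlate HMI audit-log events into the hacktivist OT intrusion chain.

Added example; not the honeypot's or Forescout's code. Log format, event
names, weights and sample data are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <ISO-8601 timestamp> <source IP> <EVENT> key=value ...
SAMPLE_LOG = """\
2025-09-01T10:02:11Z 203.0.113.7 LOGIN_OK user=admin
2025-09-01T10:05:40Z 203.0.113.7 DB_QUERY status=error
2025-09-01T10:09:02Z 203.0.113.7 DB_QUERY status=ok
2025-09-01T11:30:15Z 203.0.113.7 USER_CREATE user=barlati role=operator
2025-09-02T11:40:00Z 203.0.113.7 DATASOURCE_REMOVE plc=PLC-1
2025-09-02T11:41:12Z 203.0.113.7 SETPOINT_WRITE plc=PLC-1 tag=chlorine_sp old=1.5 new=4.0
2025-09-02T11:45:33Z 203.0.113.7 LOGGING_DISABLE scope=process
2025-09-02T11:46:01Z 203.0.113.7 ALARM_DISABLE scope=all
2025-09-01T08:00:00Z 192.168.10.5 LOGIN_OK user=operator1
2025-09-01T08:10:00Z 192.168.10.5 SETPOINT_WRITE plc=PLC-2 tag=flow_sp old=12 new=13
"""

# Built-in/vendor accounts whose successful login means a default credential is still live.
DEFAULT_ACCOUNTS = {"admin", "root", "operator", "guest"}

# Stages of the chain and how much each contributes to the per-source score.
WEIGHTS = {
    "DEFAULT_CRED_LOGIN": 3,
    "USER_CREATE": 2,
    "DATASOURCE_REMOVE": 4,
    "SETPOINT_WRITE": 3,
    "LOGGING_DISABLE": 4,
    "ALARM_DISABLE": 4,
}
WINDOW = timedelta(hours=26)   # the honeypot intrusion ran access-to-disruption in ~26 h
ALERT_THRESHOLD = 10           # assumed: at least three distinct stages from one source


def parse_line(line):
    """Split one audit line into a dict of timestamp, source, event and key=value fields."""
    ts, src, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "event": event,
        **fields,
    }


def classify(rec):
    """Map a raw record to a chain stage, or None if it is not of interest."""
    if rec["event"] == "LOGIN_OK" and rec.get("user") in DEFAULT_ACCOUNTS:
        return "DEFAULT_CRED_LOGIN"
    if rec["event"] in WEIGHTS:
        return rec["event"]
    return None


def correlate(log_text):
    """Score each source IP over a sliding WINDOW; distinct stages count once each."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stage = classify(rec)
        if stage:
            per_src[rec["src"]].append((rec["ts"], stage))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best_score, best_stages = 0, set()
        for i, (t0, _) in enumerate(events):
            stages = {stage for t, stage in events[i:] if t - t0 <= WINDOW}
            score = sum(WEIGHTS[s] for s in stages)
            if score > best_score:
                best_score, best_stages = score, stages
        if best_score >= ALERT_THRESHOLD:
            alerts[src] = {"score": best_score, "stages": sorted(best_stages)}
    return alerts


if __name__ == "__main__":
    for src, detail in correlate(SAMPLE_LOG).items():
        print(src, detail)
```

On the sample data the external source accumulates all six stages inside the window and is alerted, while the internal operator's single legitimate setpoint change stays below the threshold. The failed-then-successful `DB_QUERY` lines are deliberately ignored here; they would be a useful low-severity signal on their own but are not part of the scored chain.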
Timeline
Oct 9, 2025
Forescout discloses honeypot operation and warns of OT escalation
On October 9, 2025, Forescout publicly reported that TwoNet had attacked its water-treatment honeypot and highlighted the group's evolution from DDoS activity to attempted OT disruption. The company warned that similar tradecraft against real critical infrastructure could be highly disruptive and recommended stronger authentication, segmentation, restricted exposure, and protocol-aware monitoring.
Sep 3, 2025
TwoNet falsely claims on Telegram to have attacked a real water utility
After compromising the decoy environment, TwoNet publicly portrayed the incident on Telegram as a successful attack on real critical infrastructure. The claim was false because the target was a researcher-operated fake water treatment facility.
Sep 2, 2025
TwoNet disrupts honeypot operations within about 26 hours
Roughly 26 hours after gaining access, the attackers removed PLCs from the HMI data source list, changed PLC setpoints, and attempted to disable logs and alarms. Researchers characterized the sequence as a rapid progression from access to disruptive OT-style actions.
Sep 2, 2025
Attackers enumerate systems, create user, and exploit HMI XSS flaw
After initial access, TwoNet enumerated databases, created a new user account for persistence, and exploited a known stored XSS vulnerability, CVE-2021-26829, to deface the HMI. Forescout assessed that the activity remained focused on the HMI web application layer rather than host-level compromise or privilege escalation.
Sep 1, 2025
TwoNet breaches water-treatment honeypot using default HMI credentials
In September 2025, TwoNet accessed what it believed was a water treatment facility by logging into the HMI with default credentials such as admin/admin. The environment was actually a realistic honeypot created by researchers to observe adversary behavior.
Sep 1, 2025
TwoNet advertises interest in SCADA and HMI targets on Telegram
Before the honeypot incident, TwoNet's Telegram activity showed interest in targeting HMI/SCADA interfaces in 'enemy countries' and offering cybercrime services, including claimed access to SCADA systems in Poland. Researchers cited this as evidence of the group's shift toward OT-related targeting.
Jan 1, 2025
TwoNet operates mainly as a DDoS-focused hacktivist group
Earlier in 2025, Intel 471 assessed the pro-Russian group TwoNet as primarily focused on DDoS activity, including use of MegaMedusa Machine malware. Later reporting said the group began trying to rebrand as a broader cybercrime operation.
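Forescout's recommendation of protocol-aware monitoring, together with the Modbus manipulation attempts mentioned above, points at a concrete control: inspect Modbus/TCP requests on the OT network and flag write function codes that do not come from an approved engineering host. The Python below is an added example, not code from Forescout or the honeypot: it decodes the MBAP header and function code of constructed request frames and reports unauthorized or malformed writes. The allowlist, unit IDs and sample traffic are assumptions for the example.

```python
"""Flag Modbus/TCP write requests from hosts outside a write allowlist.

Added example; not Forescout's or the honeypot's code. The MBAP header and
function-code layout follow the Modbus/TCP specification; the allowlist and
sample frames are constructed assumptions for illustration.
"""
import struct

# Function codes that change PLC state (coils, holding registers).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
# Assumed: only the engineering workstation may write to PLCs.
WRITE_ALLOWLIST = {"192.168.10.5"}


def parse_modbus_tcp(frame):
    """Decode MBAP header (tid, pid, length, unit) plus the PDU function code.

    Raises ValueError for frames that are not well-formed Modbus/TCP.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # MBAP length counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func = frame[7]
    pdu = frame[8:]
    info = {"tid": tid, "unit": unit, "function": func}
    if func in (5, 6) and len(pdu) >= 4:
        addr, value = struct.unpack(">HH", pdu[:4])
        info.update(address=addr, value=value)
    elif func in (15, 16) and len(pdu) >= 4:
        addr, qty = struct.unpack(">HH", pdu[:4])
        info.update(address=addr, quantity=qty)
    return info


def build_request(tid, unit, func, payload):
    """Build a Modbus/TCP request frame (used only to construct sample traffic)."""
    pdu = bytes([func]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source IP, raw frame). Not captured data.
SAMPLE_TRAFFIC = [
    ("192.168.10.5", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),     # read holding registers
    ("192.168.10.5", build_request(2, 1, 6, struct.pack(">HH", 40, 1300))),  # permitted setpoint write
    ("203.0.113.7", build_request(3, 1, 6, struct.pack(">HH", 40, 4000))),   # setpoint write, unknown host
    ("203.0.113.7", build_request(4, 1, 16,
        struct.pack(">HHB", 40, 2, 4) + struct.pack(">HH", 4000, 0))),      # multi-register write
    ("203.0.113.7", build_request(5, 1, 4, struct.pack(">HH", 0, 1))),       # read input registers
    ("203.0.113.7", b"\x00\x06\x00\x00\x00\x02\x01"),                         # truncated frame
]


def find_unauthorized_writes(traffic):
    """Return findings for write requests from non-allowlisted hosts and malformed frames."""
    findings = []
    for src, frame in traffic:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            findings.append({"src": src, "issue": "malformed: %s" % exc})
            continue
        if req["function"] in WRITE_FUNCTIONS and src not in WRITE_ALLOWLIST:
            detail = {k: v for k, v in req.items() if k in ("unit", "address", "value", "quantity")}
            findings.append({"src": src,
                             "issue": "unauthorized %s" % WRITE_FUNCTIONS[req["function"]],
                             **detail})
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized_writes(SAMPLE_TRAFFIC):
        print(finding)
```

Read-only requests from any host pass silently, the workstation's own setpoint write is accepted, and the two writes from the unknown address are reported with the register address and value so an operator can compare them against the expected setpoint range. The truncated frame is reported as malformed rather than dropped, since a monitor that silently discards what it cannot parse is easy to blind.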
Related Stories

Pro-Russian TwoNet Hacktivists Fabricate Water Utility Attacks by Targeting Security Honeypots
A pro-Russian hacktivist group known as TwoNet falsely claimed responsibility for hacking a Western water treatment plant, when in reality, their attack targeted a honeypot system set up by security researchers at Forescout. The group boasted on Telegram about their supposed success, including defacing a human-machine interface (HMI) login page with a message, but Forescout confirmed that the system was a decoy designed to attract and study attackers. TwoNet's intrusion originated from an IP address registered to a German hosting provider, which had little prior association with malicious activity. The attackers gained access to the HMI using default credentials ('admin'/'admin'), highlighting the ongoing risk posed by weak authentication practices in critical infrastructure environments. After gaining access, the attacker executed SQL queries to enumerate the database schema and created a new user account under the alias "BARLATI." The group then exploited a known vulnerability, CVE-2021-26829, to alter the login page and display their defacement message. Forescout's analysis revealed that TwoNet's claims of compromising operational technology were fabricated, as the only system affected was the research honeypot. The incident underscores the ephemeral nature of hacktivist groups, with TwoNet ceasing operations by the end of September and its main Telegram handles going dark. Despite the group's short lifespan, the event serves as a warning that even unsophisticated actors can generate significant media attention and potentially influence public perception by fabricating attacks. Forescout emphasized that such groups often rebrand or join other collectives, maintaining a persistent threat to critical infrastructure. The use of honeypots by defenders remains a valuable tool for gathering intelligence on attacker tactics and motivations. 
The incident also highlights the importance of verifying claims of cyberattacks, especially when they involve critical infrastructure, to prevent unnecessary alarm and misinformation. Security researchers continue to monitor similar groups for signs of evolving tactics or renewed activity. The event demonstrates the ongoing cat-and-mouse dynamic between threat actors seeking notoriety and defenders leveraging deception to study and mitigate threats. Organizations are reminded to secure remote interfaces, avoid default credentials, and stay vigilant against both real and fabricated threats. The case also illustrates the role of public messaging and disinformation in modern cyber conflict, particularly among ideologically motivated groups. Finally, the exposure of TwoNet's fabricated attack provides actionable lessons for both defenders and policymakers in assessing and responding to claims of cyber incidents targeting essential services.
1 month ago
Pro-Russia Hacktivist Attacks on Critical Infrastructure via Exposed VNC and OT Systems
Pro-Russia hacktivist groups, including Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16, have escalated their operations from DDoS attacks to targeting operational technology (OT) systems in critical infrastructure sectors such as water, food, agriculture, and energy. These groups exploit exposed Virtual Network Computing (VNC) connections with weak security, using tools like Nmap and brute-force attacks to gain access to human-machine interfaces (HMIs). Once inside, they manipulate system parameters, disable alarms, and cause operational disruptions, often publicizing their actions for propaganda purposes. The U.S. and international cybersecurity agencies have issued joint advisories detailing these tactics, highlighting the opportunistic nature of these attacks and the use of MITRE ATT&CK techniques ranging from reconnaissance to impact, including "loss of view" scenarios that force manual intervention. Recent U.S. government indictments and sanctions confirm that CARR was founded and directed by Russian military intelligence (GRU) as a means to conduct unattributable disruptive operations. Notable incidents attributed to these groups include attacks on public drinking water systems, resulting in water spills, and a Los Angeles meat processing facility, which suffered spoiled products and an ammonia leak. While the technical sophistication of these actors is limited, their ability to cause downtime, remediation costs, and occasional physical damage underscores the persistent risk posed by exposed OT systems and weak remote access protections in critical infrastructure environments.
1 month ago
Pro-Russia Hacktivist Attacks on Global Critical Infrastructure via Exposed VNC
Pro-Russia hacktivist groups have launched a series of opportunistic cyberattacks targeting critical infrastructure entities in the United States and globally. These groups, including Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16, exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain access to operational technology (OT) control devices. The attacks are characterized by their relatively low sophistication and impact compared to advanced persistent threat actors, but have resulted in varying degrees of disruption, including physical damage to systems such as water treatment facilities and oil well operations. The hacktivists often seek publicity by exaggerating the effects of their attacks, and their targeting is largely opportunistic, based on the availability of vulnerable systems rather than strategic selection. Authorities including CISA, the FBI, NSA, Department of Energy, and international partners have issued joint advisories warning OT owners and operators to reduce the exposure of OT assets to the public internet, implement robust authentication, and adopt mature asset management practices. These advisories emphasize the importance of mapping data flows and access points to mitigate the risk of similar attacks. The guidance is part of a broader effort to address the growing threat posed by hacktivist groups leveraging accessible VNC devices to compromise critical infrastructure worldwide.
1 month ago