Pro-Russian TwoNet Hacktivists Fabricate Water Utility Attacks by Targeting Security Honeypots
A pro-Russian hacktivist group known as TwoNet falsely claimed responsibility for hacking a Western water treatment plant, when in reality their attack targeted a honeypot system set up by security researchers at Forescout. The group boasted on Telegram about their supposed success, including defacing a human-machine interface (HMI) login page with a message, but Forescout confirmed that the system was a decoy designed to attract and study attackers. TwoNet's intrusion originated from an IP address registered to a German hosting provider, which had little prior association with malicious activity.
The attackers gained access to the HMI using default credentials ('admin'/'admin'), highlighting the ongoing risk posed by weak authentication practices in critical infrastructure environments. After gaining access, the attacker executed SQL queries to enumerate the database schema and created a new user account under the alias "BARLATI." The group then exploited a known vulnerability, CVE-2021-26829, to alter the login page and display their defacement message. Forescout's analysis revealed that TwoNet's claims of compromising operational technology were fabricated, as the only system affected was the research honeypot.
The incident underscores the ephemeral nature of hacktivist groups, with TwoNet ceasing operations by the end of September and its main Telegram handles going dark. Despite the group's short lifespan, the event serves as a warning that even unsophisticated actors can generate significant media attention and potentially influence public perception by fabricating attacks. Forescout emphasized that such groups often rebrand or join other collectives, maintaining a persistent threat to critical infrastructure. The use of honeypots by defenders remains a valuable tool for gathering intelligence on attacker tactics and motivations.
The incident also highlights the importance of verifying claims of cyberattacks, especially when they involve critical infrastructure, to prevent unnecessary alarm and misinformation. Security researchers continue to monitor similar groups for signs of evolving tactics or renewed activity. The event demonstrates the ongoing cat-and-mouse dynamic between threat actors seeking notoriety and defenders leveraging deception to study and mitigate threats. Organizations are reminded to secure remote interfaces, avoid default credentials, and stay vigilant against both real and fabricated threats. The case also illustrates the role of public messaging and disinformation in modern cyber conflict, particularly among ideologically motivated groups. Finally, the exposure of TwoNet's fabricated attack provides actionable lessons for both defenders and policymakers in assessing and responding to claims of cyber incidents targeting essential services.
Related Stories
Pro-Russian Hacktivist Group TwoNet Compromises Water Treatment Facility Honeypot
Pro-Russian hacktivist group TwoNet recently targeted what they believed to be a real water treatment facility, which was in fact a sophisticated honeypot set up by cybersecurity researchers at Forescout. The group, previously known for distributed denial-of-service (DDoS) attacks, has shifted its focus to targeting operational technology (OT) in critical infrastructure, marking a significant escalation in their tactics.
TwoNet gained initial access to the decoy plant by exploiting default credentials on the human-machine interface (HMI), specifically using 'admin/admin' to log in. Once inside, the attackers attempted to enumerate databases and succeeded after refining their SQL queries, demonstrating a methodical approach to reconnaissance. They created a new user account named 'Barlati' and exploited a known cross-site scripting (XSS) vulnerability, CVE-2021-26829, to display a defacement message on the HMI.
Beyond defacement, TwoNet engaged in actions intended to disrupt plant operations, including disabling real-time process updates by removing programmable logic controllers (PLCs) from the data source list and altering PLC setpoints, which could have had dangerous consequences in a real facility. The attackers also attempted to disable logs and alarms, further indicating their intent to cause operational disruption and evade detection. Forescout researchers observed that the attackers did not attempt privilege escalation or exploitation of the underlying host, focusing their efforts on the web application layer. The entire attack sequence, from initial access to disruptive action, unfolded in approximately 26 hours, highlighting the group's efficiency and determination. TwoNet publicly claimed responsibility for the attack on their Telegram channel, falsely asserting it was a successful breach of real critical infrastructure.
This incident is notable as it is the first time a hacktivist group has claimed an attack that researchers can confirm occurred on a honeypot. The event underscores the evolution of Russian hacktivism from DDoS attacks to more sophisticated OT intrusions with potential physical-world consequences. Security experts, including those from Deepwatch, have warned that such activities represent a growing asymmetric warfare capability, with hacktivist groups seeking to establish reputations as credible threats to critical infrastructure. The attack also involved attempts to manipulate the Modbus protocol, a common industrial control system protocol, further demonstrating the attackers' technical knowledge. While there is no direct evidence linking TwoNet's actions to Russian state direction, their tactics and public claims serve to amplify their perceived threat. The incident provides valuable insight into the methods and motivations of modern hacktivist groups targeting critical infrastructure. It also highlights the importance of honeypots in understanding adversary behavior and improving defensive measures for real-world OT environments. The rapid progression from access to disruption in this case serves as a warning to operators of critical infrastructure about the need for robust security controls and monitoring.
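As an added example (not Forescout's code and not anything recovered from the incident), the following Python correlates constructed HMI audit-log lines into the stages described in the two summaries above: default-credential login, schema enumeration, account creation, data-source removal, setpoint change, and alarm disabling. The log format, event names, default-account list and the 30-hour correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample HMI audit log (not from the incident). Assumed format:
# "<ISO timestamp> <source IP> <EVENT> key=value ...", values without spaces.
SAMPLE_LOG = """\
2025-09-01T08:00:00 198.51.100.5 LOGIN_OK user=operator
2025-09-01T10:00:05 203.0.113.7 LOGIN_OK user=admin
2025-09-01T10:02:11 203.0.113.7 SQL_QUERY object=information_schema.tables
2025-09-01T10:09:42 203.0.113.7 USER_CREATE user=barlati role=admin
2025-09-01T11:15:00 203.0.113.7 DATASOURCE_DELETE target=plc1
2025-09-01T11:16:30 203.0.113.7 SETPOINT_WRITE point=tank1.level old=50 new=95
2025-09-01T11:20:12 203.0.113.7 ALARM_DISABLE scope=all
"""
DEFAULT_ACCOUNTS = {"admin", "root"}  # assumed vendor default logins
STAGE_OF = {  # HMI events mapped to the stages seen in the honeypot intrusion
    "SQL_QUERY": "schema_enum",
    "USER_CREATE": "persistence",
    "DATASOURCE_DELETE": "loss_of_view",
    "SETPOINT_WRITE": "process_manipulation",
    "ALARM_DISABLE": "defense_evasion",
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")

def parse(text):
    events = []  # (timestamp, ip, event, fields) tuples, sorted by time
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, ev, rest = m.groups()
            fields = dict(p.split("=", 1) for p in rest.split() if "=" in p)
            events.append((datetime.fromisoformat(ts), ip, ev, fields))
    return sorted(events, key=lambda e: e[0])

def analyze(text, window_hours=30):
    """Per source IP: first time each stage was seen after a default-account login."""
    sessions = {}
    for ts, ip, ev, f in parse(text):
        if ev == "LOGIN_OK" and f.get("user") in DEFAULT_ACCOUNTS:
            sessions.setdefault(ip, {"start": ts, "stages": {"default_login": ts}})
        elif ip in sessions and ev in STAGE_OF and ts - sessions[ip]["start"] <= timedelta(hours=window_hours):
            if ev == "SQL_QUERY" and "information_schema" not in f.get("object", ""):
                continue  # ordinary application queries are not reconnaissance
            sessions[ip]["stages"].setdefault(STAGE_OF[ev], ts)
    return sessions

def severity(stages):
    # Critical once loss of view or process manipulation follows a default login
    if {"loss_of_view", "process_manipulation"} & set(stages):
        return "critical"
    return "high" if len(stages) > 1 else "medium"
```

The operator login from the second address produces no finding, so an ordinary shift change is not flagged; only the chain following the default-account login is reported.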
5 months ago
Pro-Russia Hacktivist Attacks on Critical Infrastructure via Exposed VNC and OT Systems
Pro-Russia hacktivist groups, including Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16, have escalated their operations from DDoS attacks to targeting operational technology (OT) systems in critical infrastructure sectors such as water, food, agriculture, and energy. These groups exploit exposed Virtual Network Computing (VNC) connections with weak security, using tools like Nmap and brute-force attacks to gain access to human-machine interfaces (HMIs). Once inside, they manipulate system parameters, disable alarms, and cause operational disruptions, often publicizing their actions for propaganda purposes. The U.S. and international cybersecurity agencies have issued joint advisories detailing these tactics, highlighting the opportunistic nature of these attacks and the use of MITRE ATT&CK techniques ranging from reconnaissance to impact, including "loss of view" scenarios that force manual intervention. Recent U.S. government indictments and sanctions confirm that CARR was founded and directed by Russian military intelligence (GRU) as a means to conduct unattributable disruptive operations. Notable incidents attributed to these groups include attacks on public drinking water systems, resulting in water spills, and a Los Angeles meat processing facility, which suffered spoiled products and an ammonia leak. While the technical sophistication of these actors is limited, their ability to cause downtime, remediation costs, and occasional physical damage underscores the persistent risk posed by exposed OT systems and weak remote access protections in critical infrastructure environments.
2 months ago
Pro-Russia Hacktivist Attacks on Global Critical Infrastructure via Exposed VNC
Pro-Russia hacktivist groups have launched a series of opportunistic cyberattacks targeting critical infrastructure entities in the United States and globally. These groups, including Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16, exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain access to operational technology (OT) control devices. The attacks are characterized by their relatively low sophistication and impact compared to advanced persistent threat actors, but have resulted in varying degrees of disruption, including physical damage to systems such as water treatment facilities and oil well operations. The hacktivists often seek publicity by exaggerating the effects of their attacks, and their targeting is largely opportunistic, based on the availability of vulnerable systems rather than strategic selection. Authorities including CISA, the FBI, NSA, Department of Energy, and international partners have issued joint advisories warning OT owners and operators to reduce the exposure of OT assets to the public internet, implement robust authentication, and adopt mature asset management practices. These advisories emphasize the importance of mapping data flows and access points to mitigate the risk of similar attacks. The guidance is part of a broader effort to address the growing threat posed by hacktivist groups leveraging accessible VNC devices to compromise critical infrastructure worldwide.
3 months ago