EXECUTIVE SUMMARY
Honeypots are decoy systems exposed to the internet to lure attackers and collect intelligence on their tactics. Previously, our AI-generated 'healthcare clinic' honeypot captured ransomware attempts, but recent activity targeted a 'water treatment utility' honeypot. A pro-Russian hacktivist group, TwoNet, falsely claimed responsibility on Telegram for a real-world attack, though the compromise affected only the honeypot. This highlights hacktivists' growing interest in operational technology and industrial control systems (OT/ICS). Honeypot intelligence provides critical insight into attacker methods, target selection, and emerging threat networks. Observing such activity helps organizations in utilities and critical infrastructure anticipate threats, particularly as actors exploit default credentials and known vulnerabilities.
TwoNet's attack began with default HMI credentials and SQL queries, eventually extracting schema information. The attackers created a user account 'BARLATI' and carried out HMI defacement, PLC manipulation, deletion of data sources, and log evasion over several hours. The focus was on the web application layer, with no host-level exploitation. Intelligence suggests TwoNet blends legacy DDoS tactics with OT/ICS claims and leverages Telegram for signaling, doxing, and commercial offerings such as ransomware-as-a-service. Additional honeypot activity revealed Russian-linked and Iranian-sourced IPs targeting HMIs and PLCs via Modbus, S7comm, and HTTP, demonstrating manual operation, multi-protocol knowledge, and commodity tooling. The combined observations show how relatively low-skilled actors can interact with OT/ICS systems and highlight the value of honeypots for monitoring both claimed and unclaimed attacks.
The TwoNet case shows that hacktivist activity is evolving from DDoS and defacement to OT/ICS targeting. While claims should be treated cautiously, monitoring their channels provides insight into intent, tools, and emerging alliances. Group collaborations such as OverFlame and Z-PENTEST accelerate capability sharing, enabling smaller groups to scale. Utilities, especially in the water and power sectors, remain attractive targets because of their operational impact and security gaps. Manual reconnaissance and tampering by opportunistic or state-linked actors further underscore the persistent threat. Despite the ephemeral nature of hacktivist brands, individual actors and tactics persist, making it essential to track people, infrastructure, and alliances. Overall, the incident reinforces the importance of intelligence-driven defenses and continuous visibility in safeguarding critical infrastructure.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1078.001 | Valid Accounts | Default Accounts |
| Initial Access | T1190 | Exploit Public-Facing Application | – |
| Persistence | T1136.001 | Create Account | Local Account |
| Persistence | T1505.003 | Server Software Component | Web Shell |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Impact | T1491.001 | Defacement | Internal Defacement |
| Impact | T0831 | Manipulation of Control | – |
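As an added defender-side example (not code from the report or from the referenced vendors), the following Python sketch correlates the attack chain described in the summary (default-credential HMI login, schema discovery via SQL, account creation, PLC tampering, log evasion) against the technique IDs in the table above, over a constructed HMI audit log. The log format, event names, IPs and the default-account list are assumptions for illustration only.

```python
import re
from collections import defaultdict

# Constructed HMI web-application audit log, loosely modelled on the attack
# chain the report describes. Not real report data; IPs are documentation ranges.
# Format: timestamp source_ip user event detail
SAMPLE_LOG = """\
2025-09-01T09:00:00Z 192.0.2.44 operator LOGIN_OK -
2025-09-01T10:02:11Z 203.0.113.7 admin LOGIN_OK -
2025-09-01T10:05:40Z 203.0.113.7 admin SQL_QUERY SELECT table_name FROM information_schema.tables
2025-09-01T10:41:02Z 203.0.113.7 admin USER_CREATE BARLATI
2025-09-01T11:05:19Z 203.0.113.7 BARLATI PLC_WRITE setpoint=0
2025-09-01T11:10:55Z 203.0.113.7 BARLATI DATASOURCE_DELETE plc-1
2025-09-01T11:12:03Z 203.0.113.7 BARLATI AUDIT_LOG_DISABLE -
"""

# Hypothetical vendor default accounts; replace with the product's real list.
DEFAULT_ACCOUNTS = {"admin", "operator"}

# Each rule is tied to a technique ID from the threat profile table.
RULES = {
    "T1078.001": lambda e: e["event"] == "LOGIN_OK" and e["user"] in DEFAULT_ACCOUNTS,
    "T1190": lambda e: e["event"] == "SQL_QUERY"
             and re.search(r"information_schema|sqlite_master", e["detail"], re.I),
    "T1136.001": lambda e: e["event"] == "USER_CREATE",
    "T0831": lambda e: e["event"] in {"PLC_WRITE", "DATASOURCE_DELETE"},
    "T1562.001": lambda e: e["event"] == "AUDIT_LOG_DISABLE",
}

def parse(log_text):
    """Yield one dict per log line: ts, ip, user, event, detail."""
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the detector
        yield dict(zip(("ts", "ip", "user", "event", "detail"), parts))

def techniques_by_source(log_text):
    """Map each source IP to the technique IDs it triggered, in first-seen order."""
    hits = defaultdict(list)
    for e in parse(log_text):
        for tid, rule in RULES.items():
            if rule(e) and tid not in hits[e["ip"]]:
                hits[e["ip"]].append(tid)
    return dict(hits)

def flag_sources(log_text, min_stages=3):
    """Flag sources that chain a default-account login with at least min_stages
    distinct techniques; a lone default-account login (the operator) stays unflagged."""
    return sorted(ip for ip, tids in techniques_by_source(log_text).items()
                  if "T1078.001" in tids and len(tids) >= min_stages)

if __name__ == "__main__":
    for ip in flag_sources(SAMPLE_LOG):
        print(ip, techniques_by_source(SAMPLE_LOG)[ip])
```

The correlation, not any single rule, carries the signal: a default-account login alone is routine on many HMIs, but the same source then creating an account, writing to a PLC and disabling audit logging matches the chain the honeypot recorded.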
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/pro-russian-hacktivist-group-twonet-exposed-for-fabricating-critical-infrastructure-attacks-to-boost-reputation/
https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/