A pro-Russian hacktivist group known as TwoNet was caught targeting a decoy water treatment facility during a honeypot operation by Forescout’s Vedere Labs in September 2025.
The incident, which unfolded via unauthorized access to a human-machine interface (HMI), highlights an evolving trend of hacktivists pivoting from web defacement to more nuanced intrusions against operational technology (OT) and industrial control systems (ICS).
TwoNet, aligned with Russian interests, exploited weak authentication on the exposed HMI, logging in with default credentials (“admin/admin”). Once inside, the attacker attempted SQL enumeration using manual queries through the sql.shtm endpoint to map database tables and constraints.
When the first set of commands failed, a modified query succeeded in pulling schema data, revealing the attackers’ adaptive and hands-on approach.
The adversary also leveraged CVE-2021-26829, a known vulnerability in specific HMI platforms, to inject malicious JavaScript, altering the login page to display a defacement message.
Following the defacement, the intruder created a separate account, “BARLATI”, and used it for persistent actions such as deleting controller data sources, manipulating programmable logic controller (PLC) setpoints, and disabling alarm logs to evade detection.
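The intrusion chain above (default-credential login, ad-hoc SQL through sql.shtm, creation of a second account, then tampering with data sources, setpoints and alarm logs) is the kind of sequence an HMI's own audit log can surface if the events are correlated per source. The following is an added example, not code from the article or from Forescout; the JSON audit lines, their field names, the default-account list and the severity thresholds are all constructed assumptions for the demo, not any vendor's real audit schema.

```python
"""Correlate HMI audit events into the stages of the intrusion described above.

Added example: the JSON audit lines and field names are constructed for the
demo and do not reproduce Forescout's honeypot logs or any vendor's schema.
"""
import json
from collections import OrderedDict
from typing import Dict, List, Optional

DEFAULT_ACCOUNTS = {"admin", "root"}  # assumed vendor default usernames
TAMPERING = {"datasource_deleted", "setpoint_changed", "alarm_log_disabled"}


def classify(event: dict) -> Optional[str]:
    """Map one audit event to an intrusion stage, or None if it looks benign."""
    kind = event.get("event")
    if (kind == "login" and event.get("result") == "success"
            and event.get("user") in DEFAULT_ACCOUNTS):
        return "default-account login"
    if (kind == "request" and event.get("path", "").endswith("sql.shtm")
            and event.get("query")):
        return "ad-hoc SQL via sql.shtm"
    if kind == "user_created":
        return "new account created"
    if kind in TAMPERING:
        return "process/monitoring tampering"
    return None


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Group flagged stages per source IP; 3+ distinct stages is rated 'high'."""
    chains: Dict[str, List[str]] = OrderedDict()
    for line in lines:
        event = json.loads(line)
        stage = classify(event)
        if stage is None:
            continue
        chains.setdefault(event["src"], []).append(stage)
    summary: Dict[str, dict] = {}
    for src, chain in chains.items():
        distinct = len(set(chain))
        severity = "high" if distinct >= 3 else "medium" if distinct == 2 else "low"
        summary[src] = {"chain": chain, "severity": severity}
    return summary


# Constructed audit lines following the order of the honeypot sequence;
# the source IP is the one the article reports, everything else is made up.
SAMPLE_EVENTS = [
    '{"ts": "2025-09-10T08:01:12Z", "src": "45.157.234.199", "event": "login", "user": "admin", "result": "success"}',
    '{"ts": "2025-09-10T08:02:40Z", "src": "45.157.234.199", "event": "request", "path": "/sql.shtm", "query": "SELECT * FROM information_schema.tables", "status": 500}',
    '{"ts": "2025-09-10T08:03:15Z", "src": "45.157.234.199", "event": "request", "path": "/sql.shtm", "query": "SELECT table_name FROM information_schema.tables", "status": 200}',
    '{"ts": "2025-09-10T08:10:02Z", "src": "45.157.234.199", "event": "user_created", "user": "BARLATI"}',
    '{"ts": "2025-09-10T08:12:30Z", "src": "45.157.234.199", "event": "datasource_deleted", "name": "plc1"}',
    '{"ts": "2025-09-10T08:13:05Z", "src": "45.157.234.199", "event": "setpoint_changed", "tag": "tank_level_sp"}',
    '{"ts": "2025-09-10T08:13:50Z", "src": "45.157.234.199", "event": "alarm_log_disabled"}',
    '{"ts": "2025-09-10T09:00:00Z", "src": "10.0.0.5", "event": "login", "user": "jsmith", "result": "success"}',
    '{"ts": "2025-09-10T09:00:20Z", "src": "10.0.0.5", "event": "request", "path": "/dashboard.shtm", "status": 200}',
]


def run_sample() -> Dict[str, dict]:
    return summarize(SAMPLE_EVENTS)


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"{src} [{info['severity']}]: " + " -> ".join(info["chain"]))
```

A single default-account login is only rated low here; the score rises as the same source goes on to run SQL, add an account or alter the process, which matches the hands-on escalation the honeypot recorded and keeps a lone operator typo from paging anyone.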
Flagged Infrastructure and Linked Attacks
The honeypot logs indicated initial activity from IP address 45.157.234[.]199 (AS58212, Dataforest GmbH) and identified user-agents consistent with Firefox on Linux systems.
The attack pattern suggested manual exploitation rather than automated tooling. Subsequent analysis revealed related Russian-linked activity leveraging CVE-2021-26828 to drop Java-based webshells onto HMI hosts, followed by extended tampering via the same interfaces.

The IP addresses in this related activity were traced to PQ Hosting Plus SRL, which is associated with EU-sanctioned entities known for enabling Russian cyber operations.
Parallel honeypots documented synchronized PLC-targeted intrusions from Iranian IPs, characterized by Metasploit Modbus module usage and cross-protocol exploitation attempts via Modbus, S7comm, and HTTP interfaces.
These sequences included reading and overwriting coil registers and altering device states, demonstrating increasing adversarial fluency with ICS-layer commands.
Forescout analysts concluded with moderate confidence that TwoNet’s OT operations likely involved coordination with allied hacktivist brands such as CyberTroops and OverFlame, which regularly exchange intelligence, infrastructure, and tools.
These alliances amplify threat scalability by recombining personnel and tactics across rebranded entities.
Recommended Hardening Measures
To mitigate similar intrusions, experts emphasize eliminating default passwords, removing direct internet exposure of IoT and OT systems, enforcing strong authentication on all administrative interfaces, and segmenting networks through defense-in-depth architectures.
Continuous monitoring with OT-aware deep packet inspection (DPI) is crucial for detecting unauthorized writes, HMI changes, or anomalous protocol activity within Modbus and S7 environments.
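The Modbus coil and register writes described in the Iranian honeypot activity above are exactly what the OT-aware DPI recommended here needs to pick out of the wire. The following is an added example, not code from the article, from Forescout or from any DPI product: it parses the Modbus/TCP MBAP header and the start of the PDU, and alerts on state-changing function codes sent by any host not on an engineering allowlist. The sample frames and the allowlist are constructed assumptions for the demo.

```python
"""Flag Modbus/TCP write requests from hosts not on the engineering allowlist.

Added example: the frames below are constructed for the demo, and the
allowlist is an assumed site policy, not something taken from the report.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Function codes that change PLC state; an OT-aware DPI rule keys on these.
WRITE_FUNCTIONS: Dict[int, str] = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Assumed site policy: only the engineering workstation may write.
ALLOWED_WRITERS: Set[str] = {"10.0.0.5"}


@dataclass
class ModbusRequest:
    src: str
    unit_id: int
    function: int
    address: Optional[int]
    quantity: Optional[int]


def parse_modbus_tcp(src: str, payload: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header and the start of the PDU.

    Returns None when the frame is not well-formed Modbus/TCP: too short,
    protocol identifier not 0, or the length field disagreeing with the
    bytes actually present (typical of truncated or fuzzed traffic).
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    function = payload[7]
    data = payload[8:]
    address = quantity = None
    if function in (0x01, 0x02, 0x03, 0x04, 0x0F, 0x10) and len(data) >= 4:
        # start address + quantity of coils/registers
        address, quantity = struct.unpack(">HH", data[:4])
    elif function in (0x05, 0x06) and len(data) >= 4:
        # single coil/register: address + value
        address = struct.unpack(">H", data[:2])[0]
        quantity = 1
    return ModbusRequest(src, unit, function, address, quantity)


def detect_unauthorized_writes(frames: List[Tuple[str, bytes]],
                               allowed_writers: Set[str]) -> List[Tuple[str, str]]:
    """Return (source, reason) pairs a DPI sensor should raise as alerts."""
    alerts: List[Tuple[str, str]] = []
    for src, payload in frames:
        req = parse_modbus_tcp(src, payload)
        if req is None:
            alerts.append((src, "malformed Modbus/TCP frame"))
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            name = WRITE_FUNCTIONS[req.function]
            alerts.append((src, f"{name} to unit {req.unit_id} addr {req.address} "
                                f"qty {req.quantity} from non-allowlisted host"))
    return alerts


# Constructed sample traffic: transaction id, protocol 0, length, unit id, PDU.
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [
    # HMI reads 8 coils from address 0: normal polling
    ("10.0.0.5", bytes.fromhex("0001 0000 0006 01 01 0000 0008")),
    # Engineering workstation switches coil 3 ON: allowed
    ("10.0.0.5", bytes.fromhex("0002 0000 0006 01 05 0003 FF00")),
    # Unknown host switches coil 3 ON: alert
    ("198.51.100.7", bytes.fromhex("0003 0000 0006 01 05 0003 FF00")),
    # Unknown host writes two holding registers at 0x0010: alert
    ("198.51.100.7", bytes.fromhex("0004 0000 000B 01 10 0010 0002 04 0064 00C8")),
    # Truncated frame: alert as malformed
    ("198.51.100.7", bytes.fromhex("0005 0000")),
]


def run_sample() -> List[Tuple[str, str]]:
    return detect_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS)


if __name__ == "__main__":
    for src, reason in run_sample():
        print(f"ALERT {src}: {reason}")
```

Reads from the HMI pass silently and the allowed workstation's write is accepted, while the same coil write from an unknown address, a multi-register write, and a truncated frame each produce an alert. In production the allowlist would come from the asset inventory and the parser would sit behind a TCP reassembly layer, since Modbus/TCP requests can span segments.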
Indicators of Compromise (IoCs):
45.157.234[.]199
87.150.146[.]207
95.90.199[.]75
212.83.190[.]55
2.181.103[.]232