Humiliation for Pro-Russian Hackers 'TwoNet' After Attacking Decoy Water Utility Honeypot

Hacktivist Group TwoNet Publicly Brags About Hacking Dutch Water Utility, Only to Find It Was a Forescout Honeypot

INFORMATIONAL
October 10, 2025
Threat Actor, Industrial Control Systems, Threat Intelligence

Related Entities

Threat Actors

TwoNet

Organizations

Products & Tech

Honeypot

Other

Barlati

Executive Summary

In a notable cybersecurity event, the pro-Russian hacktivist group TwoNet was publicly exposed for bragging about an attack on a target that was, in fact, a decoy. The group had claimed responsibility for disrupting a Dutch water utility's operational technology (OT) environment. However, research published by cybersecurity firm Forescout on October 10, 2025, revealed that the hacktivists were lured into a sophisticated honeypot designed to mimic an industrial control system (ICS). An attacker from the group, using the alias "Barlati," accessed the decoy's Human-Machine Interface (HMI) with default credentials, defaced the system, and performed actions that would be disruptive in a real-world scenario. This incident not only serves as a public humiliation for the hacktivist group but also provides valuable, real-world insight into the tactics, techniques, and procedures (TTPs) of actors targeting critical infrastructure.


Incident Timeline

  • Early 2025: The TwoNet hacktivist group emerges, initially focusing on DDoS attacks.
  • September 2025: TwoNet shifts focus to ICS/SCADA systems. An attacker named "Barlati" gains access to the Forescout honeypot.
  • Late September 2025: TwoNet posts on its Telegram channel, claiming a successful attack against a Dutch water utility, providing screenshots from the honeypot as 'proof'. Shortly after, the group reportedly ceases operations.
  • October 10, 2025: Forescout publishes its research, revealing the 'attack' was on their decoy system.

Technical Analysis

The attacker's actions within the honeypot were straightforward but demonstrate a clear intent to cause disruption.

  1. Initial Access: The attacker gained access to the HMI using the default credentials admin/admin. This highlights the persistent danger of using weak or default passwords on internet-facing ICS devices.
  2. Execution & Impact: Once inside, the attacker performed several malicious actions:
    • Defaced the HMI login page with the message "HACKED BY BARLATI, FUCK".
    • Changed system configuration settings.
    • Disabled alarms within the decoy system.

These actions, while harmless in the honeypot, mimic the initial stages of a real ICS attack aimed at causing physical disruption.

MITRE ATT&CK for ICS TTPs

Impact Assessment

The direct impact of this specific incident was zero, as the target was a decoy. However, the event is significant for several reasons:

  • Threat Intelligence Goldmine: It provided security researchers with high-fidelity data on how hacktivist groups approach and interact with ICS targets.
  • Demonstrates Hacktivist Threat: It validates that politically motivated but often unskilled groups are actively attempting to breach critical infrastructure, even if they lack the sophistication to differentiate a real target from a fake one.
  • Highlights Basic Security Failures: The success of the initial access using default credentials serves as a stark reminder that many real-world systems remain vulnerable to the most basic attacks.

Cyber Observables for Detection

  • Value: admin/admin (type: command_line_pattern). Description: Login attempts using default credentials on any internet-facing system, especially HMI/ICS platforms. Context: Authentication logs, SIEM. Confidence: high.
  • Value: HMI Page Defacement (type: other). Description: Any unauthorized modification to HMI display content is a clear indicator of compromise. Context: File Integrity Monitoring, visual inspection. Confidence: high.
  • Value: Unexpected Alarm Disablement (type: other). Description: Alarms being disabled outside of a scheduled maintenance window is a major red flag. Context: ICS/SCADA audit logs. Confidence: high.

Detection & Response

  • Authentication Monitoring: Implement robust monitoring for all authentication attempts to internet-facing ICS components. Immediately alert on the use of default credentials or repeated failed login attempts. This is a key part of D3FEND's Authentication Event Thresholding (D3-ANET).
  • Configuration Change Monitoring: Use configuration management or integrity monitoring tools to alert on any unauthorized changes to HMI configurations or control logic.
  • Deception Technology: This incident is a testament to the value of honeypots. Deploying ICS-specific honeypots can provide early warnings of targeting and yield valuable threat intelligence.
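The observables listed above and the authentication and configuration monitoring items in this list can be turned into a small detection routine. The following is an added example, not code from Forescout or the article's author: it runs over a constructed HMI log (the log format, account names, failure threshold and maintenance window are all assumptions) and raises findings for logins by vendor default accounts, failed-login thresholds per source, and configuration changes or alarm disablement outside an approved window.

```python
# Added example (not Forescout's or the article author's code): applies the
# report's observables to a constructed HMI authentication/audit log.
import re
from collections import defaultdict
from datetime import datetime, time

# Vendor default or shared accounts that policy says must be disabled or renamed.
# Authentication logs do not (and must not) record passwords, so a successful
# login by one of these accounts is the observable signal for default-credential
# use such as the admin/admin login described in the report. Account names are
# assumptions for this illustration.
DEFAULT_ACCOUNTS = {"admin", "root", "operator"}

FAILED_LOGIN_THRESHOLD = 5                      # failures per source IP before alerting
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))   # assumed approved window for alarm/config changes

# Assumed log format: "<ISO timestamp> <EVENT> src=<ip> user=<name> [object=<id>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[A-Z_]+) src=(?P<src>\S+) user=(?P<user>\S+)"
    r"(?: object=(?P<obj>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def in_maintenance_window(ts):
    """True when the event time falls inside the approved change window."""
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() < end


def detect(lines):
    """Return findings as (severity, indicator, detail) tuples, in log order."""
    findings = []
    failures = defaultdict(int)   # failed logins counted per source IP
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        when = ev["ts"].isoformat()
        if ev["event"] == "LOGIN_FAIL":
            failures[ev["src"]] += 1
            if failures[ev["src"]] == FAILED_LOGIN_THRESHOLD:
                findings.append(("medium", "failed_login_threshold",
                                 f"{FAILED_LOGIN_THRESHOLD} failures from {ev['src']} by {when}"))
        elif ev["event"] == "LOGIN_OK" and ev["user"] in DEFAULT_ACCOUNTS:
            findings.append(("high", "default_account_login",
                             f"{ev['user']} logged in from {ev['src']} at {when}"))
        elif ev["event"] == "CONFIG_CHANGE" and not in_maintenance_window(ev["ts"]):
            findings.append(("high", "config_change_outside_window",
                             f"{ev['user']} changed {ev['obj']} at {when}"))
        elif ev["event"] == "ALARM_DISABLED" and not in_maintenance_window(ev["ts"]):
            findings.append(("high", "alarm_disabled_outside_window",
                             f"{ev['user']} disabled {ev['obj']} at {when}"))
    return findings


# Constructed sample log modelled on the sequence the report describes:
# a burst of failures, a default-account login, a defacement-style config
# change and an alarm being disabled, followed by benign operator activity.
SAMPLE_LOG = [
    "2025-09-20T10:01:05 LOGIN_FAIL src=203.0.113.7 user=admin",
    "2025-09-20T10:01:09 LOGIN_FAIL src=203.0.113.7 user=admin",
    "2025-09-20T10:01:14 LOGIN_FAIL src=203.0.113.7 user=admin",
    "2025-09-20T10:01:20 LOGIN_FAIL src=203.0.113.7 user=admin",
    "2025-09-20T10:01:27 LOGIN_FAIL src=203.0.113.7 user=admin",
    "2025-09-20T10:01:40 LOGIN_OK src=203.0.113.7 user=admin",
    "2025-09-20T10:02:10 CONFIG_CHANGE src=203.0.113.7 user=admin object=login_banner",
    "2025-09-20T10:03:00 ALARM_DISABLED src=203.0.113.7 user=admin object=ALM-HighLevel",
    "2025-09-21T02:30:00 ALARM_DISABLED src=10.20.0.5 user=jdoe object=ALM-Pump1",
    "2025-09-21T09:00:00 LOGIN_OK src=10.20.0.5 user=jdoe",
]

if __name__ == "__main__":
    for severity, indicator, detail in detect(SAMPLE_LOG):
        print(f"[{severity}] {indicator}: {detail}")
```

The in-window alarm change by the named operator account produces no finding, which is the point of pairing the rule with a maintenance window: the signal is the change outside the approved process, not the change itself. In a SIEM the same three rules would be expressed as correlation searches over the HMI's audit feed.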

Mitigation

  • Eliminate Default Credentials: The most critical mitigation is to change all default passwords on all devices and applications, especially those that are network-accessible. This is a core tenet of D3FEND's Strong Password Policy (D3-SPP).
  • Network Segmentation: Isolate ICS/OT networks from corporate IT networks and the internet. Use a DMZ architecture to control all access. This is D3FEND's Network Isolation (D3-NI).
  • Vulnerability Management: Regularly scan for and patch vulnerabilities in ICS components, just as you would in an IT environment.

MITRE ATT&CK Mitigations

Enforce strong, unique passwords and, most importantly, change all default credentials before deploying any system.

Isolate OT networks from IT networks and the internet to prevent unauthorized access to critical control systems.

Implement comprehensive logging and auditing of all activities on HMIs and other ICS components to detect unauthorized changes.

Require individual user accounts for all operators instead of shared accounts, and implement MFA where possible.

D3FEND Defensive Countermeasures

The TwoNet attacker's success hinged entirely on the use of default credentials (admin/admin). The most fundamental defense for any Industrial Control System is to enforce a strong password policy. This goes beyond complexity and length requirements; it must include a mandatory procedure to change ALL default passwords on every device—HMIs, PLCs, switches, etc.—before they are connected to a network. This simple act of cyber hygiene would have completely prevented this specific intrusion. Asset management programs must include a field to track whether default credentials have been changed, and this should be audited regularly.

No HMI for a water utility should be directly accessible from the public internet. This incident underscores the critical need for network isolation in OT environments. Critical control systems should reside on a completely separate, air-gapped, or heavily firewalled network segment. All access from the IT network or the internet should be brokered through a secure DMZ with jump hosts that require multi-factor authentication. This architectural control ensures that even if an attacker identifies the public IP of a facility, they cannot reach the sensitive control systems directly, forcing them to navigate multiple layers of defense.
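The network isolation the Mitigation list and the paragraph above call for (OT reachable only through a DMZ jump host with MFA, never directly from IT or the internet) can be checked mechanically against a firewall rule set. The following is an added example, not code from Forescout or the article's author: it models zones and allow rules (the zone names, rule names and ports are assumptions), finds every zone path that reaches OT, and reports the paths that bypass the DMZ or lack MFA on the final hop, showing a weak rule set beside a corrected one.

```python
# Added example (not Forescout's or the article author's code): validates a
# zone-based firewall policy against the DMZ/jump-host model the article describes.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str               # "allow" or "deny"
    mfa_required: bool = False  # True when the hop is brokered by an MFA-enforcing jump host


def allow_graph(rules):
    """Adjacency map of zone -> allow rules leaving that zone."""
    graph = defaultdict(list)
    for rule in rules:
        if rule.action == "allow":
            graph[rule.src_zone].append(rule)
    return graph


def find_paths(rules, src, dst):
    """All simple paths (lists of rules) from src zone to dst zone along allow rules."""
    graph = allow_graph(rules)

    def dfs(zone, path, seen):
        if zone == dst:
            yield path
            return
        for rule in graph.get(zone, []):
            if rule.dst_zone not in seen:
                yield from dfs(rule.dst_zone, path + [rule], seen | {rule.dst_zone})

    return list(dfs(src, [], {src}))


def check_policy(rules):
    """Return (rule chain, violation) pairs; an empty list means the policy matches the model."""
    violations = []
    for origin in ("internet", "it"):
        for path in find_paths(rules, origin, "ot"):
            zones = [origin] + [rule.dst_zone for rule in path]
            chain = " > ".join(rule.name for rule in path)
            if "dmz" not in zones:
                violations.append((chain, f"{origin} reaches ot without traversing the DMZ"))
            elif not path[-1].mfa_required:
                violations.append((chain, "final hop into ot is not brokered by an MFA jump host"))
    for rule in rules:
        if rule.action == "allow" and rule.src_zone == "ot" and rule.dst_zone == "internet":
            violations.append((rule.name, "direct ot -> internet egress"))
    return violations


# Constructed weak policy: the HMI web port is exposed to the internet and the
# corporate network reaches OT directly, the exposure pattern the report describes.
WEAK_RULES = [
    Rule("hmi-web", "internet", "ot", 80, "allow"),
    Rule("corp-to-ot", "it", "ot", 5900, "allow"),
]

# Constructed corrected policy: IT reaches an MFA jump host in the DMZ, the jump
# host alone reaches the HMI, nothing from the internet is allowed inbound, and
# OT only pushes historian data outward into the DMZ.
HARDENED_RULES = [
    Rule("internet-to-ot", "internet", "ot", 80, "deny"),
    Rule("corp-to-jump", "it", "dmz", 443, "allow", mfa_required=True),
    Rule("jump-to-hmi", "dmz", "ot", 5900, "allow", mfa_required=True),
    Rule("historian-to-dmz", "ot", "dmz", 1433, "allow"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {check_policy(rules) or 'no violations'}")
```

Evaluating paths rather than individual rules matters because a policy can be clean rule by rule and still expose OT through a chain (for example, internet to IT and IT to OT); the DFS over allow rules catches such chains as well as the direct exposures.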

This entire event is a powerful advertisement for the use of deception technology. By deploying a high-interaction honeypot that accurately mimics a real ICS environment, Forescout was able to gather invaluable intelligence on an active threat actor's TTPs without any risk to actual infrastructure. Water utilities and other critical infrastructure operators should consider deploying similar decoy environments. These decoys act as an early warning system, detecting attackers during their reconnaissance or initial exploitation phases. The intelligence gathered can then be used to strengthen the defenses of the real production environment against the observed attack methods.

Sources & References

Pro-Russian Hackers Caught Bragging About Attack on Fake Water Utility
The Hacker News (thehackernews.com) October 10, 2025
Pro-Russia Hacktivists “Claim” Attack on Water Utility Honeypot
Infosecurity Magazine (infosecurity-magazine.com) October 10, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

hacktivism, honeypot, ICS, OT security, critical infrastructure, threat intelligence, Russia
