A Russia-aligned hacktivist gang has been tricked into targeting a honeypot disguised as a water treatment utility, cybersecurity company Forescout has revealed.
The gang, TwoNet, claimed responsibility for an attack on the water treatment utility, believing they had conducted a real hack, on its Telegram channel.
The group logged into the honeypot’s human-machine interface (HMI) for a range of purposes, including defacement, process disruption, manipulation and evasion.
TwoNet used default credentials for initial access, and exploited weaknesses in the industrial honeypot to carry out these activities.
The researchers said the attack mirrors the tactics used by other hacktivist groups that have shifted from DDoS and defacement towards targeting operational technology (OT) and industrial control system (ICS) operations.
Honeypots are decoy systems deliberately exposed to the internet to lure attackers and capture their tactics.
Forescout noted it is the first time a threat actor has publicly claimed an attack that has occurred on one of its honeypots.
TwoNet Hacktivist Group
TwoNet first appeared on a Telegram channel in January 2025, initially focusing on DDoS attacks leveraging the MegaMedusa Machine malware.
In September, the group launched a new Telegram channel to claim activity, with a separate account rotating invite links to resist takedown.
Messages on this channel indicate the group has shifted from pure DDoS to a broader mix of activity, including OT/ICS targeting.
A message posted in an affiliated group, CyberTroops, stated that TwoNet was ceasing operations on September 30.
The researchers said this activity is part of a broader trend in the hacktivist ecosystem, where there are regular formations of alliances and rebrands.
“This underscores the ephemeral nature of the ecosystem where channels and groups are short-lived, while operators typically persist by rebranding, shifting alliances, joining other groups, learning new techniques or targeting other organizations,” Forescout noted.
Analysis of Honeypot Attack
The attack on the Forescout honeypot occurred just after TwoNet launched its new Telegram channel in September.
The intrusion came from an IP address linked to a German hosting provider. No prior malicious activity was linked to the address.
The attacker appeared to use the Firefox browser on the Linux operating system. They initially logged into the honeypot’s HMI using the default credentials admin/admin.
The threat actor then attempted database enumeration, successfully extracting schema information with a second set of queries. The researchers believe these queries were entered directly through the HMI web interface.
Next, the attacker created a new user account ‘BARLATI’, which was used to log in to the HMI over a period of around 20 hours. During that window, they conducted four actions:
- Defacement: Exploitation of the vulnerability CVE-2021-26829 to change the HMI login page description to: <script>alert("HACKED BY BARLATI, FUCK")
- Process disruption: Deletion of connected PLCs as data sources, disabling real-time updates
- Manipulation: Changing PLC setpoints via the HMI
- Evasion: Modification of system settings to disable logs and alarms
“The attacker did not attempt privilege escalation or exploitation of the underlying host, focusing exclusively on the web application layer of the HMI,” the researchers wrote in the Forescout report published on October 9.
Security Recommendations for OT Operators
The researchers set out a range of recommendations for security teams to mitigate the tactics used in the TwoNet honeypot attack. These include:
- Remove OT systems from direct internet exposure
- Segment networks extensively
- Require authentication on all IoT/OT admin interfaces
- Disable anonymous/default accounts and enforce strong, unique credentials
- Deploy deep packet inspection (DPI) that alerts on exploitation attempts, password guessing, unauthorized writes and configuration changes on the HMI
- Monitor for devices used in distributed attacks, such as cameras and routers, and for unusual traffic from OT segments
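The four actions listed above (account creation, defacement via a script tag in a configuration field, deletion of PLC data sources, setpoint changes, disabling of logs and alarms) and the monitoring recommendations (password guessing, unauthorized writes, HMI changes) all leave traces in an HMI audit log. The following script is an added illustration, not code from Forescout's report or from the honeypot: it runs a small set of detection rules over constructed audit-log lines. The log format (`timestamp|user|source_ip|event|detail`), the event names, the account names, the 10.0.0.0/24 OT subnet, the authorized-writer list and the five-failures-in-60-seconds threshold are all assumptions chosen for the example.

```python
import ipaddress
import re
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical configuration for the example (not from the article or any product).
DEFAULT_ACCOUNTS = {"admin", "operator", "guest"}       # built-in names that should never log in
AUTHORIZED_WRITERS = {"operator1", "operator2"}         # users allowed to change setpoints
OT_NETWORK = ipaddress.ip_network("10.0.0.0/24")       # only subnet that may reach the HMI
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(seconds=60)  # password-guessing rule
MARKUP = re.compile(r"<\s*/?\s*\w+|javascript:", re.IGNORECASE)  # HTML/script in a text field

# Constructed sample log mirroring the sequence the article describes; not real honeypot data.
SAMPLE_LOG = """\
2025-09-20T10:00:00|admin|203.0.113.10|login_failed|password mismatch
2025-09-20T10:00:05|admin|203.0.113.10|login_failed|password mismatch
2025-09-20T10:00:09|admin|203.0.113.10|login_failed|password mismatch
2025-09-20T10:00:14|admin|203.0.113.10|login_failed|password mismatch
2025-09-20T10:00:20|admin|203.0.113.10|login_failed|password mismatch
2025-09-20T10:00:25|admin|203.0.113.10|login_ok|-
2025-09-20T10:05:00|admin|203.0.113.10|user_create|name=BARLATI role=admin
2025-09-20T10:06:00|BARLATI|203.0.113.10|login_ok|-
2025-09-20T10:10:00|BARLATI|203.0.113.10|config_write|field=login_description value=<script>alert(1)</script>
2025-09-20T10:20:00|BARLATI|203.0.113.10|datasource_delete|plc=PLC-01
2025-09-20T10:30:00|BARLATI|203.0.113.10|setpoint_write|tag=Chlorine_SP old=1.2 new=9.9
2025-09-20T10:40:00|BARLATI|203.0.113.10|config_write|field=logging value=off
2025-09-20T10:41:00|BARLATI|203.0.113.10|config_write|field=alarms value=off
2025-09-21T08:00:00|operator1|10.0.0.5|login_ok|-
2025-09-21T08:05:00|operator1|10.0.0.5|setpoint_write|tag=Chlorine_SP old=9.9 new=1.2
"""


@dataclass
class Alert:
    when: datetime
    rule: str
    user: str
    source_ip: str
    detail: str


def analyze(log_text: str) -> list[Alert]:
    """Run the detection rules over audit-log lines and return the alerts raised."""
    alerts: list[Alert] = []
    failures: dict[str, deque] = {}  # source_ip -> timestamps of recent failed logins
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, ip, event, detail = raw.split("|", 4)
        when = datetime.fromisoformat(ts)
        src = ipaddress.ip_address(ip)
        hits: list[str] = []

        if event == "login_failed":
            # Sliding window: fire once when the Nth failure within the window arrives.
            q = failures.setdefault(ip, deque())
            q.append(when)
            while q and when - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:
                hits.append("password_guessing")
        elif event == "login_ok":
            if user in DEFAULT_ACCOUNTS:
                hits.append("default_account_login")
            if src not in OT_NETWORK:
                hits.append("login_from_outside_ot")
        elif event == "user_create":
            hits.append("account_created")          # new HMI users are rare; always review
        elif event == "datasource_delete":
            hits.append("plc_datasource_removed")   # process-disruption step in the article
        elif event == "setpoint_write":
            if user not in AUTHORIZED_WRITERS or src not in OT_NETWORK:
                hits.append("unauthorized_setpoint_write")
        elif event == "config_write":
            field, _, value = detail.partition(" value=")
            field = field.removeprefix("field=")
            if MARKUP.search(value):
                hits.append("markup_in_config_field")   # stored-XSS style defacement
            if field in {"logging", "alarms"} and value.strip().lower() in {"off", "0", "false"}:
                hits.append("telemetry_disabled")       # evasion step in the article

        alerts.extend(Alert(when, rule, user, ip, detail) for rule in hits)
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per rule, handy for a quick triage view."""
    return dict(Counter(a.rule for a in alerts))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.when.isoformat()} {a.rule:28} {a.user:10} {a.source_ip:14} {a.detail}")
```

Run against the constructed log, the script raises ten alerts: the five failed logins trip the guessing rule once, the `admin` login fires both the default-account and the outside-OT rules, and every later action by the created account (markup in a text field, PLC data source removal, setpoint write, logging and alarms switched off) produces its own alert, while the operator's in-network setpoint change is silent. The markup rule is the detection-side counterpart of the fix for the defacement: the HMI should also escape that description field on output, but an alert on a `<script` string landing in any configuration value catches the attempt regardless of whether the page renders it.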
They added that the case demonstrates that threat actors’ claims should be treated with caution.
“Hacktivist channels blend genuine incidents with exaggeration. Monitoring still yields value: intent, tooling, target selection, and emerging alliances,” the researchers advised.