Emerging Threat: Pro-Russian Hacktivists Breach OT/ICS to Steal Critical Credentials

The pro-Russian hacktivist group TwoNet has moved from distributed denial-of-service attacks to hands-on intrusion of operational technology and industrial control systems. In its first documented OT/ICS intrusion, observed against a honeypot built to look like a water treatment utility, the group logged in with default credentials, enumerated the HMI's database, defaced the interface, and tampered with PLC-facing configuration. The techniques were not advanced, but they were aimed squarely at the systems that run essential utilities, and that is what makes the shift concerning.

The Water Treatment Facility Attack

In September 2025, TwoNet carried out its first documented OT/ICS intrusion, against a honeypot operated by Forescout's Vedere Labs that emulated a water treatment utility. The activity began at 08:22 UTC from 45.157.234[.]199, an address in AS58212 (dataforest GmbH), a hosting provider previously associated with Russian cyber operations. The attackers logged in to the facility's human-machine interface with the default credentials admin/admin and went straight to database reconnaissance through the HMI's sql.shtm page. Their first enumeration attempts failed; they then adjusted the query and pulled the full table and column schema.

The query that succeeded is a standard catalog query against the Apache Derby system tables (SYS.SYSTABLES and SYS.SYSCOLUMNS), the kind that appears in database documentation, rather than anything specific to industrial systems. What it shows is that the HMI let a logged-in user run arbitrary SQL against its backing store:

SELECT t.TABLENAME, c.COLUMNNAME, c.COLUMNNUMBER, c.COLUMNDATATYPE, c.COLUMNDEFAULT, c.AUTOINCREMENTVALUE, c.AUTOINCREMENTSTART, c.AUTOINCREMENTINC
FROM sys.systables t
JOIN sys.syscolumns c ON t.TABLEID = c.REFERENCEID
WHERE t.tabletype = 'T'
ORDER BY t.TABLENAME, c.COLUMNNUMBER;

Systematic Sabotage and Persistence

Seven hours after the initial login, TwoNet created a new HMI user named "BARLATI" and began tampering with the facility's web-facing systems. Using CVE-2021-26829, a cross-site scripting flaw in the HMI, the group injected JavaScript into the login page so that a pop-up reading "HACKED BY BARLATI, FUCK" appeared whenever anyone loaded it.

The attackers then went after the facility's monitoring: they deleted PLC data sources, which stopped the real-time updates operators rely on, changed programmable logic controller setpoints through the HMI, and disabled logging and alarms so the changes would go unnoticed. Every one of these actions was taken through the HMI's normal web interface, which is exactly why an internet-exposed HMI with default credentials is dangerous: once someone can log in, no exploit is needed to alter the process.

Notably, the attackers stayed within the web application layer and made no attempt to escalate privileges or touch the underlying host, which points to either operational discipline or limited skill.

TwoNet's Evolution and Network Connections

TwoNet surfaced in January 2025 as a conventional DDoS group using the MegaMedusa Machine tool. Its pivot to OT/ICS targets coincided with the launch of a new Telegram channel on September 14, 2025, where it claimed attacks on water utilities, solar installations, and biomass-boiler control panels across Europe.

Forescout researchers also found evidence of coordination between TwoNet and allied groups such as OverFlame and CyberTroops. Sharing tooling, intelligence, and access lets small hacktivist cells acquire capabilities quickly and achieve impact that would otherwise require a better-resourced actor.

Technical Analysis and Attribution

The technical traces give some insight into how TwoNet operates. The operator used Firefox on Linux (user-agent string "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0"), although a user-agent string is trivial to spoof. The pacing of the session and the corrected SQL query after a failed first attempt point to commands typed by hand rather than an automated tool, meaning an operator was at the keyboard throughout the intrusion.

In parallel, the same honeypot operations recorded attacks from Iranian IP addresses using Metasploit's Modbus modules and cross-protocol probing over Modbus, S7comm, and HTTP. These included reading and overwriting coils and registers and changing device states, a sign that adversaries are becoming more fluent with industrial protocols.

Critical Infrastructure Under Siege

TwoNet is part of a broader trend of hacktivists targeting utilities, which tend to have smaller security budgets and a large number of OT/ICS devices directly reachable from the internet. Unlike financially motivated criminals, these politically motivated actors want disruption and publicity, and critical infrastructure delivers both.

The group's claimed activity spans several European countries, with a focus on nations it regards as hostile to Russian interests. What has actually been observed includes database enumeration, defacement, process disruption, and credential harvesting from internet-exposed industrial devices, a clear step up from website defacements.

Defense Recommendations and Indicators of Compromise

The basics matter most here: eliminate default passwords, take industrial systems off the public internet, and segment the OT network so that an HMI compromise cannot reach controllers directly. On top of that, deploy OT-aware deep packet inspection that can flag unauthorized write operations, HMI configuration changes, and anomalous protocol activity in Modbus and S7 environments.
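As an added illustration, not code from Forescout or from this article, the following Python shows the core of the "unauthorized writes" check that the recommendation above calls for: it parses the Modbus/TCP MBAP header and function code, flags any write function (5, 6, 15, 16, 23) from a host that is not on an allowlist, and also flags malformed frames. The engineering-workstation address 10.10.1.5, the outside address 203.0.113.7, and the frames themselves are constructed for the example.

```python
import struct

# Modbus function codes that change controller state (names per the Modbus spec).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}

# Assumed engineering workstation that is allowed to write (hypothetical address).
ALLOWED_WRITERS = {"10.10.1.5"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into its MBAP header fields and PDU.

    MBAP = transaction id (2 bytes), protocol id (2, always 0), length (2,
    counts unit id + PDU), unit id (1); the PDU starts with the function code.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": fc, "data": frame[8:]}


def describe_write(fc: int, data: bytes) -> str:
    """Human-readable target of a write request, used in the alert text."""
    if fc in (0x05, 0x06):
        addr, val = struct.unpack(">HH", data[:4])
        if fc == 0x05:
            return f"coil {addr} -> {'ON' if val == 0xFF00 else 'OFF'}"
        return f"holding register {addr} -> {val}"
    if fc in (0x0F, 0x10):
        addr, qty = struct.unpack(">HH", data[:4])
        kind = "coils" if fc == 0x0F else "registers"
        return f"{qty} {kind} from {addr}"
    return "read/write multiple registers"


def inspect(src_ip: str, frame: bytes):
    """Return an alert dict for an unauthorized write or a malformed frame, else None."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return {"src": src_ip, "fc": None, "name": "malformed frame", "detail": str(exc)}
    fc = req["fc"]
    if fc not in WRITE_FUNCTIONS or src_ip in ALLOWED_WRITERS:
        return None
    return {"src": src_ip, "unit": req["unit"], "fc": fc,
            "name": WRITE_FUNCTIONS[fc], "detail": describe_write(fc, req["data"])}


# Constructed sample traffic: (source IP, raw Modbus/TCP request bytes).
SAMPLE_TRAFFIC = [
    ("10.10.1.5",   bytes.fromhex("00010000000601030000000a")),            # read 10 holding registers: fine
    ("203.0.113.7", bytes.fromhex("00020000000601050010ff00")),            # write coil 16 ON from outside
    ("10.10.1.5",   bytes.fromhex("0003000000060106002805dc")),            # write register 40 = 1500, allowed host
    ("203.0.113.7", bytes.fromhex("00040000000b0110000000020400000000")),  # write 2 registers from outside
    ("203.0.113.7", bytes.fromhex("00050001000601030000000a")),            # protocol id 1: malformed
]


def run(traffic=SAMPLE_TRAFFIC) -> list:
    """Inspect every frame and return the alerts in traffic order."""
    return [a for a in (inspect(ip, f) for ip, f in traffic) if a is not None]


if __name__ == "__main__":
    for alert in run():
        print(f"ALERT {alert['src']}: {alert['name']} ({alert['detail']})")
```

Run as-is it prints three alerts (the coil write, the multi-register write, and the bad protocol id) and stays silent on the two requests from the engineering workstation. A production sensor would feed this from a span port or pcap rather than a hard-coded list, and would key the allowlist on the unit id and register ranges as well as the source address, but the decision logic is the same.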

Continuous monitoring paired with high-fidelity deception technology is also valuable for separating real intrusions from hacktivist propaganda: the honeypot telemetry from this campaign yields concrete indicators of compromise and shows what the group can actually do, as opposed to what it claims on Telegram.

Key Indicators of Compromise:

  • IP addresses: 45.157.234[.]199, 87.150.146[.]207, 95.90.199[.]75, 212.83.190[.]55, 2.181.103[.]232
  • User account creation: "BARLATI"
  • JavaScript injection via CVE-2021-26829
  • SQL enumeration through sql.shtm interfaces
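The indicators above can be turned into a simple hunt over HMI web-server access logs. The Python below is an added example, not part of the Forescout report or this article: it parses combined-log-format lines, matches the source address against the listed IPs, and flags requests to the sql.shtm interface, references to the BARLATI account, and script payloads of the kind used against the login page. The log lines are constructed for the example, and the paths /login.htm and /users.shtm and the request date are assumptions; the article names only sql.shtm.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Indicators from the article (defanged there; plain dotted form here for matching).
IOC_IPS = {
    "45.157.234.199", "87.150.146.207", "95.90.199.75",
    "212.83.190.55", "2.181.103.232",
}
IOC_USER = "barlati"

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

UA_TWONET = "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0"

# Constructed sample log lines. The date and the paths /login.htm and /users.shtm are
# assumptions for this example; the article names only the sql.shtm interface.
SAMPLE_LOG = "\n".join([
    f'45.157.234.199 - - [09/Sep/2025:08:22:05 +0000] "POST /login.htm HTTP/1.1" 302 0 "-" "{UA_TWONET}"',
    f'45.157.234.199 - - [09/Sep/2025:08:24:41 +0000] "GET /sql.shtm?query=SELECT+t.TABLENAME+FROM+sys.systables+t HTTP/1.1" 200 1842 "-" "{UA_TWONET}"',
    '10.0.5.12 - - [09/Sep/2025:09:10:03 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"',
    f'45.157.234.199 - - [09/Sep/2025:15:31:17 +0000] "POST /users.shtm?action=add&username=BARLATI HTTP/1.1" 200 311 "-" "{UA_TWONET}"',
    f'45.157.234.199 - - [09/Sep/2025:15:33:02 +0000] "POST /login.htm?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 0 "-" "{UA_TWONET}"',
])


@dataclass
class Hit:
    line_no: int
    ip: str
    path: str
    reasons: list = field(default_factory=list)


def classify(ip: str, path: str) -> list:
    """Return the indicator names a request matches (empty list if none)."""
    reasons = []
    if ip in IOC_IPS:
        reasons.append("ioc_ip")
    decoded = unquote(path).lower()          # decode %3C etc. before matching
    if "sql.shtm" in decoded:
        reasons.append("sql_interface")       # direct database access through the HMI
    if IOC_USER in decoded:
        reasons.append("barlati_user")        # the backdoor account name
    if "<script" in decoded or "javascript:" in decoded:
        reasons.append("script_injection")    # payload like the one used against the login page
    return reasons


def hunt(log_text: str) -> list:
    """Scan access-log text and return a Hit for every line matching an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                           # unparseable line; a real tool would count these
        reasons = classify(m["ip"], m["path"])
        if reasons:
            hits.append(Hit(n, m["ip"], m["path"], reasons))
    return hits


def summarize(hits: list) -> dict:
    """Collapse hits into {source ip: set of indicator names} for triage."""
    summary = {}
    for h in hits:
        summary.setdefault(h.ip, set()).update(h.reasons)
    return summary


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.ip} {h.path} -> {', '.join(h.reasons)}")
```

Any hit on sql.shtm deserves a look regardless of the source address: that interface should not be reachable from outside the engineering network at all, so the rule is useful even after the listed IPs have rotated. The IP match is the weakest of the four signals for the same reason.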

Hacktivist groups are expanding beyond DDoS into industrial control systems, and critical infrastructure operators should treat that as a lasting change rather than a one-off. Political motivation, growing technical ability, and coordination across groups together make a threat that warrants prompt and thorough defensive work.