Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
A “hacked” water system: hacktivism becomes digital propaganda

Redazione RHC: 24 October 2025 09:57

In September, Forescout specialists detected a targeted attack on their honeypot server, which mimicked the control system of a water treatment plant. A new hacktivist group, TwoNet, operating in an environment associated with attacks on industrial infrastructure, claimed responsibility for the attack.

The group members accessed the interface, modified settings, deleted data sources, and disabled some processes without attempting to gain control of the host. Their goal was to demonstrate their ability to interfere and then spread the claim of having “hijacked a real system” on a Telegram channel.

The attack began in the morning from an IP address registered with the German hosting provider Dataforest GmbH. Access to the system was gained using the default “admin/admin” credentials. After logging in, the attackers attempted to execute SQL queries to gather information about the database structure and then created a new account with the username “BARLATI.”

A few hours later, they returned with this username and replaced the text on the login page, triggering a pop-up window reading “HACKED BY BARLATI.” They simultaneously deleted connected controllers, changed parameter values, and disabled logs and alerts. The CVE-2021-26829 vulnerability was used to falsify the page’s content.

TwoNet emerged in early 2025 and quickly gained visibility thanks to a combination of aggressive claims and chaotic activity. Initially, it specialized in DDoS attacks, but later shifted to attempts to interfere with industrial process control systems. The group’s Telegram channel publishes screenshots and videos purportedly from SCADA and HMI interfaces of various companies. The posts mention “hacking” solar panels, heating systems, and biomass boilers in European countries, but there is no evidence to support these claims. Analysts note that many of the images come from publicly available demo panels.

Associated TwoNet accounts, including BARLATI and DarkWarios, also promoted commercial offers: control panel access rentals, DDoS services, and even ransomware sales at inflated prices. This suggests an attempt to monetize attention and present themselves as part of a larger organization. In the weeks preceding the channel’s closure, members of the group announced alliances with other hacktivist groups, including CyberTroops and OverFlame, allowing them to promote each other and create the appearance of a larger network.

Experts note that their honeypots have also recorded other attacks on industrial controllers and Modbus protocols, often originating from European and Middle Eastern addresses. In one case, attackers used default passwords and then exploited the CVE-2021-26828 vulnerability to inject a web shell and gain access to HMI settings. Another incident involved coordinated attempts to modify PLC parameters via Modbus and S7, which could potentially disrupt processes on real systems.

The analysis revealed that attackers use standard tools, such as Metasploit and pre-made scripts, and their behavior indicates manual monitoring and basic knowledge of industrial protocols. These attacks are often carried out without prior scanning and often target unprotected internet-accessible devices.

According to Forescout, hacktivist groups are increasingly focusing on industrial targets. While the reported attacks are unconfirmed, they demonstrate a trend of interest and the potential for repeated attacks against real targets. Companies in the water and energy sectors are particularly vulnerable, as access to operator or controller interfaces often requires no authentication, and logging and monitoring are conducted selectively.

Experts advise control system owners to avoid weak authentication and the use of default passwords, not to expose interfaces directly to the Internet, to strictly segment IT and OT networks, to restrict access to administrative ports using IP lists, and to implement monitoring with deep packet inspection capable of tracking Modbus and S7 commands. It’s also important to pay attention to outgoing traffic to prevent devices from being used in Distributed Denial of Service (DDoS) attacks.
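As an added illustration of the monitoring advice above (this is example code, not part of the Forescout report or of this article), the snippet below parses Modbus/TCP requests and raises an alert when a write function code arrives from a host that is not on the allowlist of authorized writers; the frames and IP addresses are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Modbus/TCP function codes that change PLC state (coil/register writes).
# Reads (0x01-0x04) only observe; writes are what alters process parameters.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes  # PDU data after the function code

def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus PDU of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src_ip, tid, unit, frame[7], frame[8:])

def flag_unauthorized_writes(frames: Iterable[Tuple[str, bytes]], allowlist: Set[str]) -> List[str]:
    """Return one alert string per write request from a host outside the allowlist."""
    alerts = []
    for src_ip, frame in frames:
        req = parse_modbus_tcp(src_ip, frame)
        name = WRITE_FUNCTION_CODES.get(req.function_code)
        if name and src_ip not in allowlist:
            addr = struct.unpack(">H", req.payload[:2])[0]  # starting register/coil
            alerts.append(f"{src_ip} -> unit {req.unit_id}: {name} at address {addr}")
    return alerts

# Constructed sample traffic: a read and a write from the HMI, a write from an unknown host.
SAMPLE_FRAMES = [
    ("10.0.5.10", bytes.fromhex("0001000000060103000a0002")),    # Read Holding Registers
    ("10.0.5.10", bytes.fromhex("000200000006010600100001")),    # Write Single Register (HMI)
    ("203.0.113.7", bytes.fromhex("0003000000060106001000ff")),  # Write Single Register (outsider)
]
ALLOWED_WRITERS = {"10.0.5.10"}

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print("ALERT:", alert)
```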

Hacktivism, according to Forescout, is becoming an arena where cyber prestige is more important than results. Groups disappear, change names, and reappear, but their members and methods remain. This is why honeypot analysis is becoming a key tool for understanding the direction of new waves of attacks on industrial infrastructure.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
