
Introduction
In September 2025, cybersecurity researchers witnessed a stark evolution in hacktivist behavior. A pro-Russian group known as TwoNet attempted to compromise a decoy water treatment facility in a controlled honeypot operation conducted by Forescout’s Vedere Labs. Unlike traditional web defacement or simple ransomware attacks, this incident underscored a shift toward sophisticated intrusions targeting operational technology (OT) and industrial control systems (ICS). The attack revealed both the technical skill and adaptability of modern hacktivists and raised urgent questions about industrial cybersecurity preparedness.
Summary of the Incident
The attack began with TwoNet exploiting weak authentication on a human-machine interface (HMI), using default credentials (“admin/admin”) to gain unauthorized access. Once inside, the attackers attempted SQL enumeration to map database structures. Initial queries failed, but modified attempts succeeded, exposing schema data and highlighting their hands-on, adaptive approach.
TwoNet then leveraged a known HMI vulnerability, CVE-2021-26829, to inject malicious JavaScript, defacing the login page. The attackers created a persistent account named “BARLATI” and performed destructive actions, including deleting controller data sources, manipulating PLC setpoints, and disabling alarm logs to avoid detection.
Honeypot logs traced initial activity to IP 45.157.234[.]199 (AS58212, Dataforest GmbH) using Linux Firefox user agents, suggesting manual rather than automated exploitation. Analysis revealed linked operations leveraging CVE-2021-26828 to drop Java-based webshells, followed by further tampering via the same interfaces.
Connections were found to EU-sanctioned infrastructure providers such as PQ Hosting Plus SRL, indicating ties to Russian cyber operations. Parallel honeypots recorded synchronized PLC-targeted intrusions from Iranian IPs, using Metasploit’s Modbus module and exploiting Modbus, S7comm, and HTTP interfaces. These sequences involved reading and overwriting coil registers and altering device states, demonstrating increasing fluency in ICS-level attacks.
Forescout analysts concluded that TwoNet likely coordinated with allied hacktivist groups such as CyberTroops and OverFlame. These alliances let the groups share intelligence, personnel, and tactics across rebranded entities, increasing the scale of the threat.
Experts recommend hardening OT environments by eliminating default passwords, removing internet exposure for IoT/OT devices, enforcing strong authentication, segmenting networks, and monitoring using OT-aware deep packet inspection (DPI) to detect anomalous writes or protocol misuse.
The report also lists Indicators of Compromise (IoCs), including the five source IP addresses observed in these operations.
What Undercode Says:
TwoNet’s recent activity signals a broader shift in hacktivist strategy from opportunistic online vandalism toward highly targeted attacks on critical infrastructure. Exploiting exposed HMIs, default credentials, and legacy vulnerabilities demonstrates a preference for low-barrier entry points that can escalate into potentially catastrophic OT disruptions. Unlike automated malware campaigns, these attacks are clearly manual, iterative, and adaptive.
The creation of persistent accounts like “BARLATI” suggests a focus on long-term footholds rather than one-off defacements. By manipulating PLC setpoints and disabling alarm logs, the attackers show knowledge of ICS operational dependencies, raising concerns about safety-critical processes in water, energy, and manufacturing facilities. The use of CVE-2021-26829 and CVE-2021-26828 also shows that years-old, publicly documented vulnerabilities are still being exploited, emphasizing the need for diligent vulnerability management.
The coordination with other hacktivist groups such as CyberTroops and OverFlame is particularly troubling. By pooling tools, infrastructure, and operational knowledge, these alliances allow a multiplicative effect: one group’s success informs others, while shared infrastructure obscures attribution and complicates mitigation. The involvement of sanctioned hosting providers further underscores the geopolitical dimension of these attacks, blending hacktivism with state-aligned cyber operations.
Interestingly, parallel Iranian-origin PLC attacks observed in honeypots indicate a global trend: adversaries are no longer siloed. Multiple actors now actively probe, read, and manipulate industrial protocols such as Modbus and S7comm, signaling growing familiarity with ICS architecture. These operations, once limited to nation-state actors, are now accessible to motivated hacktivists with moderate technical skills but substantial collaborative networks.
Mitigation requires not just technical fixes but organizational vigilance. Eliminating default credentials, network segmentation, and strong authentication are critical first steps. Continuous OT-aware monitoring must evolve from simple anomaly detection to full protocol analysis, capable of identifying subtle manipulations like coil register overwrites or unauthorized logic changes. The Forescout findings serve as a blueprint for proactive defense: anticipate adversary adaptability, enforce layered security, and cultivate threat intelligence partnerships.
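As an added example (not code from the original article or from Forescout), this is the kind of check an OT-aware DPI rule applies to the Modbus coil and register writes described in the recommendations above: parse the Modbus/TCP header and alert on any write function code from a host outside an assumed engineering-workstation allow-list. The hosts, addresses and frames below are constructed for illustration.

```python
"""Added example (not Forescout's or the article's code): a minimal Modbus/TCP
parser plus the allow-list rule an OT-aware DPI sensor would apply to writes."""
import struct
from dataclasses import dataclass

WRITE_FUNCTIONS = {  # function codes that change PLC state (public Modbus spec)
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int  # starting coil/register address from the PDU

def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the PDU function code and address."""
    if len(payload) < 10:
        raise ValueError("truncated Modbus/TCP frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("bad protocol id or MBAP length")
    func, addr = struct.unpack(">BH", payload[7:10])
    return ModbusRequest(tid, unit, func, addr)

def detect_unauthorized_writes(flows, engineering_hosts):
    """flows: iterable of (src_ip, payload). Returns one alert per write
    request whose source is not in the engineering_hosts allow-list."""
    alerts = []
    for src, payload in flows:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError:
            continue  # malformed frame; a real sensor would log this too
        if req.function in WRITE_FUNCTIONS and src not in engineering_hosts:
            alerts.append(f"{src} -> unit {req.unit_id}: "
                          f"{WRITE_FUNCTIONS[req.function]} at address {req.address}")
    return alerts

# Constructed sample frames (hypothetical hosts, not honeypot captures).
SAMPLE_FLOWS = [
    ("10.0.0.5", bytes.fromhex("00010000000601050010ff00")),    # allowed coil write
    ("192.0.2.10", bytes.fromhex("000200000006010100000008")),  # read coils: no alert
    ("192.0.2.10", bytes.fromhex("000300000006010500100000")),  # force coil OFF: alert
    ("192.0.2.10", bytes.fromhex("000400000006010600020bb8")),  # setpoint write: alert
]
```

Calling `detect_unauthorized_writes(SAMPLE_FLOWS, {"10.0.0.5"})` yields two alerts, one for the coil write and one for the register write from the unlisted host, while the read request and the engineering workstation's write pass silently.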
Finally, the increasing sophistication of hacktivists raises questions about the future of industrial cybersecurity. If adversaries continue exploiting vulnerabilities manually while sharing knowledge across networks, the attack surface will expand rapidly. Organizations must embrace both technological and strategic defenses, integrating real-time monitoring with incident simulation exercises to preempt operational disruptions.
🔍 Fact Checker Results:
✅ TwoNet exploited default credentials and known HMI vulnerabilities.
✅ IPs linked to EU-sanctioned providers were involved in operations.
❌ No evidence suggests actual water treatment disruption occurred—attack was simulated in a honeypot.
📊 Prediction:
🌐 Hacktivist campaigns targeting OT and ICS will likely increase in frequency and sophistication over the next 12–18 months.
⚡ Expect more alliances between hacktivist networks, combining intelligence and toolsets to achieve strategic objectives.
🛡 Organizations that fail to eliminate exposed HMIs or maintain segmented, monitored networks may face operational disruptions beyond mere defacement.
References:
Reported By: cyberpress.org