TwoNet Hackers Target Water Utility in Latest OT Cyberattack

Essential Insights

1. Hacktivist Groups Target Critical Infrastructure: In September 2025, TwoNet, a pro-Russian hacktivist group, targeted a water treatment plant honeypot, gaining access to the HMI to deface, disrupt, and manipulate systems, marking a significant escalation in OT/ICS attacks.

2. Emerging Tactics and Alliances: TwoNet expanded from DDoS to diverse operations, including propaganda, doxing, ransomware offerings, and hack-for-hire services, often sharing tactics and targets with affiliated hacktivist groups, demonstrating rapid growth and collaboration.

3. State-Linked and Criminal Threats: Attacks from Iran and Russia involving Modbus, S7, and HTTP protocols reveal inconsistent but targeted probing of OT and ICS environments, indicating both nation-state and criminal actors are actively exploring vulnerabilities.

4. Security Recommendations and Industry Implications: Forescout urges organizations to eliminate default credentials, enforce strong authentication, segment networks, restrict direct internet access, and utilize continuous monitoring to defend increasingly targeted critical infrastructure from evolving threats.

What’s the Problem?

In September 2025, cybersecurity researchers from Forescout uncovered a sophisticated attack on a cleverly designed honeypot that simulated a water treatment plant, where a pro-Russian hacktivist group called TwoNet gained unauthorized access to the plant’s human-machine interface (HMI). This group, aligned with Russian interests and capable of disruptive cyber activity, utilized default credentials to infiltrate the system, then conducted web-based operations such as defacing interfaces and attempting to manipulate critical processes. Their goal appeared to be to demonstrate their capabilities and claim publicity, as they later publicly boasted about the attack on their Telegram channel, trying to conceal their real intentions behind propaganda campaigns that included doxing and cyber extortion tactics.

Additionally, separate malicious activities linked to actors in Russia and Iran targeted programmable logic controllers (PLCs) and operational technology (OT) protocols like Modbus, revealing a broader pattern of threats to vital infrastructure. These attacks, observed through honeypots and network scans, exposed the evolving tactics of threat actors who are increasingly focusing on industrial control systems, often with limited sophistication but growing in ambition and coordination—highlighting the urgent need for utilities and infrastructure operators to bolster security measures such as robust authentication, network segmentation, and continuous monitoring. The report, authored by Forescout’s Vedere Labs, emphasizes that while some of these activities are overt and claimable, many remain covert, underscoring the complex and persistent nature of cyber threats targeting essential services worldwide.

Potential Risks

The recent Forescout research highlights the escalating cyber risks targeting critical infrastructure, evidenced by a September 2025 attack by the pro-Russian hacktivist group TwoNet on a honeypot mimicking a water treatment plant. By exploiting default credentials and operating through industrial protocols like Modbus and S7, the group gained access to human-machine interfaces, defaced systems, disrupted processes, and attempted evasion, reflecting evolving tactics that now include operational technology and industrial control systems (OT and ICS). Such activity underscores how hacktivist groups, often with connections to state actors like Russia and Iran, are transitioning from superficial DDoS or defacement to deeper, more dangerous intrusions into utilities—sectors already vulnerable due to limited security investments and awareness—posing significant threats to public safety and national security. These incidents reveal that while some attacker actions are superficial or misjudged, they signal a clear trend towards more sophisticated, collaborative, and potentially damaging campaigns, emphasizing the critical need for robust cybersecurity measures like network segmentation, strong authentication, continuous monitoring, and proactive threat intelligence to defend against the increasing, multifaceted cyber threat landscape affecting essential services worldwide.

Possible Actions

Prompt Response

Immediate action is crucial when cybersecurity threats, like those revealed by Forescout involving TwoNet hacktivists targeting a water utility honeypot, are detected; swift remediation prevents further damage, preserves critical infrastructure, and minimizes operational disruption.

Mitigation Steps:

• Network Segmentation: Isolate critical systems from general networks to contain threats.
• Patch Management: Regularly update and patch all systems to close security gaps.
• Intrusion Detection: Deploy advanced monitoring tools to identify suspicious activity early.
• Access Controls: Enforce strict user authentication and limit administrative privileges.
• Threat Hunting: Conduct proactive searches for indicators of compromise to catch threats quickly.
• Incident Response Plan: Prepare and rehearse procedures to respond effectively when breaches occur.
• Vendor Collaboration: Work with suppliers and cybersecurity experts for advice and support.
• Employee Training: Educate staff on cybersecurity best practices and recognizing threats.
• Vulnerability Assessments: Regularly evaluate systems to identify and address weaknesses.
• Backup and Recovery: Maintain secure backups to restore systems swiftly if compromised.

Explore More Security Insights

Stay informed on the latest Threat Intelligence and Cyberattacks.

Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1