Hacktivist Group TwoNet Exposed: Fabricated Water Utility Attack After Breaching OT Honeypot with Default Credentials
Forescout specialists recorded a targeted intrusion in September against a honeypot simulating the control system of a water-treatment facility. A newly emerged hacktivist collective calling itself TwoNet claimed responsibility; the group operates within an ecosystem increasingly associated with attacks on industrial infrastructure. Its members accessed the operator interface, altered configurations, removed data sources, and disrupted portions of the process flow—without attempting to seize full host control. The apparent objective was to demonstrate the feasibility of interference and to amplify a claim of a “real-world compromise” via a Telegram channel.
The intrusion originated in the morning from an IP address registered to the German hosting provider dataforest GmbH. Attackers gained access using the default credentials admin/admin. After logging in, they executed SQL probes to enumerate the database schema, then created a new account named BARLATI. Several hours later they returned under that account and replaced the login page text, triggering a popup that read “HACKED BY BARLATI.” Concurrently, they removed attached controllers, modified parameter values, and disabled logging and alerting. The login-page tampering exploited vulnerability CVE-2021-26829.
TwoNet surfaced in early 2025 and quickly drew attention through a blend of belligerent rhetoric and erratic activity. Initially focused on DDoS operations, the group has since shifted toward attempted meddling in process-control systems. Its Telegram channel features screenshots and videos purportedly taken from SCADA and HMI interfaces of various enterprises. Posts boast of “hacks” against solar arrays, heating systems, and biomass boilers across European countries, yet independent corroboration is lacking; analysts note many images appear to be lifted from public demo dashboards.
The group’s affiliated personas, including BARLATI and DarkWarios, have marketed commercial services—rental access to control panels, DDoS-for-hire, and even an overpriced ransomware package—suggesting a bid to monetize attention and feign a larger coalition. In the weeks before several channels were shuttered, members announced alliances with other hacktivist teams such as CyberTroops and OverFlame, enabling mutual promotion and the illusion of an expansive network.
Forescout’s honeypots also logged other assaults against industrial controllers and Modbus protocols, often originating from European and Middle Eastern addresses. In one incident, attackers relied on default credentials and subsequently exploited CVE-2021-26828 to deploy a web shell and manipulate HMI settings. In another episode, coordinated attempts to alter PLC parameters via Modbus and S7 were observed—actions that, in a live environment, might have halted physical processes.
Analysis reveals the adversaries rely on common tools—Metasploit and off-the-shelf scripts—and that their operations reflect hands-on control and rudimentary familiarity with industrial protocols. Many of these intrusions occur without prior reconnaissance and target internet-exposed devices that lack adequate safeguards.
Forescout warns that the trend of hacktivist collectives turning toward industrial targets is intensifying. Even where claimed intrusions remain unverified, they signal the groups’ interests and the risk that such tactics will be replicated against actual facilities. Water utilities and energy providers are especially vulnerable: operator interfaces and controllers are frequently reachable without robust authentication, while logging and monitoring are applied inconsistently.
Experts advise system owners to eliminate weak authentication and default passwords; avoid exposing control interfaces directly to the internet; enforce stringent IT/OT network segmentation; restrict administrative-port access by IP allowlists; and deploy monitoring capable of deep packet inspection to track Modbus and S7 commands. Attention to outbound traffic is equally crucial to prevent devices from being co-opted into distributed attacks.
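As an added illustration of the deep-packet-inspection monitoring recommended above (example code written for this page, not Forescout's tooling), the following Python parses Modbus/TCP requests and raises an alert for any write function code sent from a source outside the engineering-workstation IP allowlist; the IP addresses and frames are constructed sample data, not captures from the honeypot.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state; plain reads are not alarmed.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    src_ip: str
    unit_id: int
    function: int
    address: int  # first coil/register address, -1 if the PDU carries none

def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    function = frame[7]
    address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else -1
    return ModbusRequest(src_ip, unit, function, address)

def classify(req: ModbusRequest, allowlist: set) -> str:
    """Writes are only acceptable from allowlisted engineering hosts."""
    if req.function not in WRITE_FUNCTIONS:
        return "read"
    return "write-allowed" if req.src_ip in allowlist else "ALERT-unauthorised-write"

def scan(frames, allowlist):
    """Classify (src_ip, frame) pairs; malformed frames are reported, not dropped."""
    results = []
    for src_ip, frame in frames:
        try:
            req = parse_modbus_tcp(src_ip, frame)
            results.append((src_ip, req.function, req.address, classify(req, allowlist)))
        except ValueError as err:
            results.append((src_ip, None, None, f"malformed: {err}"))
    return results

# Constructed sample traffic: 10.0.0.5 plays the allowlisted engineering workstation,
# 203.0.113.77 (documentation range) stands in for an internet-exposed attacker.
ALLOWLIST = {"10.0.0.5"}
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),          # FC3 read 10 regs
    ("10.0.0.5", bytes.fromhex("0002000000060106001000ff")),          # FC6 write, allowed
    ("203.0.113.77", bytes.fromhex("000300000006010600100000")),      # FC6 write reg 0x10
    ("203.0.113.77", bytes.fromhex("000400000009011000200001021234")),  # FC16 write
    ("203.0.113.77", bytes.fromhex("0005000000")),                    # truncated frame
]
```

Running `scan(SAMPLE_FRAMES, ALLOWLIST)` yields one row per frame; the two writes from 203.0.113.77 are alerted and the truncated frame is reported as malformed.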
Forescout’s observations suggest hacktivism has become a theatre of cyber prestige where notoriety often outweighs tangible impact. Groups vanish, rebrand, and reemerge, yet their personnel and techniques persist. For that reason, analysis of honeypots remains an essential means of understanding the vectors and trajectories of emerging waves of attacks against industrial infrastructure.