TwoNet Hacktivists Breach Decoy Water Treatment Plant, Alter PLC Setpoints and Disable Alarms Within 26 Hours

TwoNet breached a decoy water-treatment HMI in September, altering PLC setpoints and disabling alarms within about 26 hours after exploiting a known XSS vulnerability.

    A pro-Russian hacktivist group known as TwoNet successfully breached a realistic honeypot water-treatment environment in September, moving from initial access to disruptive actions in roughly 26 hours, security researchers said. The incident, observed and recorded by industrial-security specialists, illustrates the group’s rapid escalation from distributed denial-of-service operations to hands-on targeting of operational technology interfaces.

    Forescout, which operated the decoy environment to monitor attacker techniques, logged the first unauthorized activity at 08:22 local time on the day of the intrusion. Researchers say the intruder authenticated using default or weak credentials, created a new account named Barlati, and exploited a known cross-site scripting flaw tracked as CVE-2021-26829 to interact with the human-machine interface.

    “The attacker did not attempt privilege escalation or exploitation of the underlying host, focusing exclusively on the web application layer of the HMI.”

    The initial exploitation triggered an on-screen pop-up that displayed the message “Hacked by Barlati,” a low-sophistication demonstration that immediately signaled intrusion. Over the next day the actor progressed to operational interference: disabling real-time updates by removing connected programmable logic controllers from the data-source list, and modifying PLC setpoints through the HMI, actions that would have disrupted monitoring and could have impacted process safety in a live environment.

    Timeline and Observed Actions in the Decoy Environment

    Forescout’s recorded timeline shows rapid attacker progression after discovery of weak access controls. At 08:22 the adversary gained a foothold and created the Barlati user. The actor then leveraged the XSS vulnerability to force an HMI alert and to perform further web-layer interactions. The researchers observed modifications to PLC configuration displayed in the HMI and the intentional removal of PLCs from the HMI’s data sources, effectively severing real-time telemetry.

    Researchers noted that the actor deliberately disabled logging and alarm channels within the HMI, hindering real-time detection and response. The intruder’s final recorded session occurred the following day at 11:19 AM, after which no further logins were observed in the monitored honeypot.

    Forescout characterized the operational pattern as narrowly focused on the HMI web application, rather than an attempt to gain deeper host or network privileges. That distinction informed the researchers’ analysis of attacker intent and capability: by exploiting application-layer weaknesses, the adversary effected potentially disruptive changes without engaging in more technically complex host compromise.

    TwoNet’s Evolution From DDoS to Hands-On Targeting of Industrial Interfaces

    TwoNet first gained attention for distributed denial-of-service campaigns aimed at organizations perceived as supporting Ukraine. In less than a year the group has expanded its tactics to include probing and attacking industrial control interfaces. Monitoring of the group’s public channels revealed boasts of attempts to access HMI and SCADA dashboards for critical infrastructure in what the actors described as operations against “enemy countries.”

    Researchers caution that the group’s shift reflects a broader trend among hacktivist and low-sophistication threat actors: when accessible, poorly secured industrial web applications present an attractive and low-effort vector for causing disruption or creating demonstrable impact. The Forescout team emphasized that even limited web-layer access can permit attackers to alter setpoints, suppress alarms and obscure evidence of manipulation—actions with clear operational consequences.

    Technical Findings and Vulnerability Details

    The exploitation involved CVE-2021-26829, an older stored cross-site scripting vulnerability that remains exploitable in unpatched or poorly configured HMI web front ends. The attacker used the XSS issue to trigger UI elements and to manipulate HMI functionality visible to operators. Researchers highlighted that the actor did not pursue privilege escalation on hosts or attempt to chain additional vulnerabilities; instead, they used the application's normal controls to make the changes.

    Forescout’s observations underscore common weaknesses in operational environments: default credentials, lack of web-application hardening, insufficient segmentation between IT and OT web interfaces, and weak monitoring that fails to correlate operator-level changes with backend logs. The researchers pointed to the speed of the attack—about 26 hours from access to disruption—as evidence that hands-on-keyboard operations against exposed HMIs can cause rapid and tangible harm.

    Recommendations and Implications for Critical Infrastructure Operators

    Security specialists responding to the incident urged organizations that operate HMI and SCADA systems to prioritize basic hygiene and defensive measures: enforce strong, nondefault credentials; apply vendor patches addressing known CVEs; remove or restrict web interfaces from public or lightly vetted networks; enforce two-factor authentication for administration; and maintain robust logging that feeds into centralized detection systems.

    Experts also recommended layering defenses with strict segmentation between enterprise IT and control networks, network-level access controls that whitelist management hosts, and routine validation of HMI configuration and setpoint integrity. Regular simulation and tabletop exercises that include scenarios where alarms and telemetry are suppressed are also advised to ensure operational staff can detect and respond to deceptive manipulations.
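The article faults monitoring that fails to correlate operator-level changes with backend logs and recommends logging that feeds centralized detection. The following added example is not Forescout's code and does not use any real HMI's log format: it parses constructed key=value audit lines modelled on the sequence described above and flags a newly created account that removes data sources, disables alarms and changes setpoints within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit lines mirroring the sequence in the article; the
# field layout, date and values are invented, not any vendor's real HMI log.
SAMPLE_AUDIT_LOG = """\
2025-09-10 08:22:04 user=admin action=login result=success
2025-09-10 08:23:10 user=admin action=create_user target=Barlati
2025-09-10 08:40:51 user=Barlati action=login result=success
2025-09-10 09:02:13 user=Barlati action=remove_datasource target=PLC-1
2025-09-10 09:03:45 user=Barlati action=set_setpoint target=PLC-2.sp1 old=1.2 new=4.8
2025-09-10 09:05:02 user=Barlati action=disable_alarm target=PLC-2.high_level
2025-09-11 11:19:30 user=Barlati action=login result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kv>.*)$")
# Actions that blind operators (telemetry/alarm suppression) vs. process changes.
TELEMETRY_SUPPRESSION = {"remove_datasource", "disable_alarm", "disable_logging"}
PROCESS_CHANGE = {"set_setpoint", "write_tag"}


def parse_audit(text):
    """Turn key=value audit lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def correlate(events, window=timedelta(hours=48)):
    """Flag accounts created in the log that then suppress telemetry and alter setpoints."""
    findings = []
    created = {e["target"] for e in events if e["action"] == "create_user"}
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        actions = {e["action"] for e in evs}
        if user in created and actions & (TELEMETRY_SUPPRESSION | PROCESS_CHANGE):
            findings.append(("new_account_control_change", user))
        sup = [e["ts"] for e in evs if e["action"] in TELEMETRY_SUPPRESSION]
        chg = [e["ts"] for e in evs if e["action"] in PROCESS_CHANGE]
        # Suppression plus a setpoint change by one user inside the window is the
        # "blind the operator, then alter the process" pattern from the honeypot.
        if sup and chg and max(sup + chg) - min(sup + chg) <= window:
            findings.append(("suppression_with_setpoint_change", user))
    return findings
```

In a real deployment the parser would be replaced by the HMI's actual audit export and the findings forwarded to the central detection system the article recommends.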

    The TwoNet incident demonstrates the attractiveness of industrial web applications to opportunistic actors and the limited technical investment required to create operational effects when environments are insufficiently protected. Forescout’s use of a decoy environment provided a controlled view of the adversary’s tactics and timeline, but the researchers warned that real facilities with exposed HMIs could face immediate and harder-to-recover consequences.

    Authorities and critical-infrastructure operators are being urged to review external exposure of HMI/SCADA interfaces and to report suspicious access patterns promptly. The Forescout team continues to monitor TwoNet’s public activity and is sharing technical indicators with sector partners and relevant incident-response communities to support broader detection and mitigation efforts.
