In the shadowy world of cybersecurity, where digital skirmishes can spill into the real world, a recent incident serves as a stark reminder of how quickly hacktivist threats to critical infrastructure evolve. Imagine a water treatment plant humming along, its controls quietly managing flows and chemicals—until a hacker slips in, disables alarms, and slaps a taunting pop-up on the screen: “Hacked by Barlati.” Sounds like a scene from a thriller? It nearly was, except this “plant” was a clever decoy, designed to lure attackers into revealing their playbook. But the real story here isn’t the bait; it’s the baiters—pro-Russian hacktivists who, in under 26 hours, went from knocking on the door to trashing the living room. This event, uncovered by Forescout researchers, spotlights two intertwined dangers: the urgent need to fortify critical infrastructure against fast-moving cyber foes like hacktivist groups, and the blurring lines between hacktivists and nation-state actors who pull the strings from afar.
The Attack Unpacked: From Default Passwords to Digital Defacement
Let’s rewind to September 2025. At 8:22 AM, the pro-Russian group TwoNet—known for their opportunistic cyber antics—gained a foothold in what they thought was a legitimate water treatment facility’s human-machine interface (HMI). How? The oldest trick in the book: default credentials. No fancy zero-days, just lazy security letting opportunists waltz right in.
From there, it escalated swiftly. The attackers fired off SQL queries to map the databases, nailing it on their second try. They spun up a new admin account (“Barlati,” naturally), then exploited a dusty stored cross-site scripting (XSS) flaw—CVE-2021-26829, a vulnerability from four years prior—to flash their victory message across the HMI. But they didn’t stop at graffiti. Within 26 hours, they’d yanked programmable logic controllers (PLCs) from data feeds, tweaked setpoints to gum up operations, and silenced logs and alarms. By 11:19 AM the next day, they logged off, smugly announcing their “win” on Telegram.
The twist? This was all a honeypot—a simulated setup by Forescout to study real-world hacktivist threats to operational technology (OT) and industrial control systems (ICS). No water was poisoned, no processes halted. But the insights? Priceless. TwoNet, oblivious to the ruse, stuck to the web layer of the HMI, skipping deeper exploits like privilege escalation. As Forescout noted, “The attacker did not attempt privilege escalation or exploitation of the underlying host, focusing exclusively on the web application layer of the HMI.” It’s a snapshot of amateur hour with pro-level disruption potential for critical infrastructure.
The Rise of Hacktivists Against Critical Infrastructure: From DDoS Disruptors to ICS Intruders
TwoNet isn’t some basement-dwelling lone wolf; they’re part of a hacktivist wave that’s maturing at an alarming rate. Formed less than a year ago, the group started with run-of-the-mill DDoS barrages against Ukraine supporters. Now? They’re doxxing intelligence officers, hawking ransomware-as-a-service (RaaS), and peddling initial access to Polish SCADA systems on the dark web. Their Telegram boasts of hitting “enemy countries'” critical infrastructure, from power grids to water plants.
This pivot isn’t isolated. Forescout researchers observed, “This pattern mirrors other groups that have shifted from ‘traditional’ DDoS/defacement into OT/ICS operations.” Pro-Russian crews like NoName057(16) and KillNet have followed suit, evolving from script-kiddie pranks to targeted disruptions that could cascade into blackouts or contaminated supplies. Why now? Geopolitical tensions, cheap tools, and the thrill of real-world impact. Hacktivists thrive on virality—that pop-up wasn’t just sabotage; it was propaganda.
But here’s where it gets murky: the “rise of nation-state actors.” Hacktivists like TwoNet often operate in gray zones, fueled by ideology but amplified by state sponsors. Russia’s hybrid warfare playbook—seen in the 2022 Oldsmar water hack attempt or the 2015 Ukraine power grid takedown by Sandworm—relies on deniable assets like these groups. They provide plausible deniability: “Not us, just angry patriots!” Yet shared tactics (e.g., SQL enumeration, HMI tweaks) echo state-backed ops, suggesting training, funding, or even direct tasking. As conflicts simmer from Ukraine to the Middle East, expect more “independent” hackers to conveniently align with Kremlin or other state agendas, blurring the line between activism and aggression against critical infrastructure.
Securing the Lifelines: Lessons from the Decoy
Critical infrastructure—power, water, transport—isn’t just vital; it’s vulnerable by design. Legacy OT systems prioritize uptime over patches, exposing them to exploits like CVE-2021-26829 that should have been retired years ago. This honeypot hack screams for action. Here’s a roadmap to harden your defenses, drawn straight from Forescout’s playbook and broader best practices:
| Threat Vector | Risk Exposed | Mitigation Strategy |
| --- | --- | --- |
| Weak Authentication | Default creds as entry point | Enforce multi-factor authentication (MFA) and rotate credentials regularly. Ban defaults outright—tools like Active Directory can automate this. |
| Exposed Web Interfaces | HMI/SQL access from the open web | Segment OT networks with air-gaps or VLANs. Use IP whitelisting and zero-trust access; never expose HMIs publicly. |
| Unpatched Vulnerabilities | Old XSS flaws enabling defacement | Prioritize OT patching with staged rollouts to avoid downtime. Scan for CVEs using tools like Nessus tailored for ICS. |
| Lack of Visibility | Silent disruptions (disabled logs/alarms) | Deploy protocol-aware monitoring (e.g., Forescout’s solutions) to detect anomalous SQL queries or setpoint changes in real time. Integrate SIEM for OT logs. |
| Insider/Opportunistic Threats | Rapid escalation to sabotage | Conduct regular red-team exercises mimicking hacktivists. Train staff on phishing and anomaly spotting; simulate honeypots internally for early warnings. |
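To make the “Lack of Visibility” row concrete, here is an added example (not from Forescout or the original post) of simple SIEM-style detection logic run over a constructed HMI audit log that follows the stages described above: default-credential login, SQL enumeration, new admin account, alarms and logs silenced, then setpoint and PLC changes. The log format, field names, IP address, PLC and tag names are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample HMI audit log (not real data), ordered like the chain
# described in the post. The account name "Barlati" is the one the post cites.
SAMPLE_LOG = """\
2025-09-10T08:22:04 src=198.51.100.7 user=admin event=login result=ok default_cred=yes
2025-09-10T08:25:41 src=198.51.100.7 user=admin event=sql_query stmt="SELECT name FROM sysobjects"
2025-09-10T08:31:10 src=198.51.100.7 user=admin event=user_create target=Barlati role=admin
2025-09-10T09:02:33 src=198.51.100.7 user=Barlati event=alarm_config state=disabled
2025-09-10T09:03:12 src=198.51.100.7 user=Barlati event=log_config state=disabled
2025-09-10T09:05:00 src=198.51.100.7 user=Barlati event=setpoint_change tag=CL2_DOSE old=1.2 new=4.8
2025-09-10T09:06:30 src=198.51.100.7 user=Barlati event=plc_link plc=PLC01 state=disconnected
"""

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # trailing key=value pairs, values may be quoted

def parse(log):
    """Parse log lines into dicts; silently skip lines that do not match the assumed format."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m: continue
        ev = m.groupdict()
        ev.update((k, v.strip('"')) for k, v in KV.findall(ev.pop("rest")))
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def detect(log, quiet_window=timedelta(hours=1)):
    """Return alerts per source IP; process changes made shortly after alarms or
    logs were disabled are flagged, since that is the 'silent disruption' pattern."""
    alerts = defaultdict(list)
    silenced_at = {}  # src -> first time that source disabled alarms or logging
    for ev in parse(log):
        src, e = ev["src"], ev["event"]
        if e == "login" and ev.get("default_cred") == "yes":
            alerts[src].append("default-credential login")
        elif e == "sql_query":
            alerts[src].append("SQL enumeration from HMI session")
        elif e == "user_create" and ev.get("role") == "admin":
            alerts[src].append(f"new admin account {ev['target']}")
        elif e in ("alarm_config", "log_config") and ev.get("state") == "disabled":
            silenced_at.setdefault(src, ev["ts"])
            alerts[src].append(f"{e} disabled (visibility loss)")
        elif e in ("setpoint_change", "plc_link"):
            blind = src in silenced_at and ev["ts"] - silenced_at[src] <= quiet_window
            alerts[src].append(f"{e}{' while alarms silenced' if blind else ''}")
    return dict(alerts)
```

In a real deployment the same stage logic would sit on top of the protocol-aware monitoring the table recommends, with the HMI’s actual audit schema substituted for the assumed one.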
Beyond tech fixes, foster a culture of paranoia—er, vigilance. Collaborate via frameworks like CISA’s Shields Up or EU’s NIS2 Directive, sharing threat intel on groups like TwoNet. And remember: in nation-state games, speed is the enemy. Automate responses to shave hours off detection times.
The Bigger Picture: A Call to Action in an Uncertain World
This decoy takedown is a win for researchers, but a wake-up for the rest of us. Hacktivists are graduating to infrastructure warfare, often as proxies for nation-states testing waters or sowing chaos. As TwoNet’s antics show, the barrier to entry is low, the impact high. For operators of critical systems, ignoring this is like leaving your front door unlocked in a storm.
The silver lining? Incidents like this demystify attackers, letting us stay one step ahead. If you’re in OT/ICS, audit your HMIs today. Share this post if it sparked a lightbulb—because in cybersecurity, awareness is the best honeypot.