Executive Summary
In September 2025, the pro-Russian hacktivist group TwoNet targeted what they believed to be a vulnerable water treatment plant, unaware it was a decoy system (honeypot) operated by cybersecurity researchers. The attackers gained access using default credentials, escalated attacks through SQL enumeration, and exploited a known XSS vulnerability (CVE-2021-26829). Within 26 hours, they created new user accounts, manipulated PLC setpoints, disabled real-time updates, and attempted to disrupt both logs and alarms via the Human Machine Interface (HMI). Their tactics included data exfiltration and process disruption, signaling a shift toward operational technology (OT) attacks targeting critical infrastructure.
This incident highlights a growing trend of hacktivist groups evolving from DDoS and defacement attacks to more sophisticated operations against OT and ICS targets. The rapid escalation and attempted sabotage observed in this breach emphasize the urgent need for robust segmentation, authentication, and real-time anomaly detection within critical infrastructure environments.
Why This Matters Now
Critical infrastructure organizations are increasingly targeted by hacktivist groups employing advanced tactics beyond traditional DDoS. The TwoNet case demonstrates how quickly attackers can pivot to disrupting industrial environments, signaling an urgent need to remedy legacy vulnerabilities, enforce network segmentation, and protect operational technology assets now.
Attack Path Analysis
The attack began with the adversary using default credentials to gain access to a publicly exposed water treatment HMI interface. No evidence of privilege escalation was found; the attacker operated entirely within the permissions the web application already granted. The attacker’s actions were confined to the compromised HMI/web service and did not pivot to other hosts or layers. Communication with external infrastructure was implicit, since the attacker had to interact with the decoy system remotely. Data exfiltration was not observed, but disruption of HMI processes was performed, including disabling alarms and manipulating PLC setpoints. The impact stage involved disabling real-time plant operations, erasing logs and alarms, and signaling their presence to operators.
Kill Chain Progression
Initial Compromise
Description
Attacker gained access by authenticating with default credentials on a publicly exposed HMI web application.
Related CVEs
CVE-2021-26829
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR allows authenticated attackers to inject arbitrary JavaScript into the web interface, potentially leading to defacement, disruption, or further compromise of industrial control systems.
Affected Products:
OpenPLC Project ScadaBR – <= 1.12.4 (Windows), <= 0.9.1 (Linux)
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Brute Force
Create Account
Exploit Public-Facing Application
Endpoint Denial of Service
Boot or Logon Autostart Execution
Impair Defenses
Alarm Suppression
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Risk Assessment
Control ID: 500.15
NIS2 Directive – Cybersecurity Risk Management and Reporting
Control ID: Article 21
DORA (Digital Operational Resilience Act) – Protection and Prevention
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Enforce Strong, Contextual Authentication Controls
Control ID: Identity - Authentication
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Direct target of hacktivist attacks on water treatment facilities; requires enhanced SCADA/HMI security, network segmentation, and protocol-aware detection capabilities.
Oil/Energy/Solar/Greentech
Critical infrastructure vulnerability to pro-Russian hacktivists targeting HMI systems; needs strengthened authentication, egress filtering, and east-west traffic monitoring.
Government Administration
The doxxing of intelligence personnel and responsibilities for critical infrastructure protection require zero trust segmentation, threat detection, and secure hybrid connectivity solutions.
Computer/Network Security
Cybersecurity providers must address evolving hacktivist TTPs targeting industrial systems through enhanced IPS capabilities and multicloud visibility solutions.
Sources
- Hacktivists target critical infrastructure, hit decoy plant: https://www.bleepingcomputer.com/news/security/hacktivists-target-critical-infrastructure-hit-decoy-plant/
- CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV: https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html
- Pro-Russian hackers tricked into attacking decoy target: https://www.techradar.com/pro/security/pro-russian-hackers-tricked-into-attacking-decoy-target
- CISA Issues Urgent Alert on ScadaBR CVE-2021-26829 Vulnerability Exploited by Hacktivists in ICS Attack: https://www.rescana.com/post/cisa-issues-urgent-alert-on-scadabr-cve-2021-26829-vulnerability-exploited-by-hacktivists-in-ics-att
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF Zero Trust controls—such as network segmentation, policy-based access, anomaly detection, and egress filtering—would have reduced the attack surface, prevented unauthorized access, and detected disruptive actions across the kill chain. Inline traffic inspection and identity-based policies could block or alert on malicious activity, limiting opportunities for both access and impact.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized access to critical HMI applications from unknown networks.
Control: Threat Detection & Anomaly Response
Mitigation: Detects anomalous account creation and suspicious privilege changes.
Control: East-West Traffic Security
Mitigation: Blocks or monitors unauthorized workload-to-workload and inter-service communications.
Control: Cloud Firewall (ACF)
Mitigation: Detects and blocks suspicious inbound/outbound web access to critical service endpoints.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized exfiltration to external destinations.
Detects abnormal operations and alerts on critical unauthorized changes to industrial controls.
Impact at a Glance
Affected Business Functions
- Water Treatment Operations
- System Monitoring
- Alarm Management
Estimated downtime: N/A
Estimated loss: N/A
No sensitive data exposure occurred as the attack targeted a decoy system designed for research purposes.
Recommended Actions
Key Takeaways & Next Steps
- Eliminate public exposure of HMI, SCADA, and OT interfaces using Zero Trust Segmentation.
- Enforce strong, unique credentials and monitor for account creation or misuse through anomaly detection.
- Apply east-west microsegmentation to limit intra-network movement and strictly control service communications.
- Deploy centralized cloud firewalls and enforce egress filtering to prevent unapproved remote access and data exfiltration.
- Continuously monitor for PLC/HMI anomalies, unusual setpoint changes, and generate rapid alerts to contain destructive actions.
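One way to implement the monitoring that the attack path and these recommendations call for, as an added example that is not from the report or from any vendor product: a small Python detector run over a constructed HMI audit log. The log format, account names, the trusted engineering subnet, and the per-tag engineering limits are all assumptions; the detector flags the same sequence seen in the decoy plant, a default account logging in from outside the plant network, creation of a new account, out-of-range setpoint changes, and alarm suppression.

```python
import re

# Constructed sample HMI audit log (hypothetical format, not from the incident).
LOG = """\
2025-09-01T10:00:01Z LOGIN user=admin src=203.0.113.7 result=success
2025-09-01T10:03:12Z CREATE_USER user=admin new_user=svc_backup role=admin
2025-09-01T10:05:40Z SETPOINT user=svc_backup tag=PUMP1_FLOW old=120 new=500
2025-09-01T10:06:02Z SETPOINT user=svc_backup tag=CHLORINE_PPM old=2.0 new=0.0
2025-09-01T10:07:30Z ALARM_CONFIG user=svc_backup action=disable tag=CHLORINE_LOW
2025-09-01T11:00:00Z LOGIN user=operator1 src=10.20.0.15 result=success
2025-09-01T11:01:00Z SETPOINT user=operator1 tag=PUMP1_FLOW old=500 new=130
"""

DEFAULT_ACCOUNTS = {"admin", "root", "operator"}    # assumed vendor default names
TRUSTED_NETS = ("10.20.",)                          # assumed engineering subnet prefix
# Assumed engineering limits per tag: any new setpoint outside them is flagged.
LIMITS = {"PUMP1_FLOW": (0, 200), "CHLORINE_PPM": (0.5, 4.0)}

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")

def parse(line):
    """Split one audit line into a dict of timestamp, event and key=value fields."""
    m = LINE.match(line)
    rec = {"ts": m["ts"], "event": m["event"]}
    rec.update(kv.split("=", 1) for kv in m["kv"].split())
    return rec

def analyze(log_text):
    """Return (timestamp, alert_kind, subject) tuples for the kill-chain steps."""
    alerts, suspect_users = [], set()
    for rec in map(parse, log_text.splitlines()):
        ev, user = rec["event"], rec["user"]
        if (ev == "LOGIN" and rec["result"] == "success"
                and user in DEFAULT_ACCOUNTS and not rec["src"].startswith(TRUSTED_NETS)):
            suspect_users.add(user)          # default account used from outside the plant
            alerts.append((rec["ts"], "default_account_external_login", user))
        elif ev == "CREATE_USER":            # account creation on an HMI is always notable
            alerts.append((rec["ts"], "account_created", rec["new_user"]))
            if user in suspect_users:        # inherit suspicion: created by a suspect session
                suspect_users.add(rec["new_user"])
        elif ev == "SETPOINT":
            lo, hi = LIMITS.get(rec["tag"], (float("-inf"), float("inf")))
            if not lo <= float(rec["new"]) <= hi:
                alerts.append((rec["ts"], "setpoint_out_of_bounds", rec["tag"]))
            elif user in suspect_users:
                alerts.append((rec["ts"], "setpoint_by_suspect_account", rec["tag"]))
        elif ev == "ALARM_CONFIG" and rec["action"] == "disable":
            alerts.append((rec["ts"], "alarm_suppressed", rec["tag"]))
    return alerts

if __name__ == "__main__":
    for ts, kind, subject in analyze(LOG):
        print(ts, kind, subject)
```

The operator's in-range correction at 11:01 from the engineering subnet produces no alert, which is the distinction a plant SOC needs between legitimate tuning and the attacker's sequence.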