Pro-Russian Hacktivist Targets OT/ICS Systems to Harvest Credentials
gbhackers
In September, a nascent pro-Russian hacktivist group known as TwoNet staged its first operational technology and industrial control systems (OT/ICS) intrusion against our water treatment utility honeypot.
By exploiting default credentials and SQL-based schema extraction, the adversary ultimately created backdoor accounts and defaced the human-machine interface (HMI), demonstrating a concerning pivot from pure DDoS to targeted utility attacks.
This incident underscores the growing imperative for critical infrastructure organizations—especially utilities—to deploy high-fidelity deception technologies and vigilant monitoring of hacktivist channels for accurate threat intelligence.
The attack commenced at 08:22 AM UTC on a September day, originating from IP 45.157.234[.]199 registered to AS58212 (dataforest GmbH).
Initial access was gained via default HMI credentials (admin/admin). Through the HMI’s sql.shtm interface, the attacker launched two rounds of SQL reconnaissance. The first queries, attempting to enumerate primary keys, failed; the second queries ...
Copyright of this story solely belongs to gbhackers.