Forescout Research has uncovered a disturbing new tactic among pro-Russian hacktivists — fabricating real-world critical infrastructure attacks to inflate their reputation. In a recent case, a newly formed group named TwoNet targeted a Forescout “water treatment utility” honeypot, then falsely claimed responsibility for an actual operational incident on its Telegram channel.
According to Forescout, “we observed something even more significant: an emerging pro-Russian hacktivist group targeted our ‘water treatment utility’ honeypot and then falsely claimed responsibility for a real-world attack on their Telegram channel.”
TwoNet’s activity began in September 2025, shortly after the group launched its Telegram channel. Forescout’s telemetry shows that the intrusion started from a German hosting provider (AS58212) and involved logging into an HMI (Human-Machine Interface) with default credentials (admin/admin). The attackers then issued a series of SQL queries to enumerate databases before performing disruptive actions.
During the compromise, the attacker created a new user named “BARLATI” and carried out four main actions:
- Defacement: Exploited CVE-2021-26829 to alter the HMI login page to display the message: alert(“HACKED BY BARLATI, FU CK”)
- Process Disruption: Deleted connected PLCs (Programmable Logic Controllers), effectively disabling real-time updates.
- Manipulation: Changed PLC setpoints via the web interface.
- Evasion: Disabled system logs and alarms to obscure activity.
Forescout confirmed that “the attacker did not attempt privilege escalation or exploitation of the underlying host, focusing exclusively on the web application layer of the HMI.”

Intelligence from Intel471 and Forescout indicates that TwoNet first appeared in January 2025, initially launching distributed denial-of-service (DDoS) operations using MegaMedusa Machine malware. Since then, the group’s Telegram presence has shifted toward industrial control system (ICS) and operational technology (OT) targets.
Forescout describes TwoNet as “a recent entrant to the pro-Russian hacktivist ecosystem” that has expanded from web-based defacements into OT/ICS environments, including HMI and SCADA systems used in utilities and renewable energy facilities.
The group’s online claims include supposed compromises of solar plant control panels, HVAC systems, and hydroelectric facilities across Europe — though many of these have not been verified. Forescout notes that these boasts are part of a broader disinformation and intimidation campaign: “Messages on this channel indicate a pivot from pure DDoS to a broader mix of activity: OT/ICS targeting, doxing, and signal-boosting other hacktivist brands.”
TwoNet’s Telegram posts often forward content from affiliated groups like CyberTroops and OverFlame, forming part of a larger propaganda ecosystem. These alliances — sometimes referred to as the Z-PENTEST network — have claimed attacks ranging from solar farms in Germany and Italy to hydroelectric plants in France, often without proof of operational impact.
By late September, TwoNet abruptly announced its closure on affiliated Telegram channels, with all known handles, including “BARLATI” and “DarkWarios”, disappearing. Forescout observed that “this underscores the ephemeral nature of the ecosystem where channels and groups are short-lived, while operators typically persist by rebranding or joining other groups.”
Forescout’s honeypot network continues to detect frequent OT intrusion attempts beyond TwoNet. The report highlights incidents originating from Russia, Iran, and Western Europe, using public exploits such as CVE-2021-26828 (ScadaBR RCE) and Metasploit Modbus modules.
For example, Forescout recorded attacks from Iranian IPs running Modbus and S7comm scans, attempting to read and write PLC coil values and even issuing STOP commands to simulated controllers. The researchers noted that “these patterns are representative of targeted actions we frequently observe – and are plausible against any internet-exposed utility-owned OT/ICS.”
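A defender-side check for the Modbus read and write attempts described above, as an added example that is not from Forescout's report: it parses Modbus/TCP requests and flags write function codes coming from sources outside an allowlist. The sample packets, the addresses and the allowlist are constructed for illustration.

```python
import struct

# Function codes from the Modbus application protocol.
READS = {0x01: "read coils", 0x02: "read discrete inputs",
         0x03: "read holding registers", 0x04: "read input registers"}
WRITES = {0x05: "write single coil", 0x06: "write single register",
          0x0F: "write multiple coils", 0x10: "write multiple registers"}

def parse_request(frame: bytes):
    """Parse one Modbus/TCP request; return a dict, or None if malformed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # MBAP header: protocol id is 0, length counts the unit id plus the PDU.
    if proto != 0 or length != len(frame) - 6:
        return None
    func = frame[7]
    req = {"unit": unit, "func": func, "addr": None, "arg": None}
    if func in READS or func in WRITES:
        if len(frame) < 12:
            return None
        # Address, then quantity (reads, multi-writes) or value (single writes).
        req["addr"], req["arg"] = struct.unpack(">HH", frame[8:12])
    return req

def find_unauthorized_writes(packets, allowed_writers):
    """Return alerts for write requests from sources not in allowed_writers."""
    alerts = []
    for src, frame in packets:
        req = parse_request(frame)
        if req is None or req["func"] not in WRITES or src in allowed_writers:
            continue
        detail = WRITES[req["func"]]
        if req["func"] == 0x05:  # coil value is 0xFF00 (ON) or 0x0000 (OFF)
            detail += " -> " + ("ON" if req["arg"] == 0xFF00 else "OFF")
        alerts.append((src, req["unit"], req["addr"], detail))
    return alerts

# Constructed sample traffic (documentation-range addresses, not from the report).
SAMPLE = [
    ("192.0.2.10", struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x06, 40, 750)),    # allowed writer
    ("203.0.113.7", struct.pack(">HHHBBHH", 2, 0, 6, 1, 0x01, 0, 16)),     # read request
    ("203.0.113.7", struct.pack(">HHHBBHH", 3, 0, 6, 1, 0x05, 3, 0x0000)),  # coil OFF
    ("203.0.113.7", struct.pack(">HHHBBHHBH", 4, 0, 9, 1, 0x10, 0, 1, 2, 0x1234)),
    ("203.0.113.7", b"\x00\x05\x00\x00\x00"),                               # truncated
]

if __name__ == "__main__":
    for alert in find_unauthorized_writes(SAMPLE, {"192.0.2.10"}):
        print(alert)
```

In practice the allowlist would hold the engineering workstations and HMIs that are expected to write to a given controller, and any alert from an internet source indicates the device is exposed.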
Forescout warns that hacktivist groups are now expanding their focus from website defacements and DDoS attacks to direct interference with physical systems, marking a dangerous escalation in cyber-physical risk.