Forescout Research has uncovered a disturbing new tactic among pro-Russian hacktivists: fabricating real-world critical infrastructure attacks to inflate their reputation. In a recent case, a newly formed group named TwoNet targeted a Forescout “water treatment utility” honeypot, then falsely claimed responsibility for an actual operational incident on its Telegram channel.
According to Forescout, “we observed something even more significant: an emerging pro-Russian hacktivist group targeted our ‘water treatment utility’ honeypot and then falsely claimed responsibility for a real-world attack on their Telegram channel.”
TwoNet’s activity began in September 2025, shortly after the group launched its Telegram channel. Forescout’s telemetry shows that the intrusion started from a German hosting provider (AS58212) and involved logging into an HMI (Human-Machine Interface) with default credentials (admin/admin). The attackers then issued a series of SQL queries to enumerate databases before performing disruptive actions.
During the compromise, the attacker created a new user named “BARLATI” and carried out four main actions:
- Defacement: Exploited CVE-2021-26829 to alter the HMI login page to display the message: alert(“HACKED BY BARLATI, FU CK”)
- Process Disruption: Deleted connected PLCs (Programmable Logic Controllers), effectively disabling real-time updates.
- Manipulation: Changed PLC setpoints via the web interface.
- Evasion: Disabled system logs and alarms to obscure activity.
Forescout confirmed that “the attacker did not attempt privilege escalation or exploitation of the underlying host, focusing exclusively on the web application layer of the HMI.”

Intelligence from Intel471 and Forescout indicates that TwoNet first appeared in January 2025, initially launching distributed denial-of-service (DDoS) operations using MegaMedusa Machine malware. Since then, the group’s Telegram presence has shifted toward industrial control system (ICS) and operational technology (OT) targets.
Forescout describes TwoNet as “a recent entrant to the pro-Russian hacktivist ecosystem” that has expanded from web-based defacements into OT/ICS environments, including HMI and SCADA systems used in utilities and renewable energy facilities.
The group’s online claims include supposed compromises of solar plant control panels, HVAC systems, and hydroelectric facilities across Europe, though many of these have not been verified. Forescout notes that these boasts are part of a broader disinformation and intimidation campaign: “Messages on this channel indicate a pivot from pure DDoS to a broader mix of activity: OT/ICS targeting, doxing, and signal-boosting other hacktivist brands.”
TwoNet’s Telegram posts often forward content from affiliated groups like CyberTroops and OverFlame, forming part of a larger propaganda ecosystem. These alliances, sometimes referred to as the Z-PENTEST network, have claimed attacks ranging from solar farms in Germany and Italy to hydroelectric plants in France, often without proof of operational impact.
By late September, TwoNet abruptly announced its closure on affiliated Telegram channels, with all known handles, including “BARLATI” and “DarkWarios”, disappearing. Forescout observed that “this underscores the ephemeral nature of the ecosystem where channels and groups are short-lived, while operators typically persist by rebranding or joining other groups.”
Forescout’s honeypot network continues to detect frequent OT intrusion attempts beyond TwoNet. The report highlights incidents originating from Russia, Iran, and Western Europe, using public exploits such as CVE-2021-26828 (ScadaBR RCE) and Metasploit Modbus modules.
For example, Forescout recorded attacks from Iranian IPs running Modbus and S7comm scans, attempting to read and write PLC coil values and even issuing STOP commands to simulated controllers. The researchers noted that “these patterns are representative of targeted actions we frequently observe — and are plausible against any internet-exposed utility-owned OT/ICS.”
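For defenders monitoring the Modbus read and write attempts described above, the following added example (not code from Forescout or the original article) decodes Modbus/TCP request frames and flags state-changing function codes from sources outside a write allowlist. The allowlisted subnet, the source addresses and the sample frames are constructed assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change controller state (Modbus Application Protocol spec).
WRITE_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_CODES = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
              0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
# Assumption: engineering workstations permitted to write live in this subnet.
ALLOWED_WRITERS = [ip_network("10.20.0.0/24")]

def parse_request(frame: bytes):
    """Decode one Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; the length field counts unit id + PDU bytes.
    if proto != 0 or length != len(frame) - 6:
        return None
    func = frame[7]
    addr = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
    return {"tid": tid, "unit": unit, "func": func, "addr": addr}

def classify(src: str, frame: bytes) -> str:
    """Label a request as read, allowed write, unauthorized write, or malformed."""
    req = parse_request(frame)
    if req is None:
        return "malformed"
    if req["func"] in WRITE_CODES:
        allowed = any(ip_address(src) in net for net in ALLOWED_WRITERS)
        return "write-allowed" if allowed else "ALERT-unauthorized-write"
    return "read" if req["func"] in READ_CODES else "other"

# Constructed sample traffic (external source uses a documentation address range).
SAMPLES = [
    ("203.0.113.7", bytes.fromhex("000100000006010100000008")),  # Read Coils, 8 from addr 0
    ("203.0.113.7", bytes.fromhex("00020000000601050003ff00")),  # Write Single Coil 3 = ON
    ("10.20.0.15", bytes.fromhex("000300000006010600100064")),   # Write Single Register 16 = 100
    ("203.0.113.7", bytes.fromhex("0004000000060105")),          # length field mismatch
]

def run():
    return [classify(src, frame) for src, frame in SAMPLES]

if __name__ == "__main__":
    for (src, _), verdict in zip(SAMPLES, run()):
        print(src, verdict)
```
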
Forescout warns that hacktivist groups are now expanding their focus from website defacements and DDoS attacks to direct interference with physical systems, marking a dangerous escalation in cyber-physical risk.