A newly identified pro-Russian hacktivist group has been observed breaking into operational technology (OT) and industrial control system (ICS) environments of the kind run by critical infrastructure operators, getting in with default credentials, harvesting further credentials and tampering with the settings that control the process.
The threat actor, known as TwoNet, represents an emerging class of hacktivists who have expanded beyond distributed denial-of-service attacks to target human-machine interfaces (HMIs) and programmable logic controllers (PLCs) in water treatment facilities, solar installations and other industrial environments.
The group's tradecraft marks a shift in hacktivist activity from website defacement to direct manipulation of industrial processes.
TwoNet’s operations have been observed across multiple European countries, with particular focus on utilities and energy infrastructure in nations they consider adversarial.
Their activities include database enumeration, system defacement, process disruption, and credential harvesting from internet-exposed OT/ICS devices.
Forescout analysts identified the group's activity and attack patterns through honeypots built to attract and monitor threat actors targeting critical infrastructure.
A honeypot emulating a water treatment facility captured TwoNet's intrusion end to end, giving direct visibility into the group's tactics, techniques and procedures.
The captured sessions revealed not only the specific attack steps used but also the wider ecosystem of affiliated hacktivist groups operating in coordination.
The attackers relied on three things: default credentials, SQL queries issued through the HMI's built-in database query page, and a known vulnerability in the HMI software.
The group's wider activity spans industrial protocols including Modbus and S7, indicating working knowledge of OT environments.
Its return over several login sessions to systematically alter critical system configuration is a clear step up from earlier hacktivist activity.
Advanced Database Exploitation and System Manipulation Techniques
The intrusion opened with database enumeration, a step rarely seen in hacktivist operations.
The attackers logged into the HMI with default credentials (admin/admin) and immediately began issuing SQL queries to pull the schema of the HMI's backing database.
The reconnaissance ran through the HMI's sql.shtm query page, beginning with failed attempts to enumerate primary keys.
When those queries failed, the attackers switched syntax and successfully dumped the table and column definitions from the database's system catalog (sys.systables and sys.syscolumns are the Apache Derby catalog tables; the string literal must be single-quoted in Derby, as below):
SELECT t.TABLENAME, c.COLUMNNAME, c.COLUMNNUMBER, c.COLUMNDATATYPE,
c.COLUMNDEFAULT, c.AUTOINCREMENTVALUE, c.AUTOINCREMENTSTART,
c.AUTOINCREMENTINC
FROM sys.systables t
JOIN sys.syscolumns c ON t.TABLEID = c.REFERENCEID
WHERE t.tabletype='T'
ORDER BY t.TABLENAME, c.COLUMNNUMBER
Following the enumeration, the attackers created a new HMI user account named “BARLATI” and returned to the system across multiple sessions spanning nearly 24 hours.
They also exploited CVE-2021-26829, a cross-site scripting flaw in the HMI software, to inject JavaScript into the HMI login page: a persistent defacement that pops up a message for anyone opening the page.
Finally, they modified system settings to disable logging and alarms, leaving the HMI's own monitoring blind to their ongoing activity.
None of these steps needs custom tooling, but the combination of credential abuse, catalog enumeration, a backdoor account, a web defacement and deliberate log suppression across a multi-stage, multi-session intrusion shows operators who know their way around HMI consoles, which sets TwoNet apart from DDoS-only hacktivists.
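The steps above (default-account login from an untrusted network, SQL console use against the system catalog, a new account, a script injected into a UI setting, logging and alarms switched off) are each loud on their own and unmistakable together. The following is an added example, not Forescout's or any HMI vendor's code, that hunts for that chain in an audit log. The log format is a constructed, generic one (timestamp, source IP, user, action, key=value fields), the management network 10.0.5.0/24, the setting names such as logging.enabled and the TEST-NET-3 attacker address are all assumptions, and the sample lines are constructed for the demonstration.

```python
"""Hunt for the TwoNet-style HMI intrusion chain in an audit log.

Added example, not Forescout's or a vendor's code. The log format is a
constructed, generic HMI audit format (assumption, not a real product's):
    <ISO timestamp> <source IP> <user> <ACTION> key=value key="quoted value"
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: HMI administration only ever happens from this network.
MANAGEMENT_NET = ipaddress.ip_network("10.0.5.0/24")
# Vendor default / shared account names worth alerting on.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root"}
# Catalog tables whose presence in a query means schema enumeration
# (sys.systables / sys.syscolumns are the Apache Derby catalog).
CATALOG_TABLES = ("sys.systables", "sys.syscolumns", "information_schema")
# Setting names (assumed) whose disablement blinds monitoring.
EVASION_KEYS = ("logging", "audit", "alarm", "event")
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z_]+)\s*(.*)$")
KV_RE = re.compile(r'([\w.]+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log: one benign operator, one attacker (TEST-NET-3 address).
SAMPLE_LOG = [
    "2025-09-04T08:00:00Z 10.0.5.20 operator LOGIN status=success",
    "2025-09-04T08:05:00Z 10.0.5.20 operator SETTING_CHANGE key=ui.theme value=dark",
    "2025-09-04T10:12:03Z 203.0.113.77 admin LOGIN status=success",
    '2025-09-04T10:13:41Z 203.0.113.77 admin SQL_QUERY query="SELECT t.TABLENAME, c.COLUMNNAME '
    "FROM sys.systables t JOIN sys.syscolumns c ON t.TABLEID = c.REFERENCEID WHERE t.tabletype='T'\"",
    "2025-09-04T10:20:05Z 203.0.113.77 admin USER_CREATE account=BARLATI",
    "2025-09-04T11:02:17Z 203.0.113.77 BARLATI SETTING_CHANGE key=login.title "
    'value="<script>alert(1)</script>"',
    "2025-09-05T09:40:00Z 203.0.113.77 BARLATI SETTING_CHANGE key=logging.enabled value=false",
    "2025-09-05T09:41:10Z 203.0.113.77 BARLATI SETTING_CHANGE key=alarms.enabled value=false",
]


def parse_line(line):
    """Parse one audit record into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, action, rest = m.groups()
    fields = {k: q if q else u for k, q, u in KV_RE.findall(rest)}
    return {**fields, "ts": ts, "ip": ip, "user": user, "action": action}


def classify(rec):
    """Return the finding tags for one record (empty list for benign activity)."""
    tags = []
    action = rec["action"]
    if action == "LOGIN" and rec.get("status") == "success":
        from_outside = ipaddress.ip_address(rec["ip"]) not in MANAGEMENT_NET
        if rec["user"].lower() in DEFAULT_ACCOUNTS and from_outside:
            tags.append("default-account-login-from-untrusted-net")
    elif action == "SQL_QUERY":
        tags.append("sql-console-use")  # any use of the query page is worth a look
        if any(t in rec.get("query", "").lower() for t in CATALOG_TABLES):
            tags.append("schema-enumeration")
    elif action == "USER_CREATE":
        tags.append("new-account-created")
    elif action == "SETTING_CHANGE":
        key, val = rec.get("key", "").lower(), rec.get("value", "").lower()
        if any(k in key for k in EVASION_KEYS) and val in ("false", "0", "off"):
            tags.append("monitoring-disabled")
        if any(x in val for x in XSS_MARKERS):
            tags.append("stored-xss-in-ui-setting")
    return tags


def analyze(lines, chain_threshold=3):
    """Group findings per source IP; an IP with chain_threshold or more
    distinct tags is reported as an intrusion chain rather than isolated noise."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            findings[rec["ip"]].append((rec["ts"], rec["user"], tag))
    chains = {}
    for ip, events in findings.items():
        distinct = sorted({tag for _, _, tag in events})
        if len(distinct) >= chain_threshold:
            chains[ip] = distinct
    return dict(findings), chains


if __name__ == "__main__":
    found, chains = analyze(SAMPLE_LOG)
    for ip, tags in chains.items():
        print(f"intrusion chain from {ip}: {', '.join(tags)}")
        for ts, user, tag in found[ip]:
            print(f"  {ts} {user:<9} {tag}")
```

The per-IP correlation is the point: a single default-account login or a single settings change might be an operator's mistake, but the same source walking through login, catalog enumeration, account creation, defacement and log suppression over two days is the intrusion the honeypot recorded. Note that the "monitoring-disabled" rule only works if the audit trail is shipped off the HMI before the attacker turns logging off, so forward these records to a collector the HMI account cannot reconfigure.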