Russian Hacktivist Group vs. a Decoy Water Plant

Lucas Brown

Overview

A Russian-linked hacktivist group called TwoNet attacked what they believed was a water plant but was in fact a realistic honeypot built by Forescout Research. The attackers gained initial access from an IP address belonging to a German hosting provider and logged in to the HMI with its default credentials (admin/admin). Once in, they tried to enumerate the backing SQL database directly through the HMI's web interface. Their first queries failed, but a second set succeeded and returned information about the database's schema.

SQL Enumeration Activity

The queries that worked:

SELECT t.TABLENAME, c.COLUMNNAME, c.COLUMNNUMBER, c.COLUMNDATATYPE, c.COLUMNDEFAULT, c.AUTOINCREMENTVALUE, c.AUTOINCREMENTSTART, c.AUTOINCREMENTINC
FROM sys.systables t
JOIN sys.syscolumns c ON t.TABLEID = c.REFERENCEID
WHERE t.tabletype = 'T'
ORDER BY t.TABLENAME, c.COLUMNNUMBER

SELECT t.TABLENAME, con.CONSTRAINTNAME, con.TYPE
FROM sys.systables t
JOIN sys.sysconstraints con ON t.TABLEID = con.TABLEID
ORDER BY t.TABLENAME

After analyzing the queries the attackers used, I determined they were enumerating Apache Derby. The giveaway is the three AUTOINCREMENT columns (AUTOINCREMENTVALUE, AUTOINCREMENTSTART and AUTOINCREMENTINC) selected in the first query above.
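As an added illustration (not code from this post or from Forescout), the fingerprinting argument above turned into a detection rule: a Python scan over constructed HMI access-log lines that flags schema-enumeration queries and labels the Derby-specific ones by the catalog identifiers the attackers' queries used. The log format, the /hmi/sql endpoint and the IP addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, quote_plus, urlsplit

# Identifiers found only in Apache Derby's system catalog: its SYS.SYS* catalog
# tables, plus the REFERENCEID and AUTOINCREMENT* column names.
DERBY_MARKERS = {"SYS.SYSTABLES", "SYS.SYSCOLUMNS", "SYS.SYSCONSTRAINTS",
                 "REFERENCEID", "AUTOINCREMENTVALUE", "AUTOINCREMENTSTART",
                 "AUTOINCREMENTINC"}
# Portable catalog views that a DBMS-agnostic enumeration would read instead.
GENERIC_MARKERS = {"INFORMATION_SCHEMA.TABLES", "INFORMATION_SCHEMA.COLUMNS"}
IDENT_RE = re.compile(r"\b(?:SYS\.SYS[A-Z]+|INFORMATION_SCHEMA\.[A-Z_]+"
                      r"|REFERENCEID|AUTOINCREMENT(?:VALUE|START|INC))\b", re.I)


def classify_sql(sql):
    """'derby-enum' for Derby catalog reads, 'catalog-enum' for portable
    INFORMATION_SCHEMA reads, None otherwise; plus the identifiers seen."""
    found = {m.upper() for m in IDENT_RE.findall(sql)}
    if found & DERBY_MARKERS:
        return "derby-enum", sorted(found & DERBY_MARKERS)
    if found & GENERIC_MARKERS:
        return "catalog-enum", sorted(found & GENERIC_MARKERS)
    return None, []


def scan_log(lines):
    """(timestamp, client_ip, verdict, evidence) per request whose 'query' parameter enumerates schema."""
    hits = []
    for line in lines:
        ts, ip, _method, target = line.split(" ", 3)
        for sql in parse_qs(urlsplit(target).query).get("query", []):
            verdict, evidence = classify_sql(sql)
            if verdict:
                hits.append((ts, ip, verdict, evidence))
    return hits


# Constructed access-log lines (not Forescout telemetry). Assumed format:
# "<timestamp> <client-ip> <method> <path?query>", SQL in a "query" parameter
# of a hypothetical /hmi/sql endpoint; IPs are documentation addresses.
SAMPLE_LOG = [
    "2025-09-01T10:00:41Z 198.51.100.23 GET /hmi/sql?query=" + quote_plus(
        "SELECT t.TABLENAME, c.COLUMNNAME, c.AUTOINCREMENTVALUE, "
        "c.AUTOINCREMENTSTART, c.AUTOINCREMENTINC FROM sys.systables t "
        "JOIN sys.syscolumns c ON t.TABLEID = c.REFERENCEID WHERE t.tabletype = 'T'"),
    "2025-09-01T10:01:12Z 198.51.100.23 GET /hmi/sql?query=" + quote_plus(
        "SELECT t.TABLENAME, con.CONSTRAINTNAME, con.TYPE FROM sys.systables t "
        "JOIN sys.sysconstraints con ON t.TABLEID = con.TABLEID"),
    "2025-09-01T10:05:00Z 192.0.2.10 GET /hmi/sql?query=" + quote_plus(
        "SELECT COUNT(*) FROM events"),
]
```

Running `scan_log(SAMPLE_LOG)` returns two hits for 198.51.100.23, both labelled derby-enum, and none for the benign COUNT query.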

Web Defacement and XSS Exploitation

The attackers next created an account called "BARLATI" and defaced the HMI login page description with "[<]script>alert("HACKED BY BARLATI, FUCK")". They did this by exploiting a stored cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR's system_settings.shtm page, which lets a remote attacker plant script that runs in the browser of anyone who visits the page, so the expletive appeared in a pop-up alert on every visit. They then deleted the PLC connections configured as data sources, disabled real-time updates, and changed system settings to turn off logging and alarms. The attackers made no attempt at privilege escalation or at exploiting the underlying host; their activity stayed entirely within the HMI's web application layer.

Broader Context and Defensive Measures

Forescout Research has tracked a rise in hacktivist activity targeting critical infrastructure since 2022. Forescout recommends eliminating weak authentication and internet exposure: remove default credentials, enforce strong passwords or MFA, and keep OT/ICS and IoT devices off the public internet. Beyond that, segment networks rigorously, harden administrative interfaces and restrict them behind VPNs or ACLs, require authentication everywhere, and monitor traffic with protocol-aware detection to catch exploitation or misuse.

Takeaway: Honeypots remain one of the best tools for understanding OT threats safely.
