Date: 2025-10-09

The pro-Russian hacktivist group TwoNet targeted a water treatment facility "honeypot" and then falsely claimed it was a real critical infrastructure attack on its Telegram channel.

The Forescout researchers also discovered additional attacks targeting programmable logic controllers (PLCs) and the Modbus protocol linked to Russia and Iran.

“Since 2022, we’ve tracked the rise of hacktivist attacks against critical infrastructure,” wrote the researchers. “This is the first time a group has publicly claimed an attack that we can confirm occurred on one of our honeypots.”

Frankie Sclafani, director of cybersecurity enablement at Deepwatch, pointed out that TwoNet’s shift from a DDoS-as-a-service provider to targeting critical infrastructure operational technology (OT) marks an escalation in their activity.

Sclafani said that, in demonstrating their capability, the hackers achieved disruptive action in a mere 26 hours, disabling real-time process updates and, taking a cue from the Stuxnet hackers, dangerously altering PLC setpoints.

“This pivot to seeking physical-world consequences at water and power plants confirms that Russian hacktivism has evolved into a formidable asymmetric warfare capability,” said Sclafani. “While it may be impossible to determine whether TwoNet is operating under the direction or control of the Kremlin, their bold actions and claimed responsibility for the attack demonstrate their intention to establish a reputation as a formidable threat.”