14.10.2025
2 min
474
The pro-Russian hacker group TwoNet reported a “successful attack” on a water treatment facility, but the actual target they breached was a honeypot — a decoy system created by the cybersecurity company Foresecct for monitoring cyberattacks. According to Foresecct, the hackers publicly claimed to have gained access to and compromised a real control system of a water treatment plant. The TwoNet group changed configurations, triggered alarms, and left messages like *“HACKED BY BARLATI, f***”* — but the attack took place entirely in a simulated environment, with no impact on any real infrastructure.
Experts emphasize that the group acted realistically — as if they were attacking a genuine facility, changing configurations and simulating full system control. Such honeypot research allows collecting valuable data on techniques hackers use, who now increasingly move from hacktivism to DDoS attacks and even attempts to penetrate OT/ICS sectors (industrial control systems).
The TwoNet group appeared in early 2025 and initially specialized in DDoS attacks, operating through Telegram channels. After blocking their first account, they resumed activity under a new one, shifting focus to industrial and energy targets.
According to Foresecct, the number of similar hacktivist attacks on critical infrastructure has increased since 2022. Although most participants have limited technical expertise, they increasingly attempt to influence control systems of real facilities, using propaganda to amplify the informational effect.
> Researchers note: *such groups often confuse their own propaganda with real achievements and become victims of their own deception.* However, this does not indicate weakness, but rather a new trend — the hacktivist attempt to penetrate the OT/ICS sector.
The incident with TwoNet demonstrates that even amateur groups are getting closer to real cyber risks for critical infrastructure. The honeypot by Foresecct not only exposed TwoNet’s incompetence but also highlighted how quickly hacktivists are evolving from DDoS attacks to potentially dangerous manipulations of industrial systems. Critical sectors must take this trend into account and strengthen the protection of their OT assets.
