TwoNet’s Decoy Plant Attack: A New Era of Hacktivist Threats to Critical Infrastructure

Alex Cipher

When a pro-Russian hacktivist group like TwoNet pivots from headline-grabbing DDoS attacks to sabotaging the digital heart of a water treatment facility, the stakes for critical infrastructure security become crystal clear. TwoNet’s recent assault on a decoy plant—a honeypot designed by researchers—showcased not just their technical prowess, but also the speed at which modern hacktivists can move from initial access to operational disruption. Within just 26 hours, TwoNet manipulated Human-Machine Interfaces (HMIs) and Supervisory Control and Data Acquisition (SCADA) systems, disabling real-time updates and altering programmable logic controller (PLC) setpoints, all without escalating privileges or exploiting the underlying host. This case study offers a rare, behind-the-scenes look at how hacktivists are evolving, leveraging both political motivations and commercial opportunities, and why defenders are increasingly turning to deception technologies like honeypots to stay one step ahead (BleepingComputer, 2024).

TwoNet’s Tactics: From DDoS to Critical Infrastructure Disruption

Evolution of TwoNet’s Attack Strategies

TwoNet, a pro-Russian hacktivist group, initially gained notoriety for launching Distributed Denial-of-Service (DDoS) attacks. These attacks were primarily aimed at entities perceived to be supporting Ukraine, reflecting the group’s political motivations. However, over time, TwoNet’s tactics evolved significantly. This evolution is indicative of a broader trend among hacktivist groups, which are increasingly targeting critical infrastructure sectors. The shift from DDoS attacks to more sophisticated methods of disruption highlights the growing capabilities and ambitions of such groups.

The transition from DDoS to targeting critical infrastructure was marked by an incident involving a water treatment facility. This facility turned out to be a decoy plant, a honeypot set up by threat researchers to monitor adversarial activities. The attack on this decoy plant demonstrated TwoNet’s ability to move from initial access to disruptive actions within approximately 26 hours. This rapid progression underscores the group’s proficiency in navigating and manipulating industrial control systems (ICS) and operational technology (OT) environments.

Targeting Human-Machine Interfaces (HMIs)

TwoNet’s attack on the decoy plant involved specific tactics aimed at Human-Machine Interfaces (HMIs) and Supervisory Control and Data Acquisition (SCADA) systems. These systems are critical components of industrial control environments, as they allow operators to monitor and control industrial processes. TwoNet’s focus on HMIs and SCADA systems indicates a strategic shift towards exploiting vulnerabilities in these interfaces to cause disruption.

The group disabled real-time updates by removing the connected programmable logic controllers (PLCs) from the HMI’s data source list and by altering PLC setpoints through the HMI. Both actions degraded the plant’s monitoring and control capabilities, demonstrating TwoNet’s understanding of industrial processes and its ability to manipulate them for malicious purposes. Notably, the attackers did not attempt privilege escalation or exploitation of the underlying host; they worked exclusively at the web application layer of the HMI. This targeted approach suggests a high level of sophistication and a clear understanding of the potential impact of their actions on critical infrastructure.

Use of Decoy Systems and Honeypots

The use of decoy systems and honeypots by threat researchers played a crucial role in understanding TwoNet’s tactics and capabilities. The decoy plant, designed to mimic a real water treatment facility, provided valuable insights into the group’s methods and objectives. By observing TwoNet’s actions within this controlled environment, researchers were able to gather intelligence on the group’s techniques, tactics, and procedures (TTPs).

The deployment of honeypots is a strategic defensive measure that allows organizations to detect and analyze cyber threats in a controlled setting. In the case of TwoNet, the honeypot revealed the group’s ability to quickly transition from initial access to disruptive actions, highlighting the importance of such defensive measures in understanding and mitigating cyber threats. The insights gained from the decoy plant incident underscore the need for organizations in the critical infrastructure sector to adopt proactive defense strategies, including the use of honeypots and other deception technologies.

Publication of Personal and Commercial Data

In addition to targeting critical infrastructure, TwoNet has engaged in other cyber activities, including the publication of personal details of intelligence and police personnel. This tactic is often used by hacktivist groups to intimidate and exert pressure on targeted individuals and organizations. By exposing sensitive information, TwoNet aims to create fear and uncertainty, furthering their political objectives.

Moreover, TwoNet has been involved in commercial offerings for cybercrime services, such as ransomware-as-a-service (RaaS) and hacker-for-hire services. These offerings indicate a shift towards monetizing cyber capabilities, providing services to other threat actors seeking to exploit vulnerabilities in critical infrastructure. The group’s involvement in selling initial access to SCADA systems in Poland further illustrates their focus on targeting industrial control environments. This pattern mirrors the activities of other groups that have transitioned from traditional DDoS and defacement attacks to more complex operations targeting OT and ICS environments.

Recommendations for Mitigating TwoNet’s Threats

In light of TwoNet’s evolving tactics and capabilities, organizations in the critical infrastructure sector must adopt comprehensive security measures to mitigate the risk of cyber attacks. Forescout researchers recommend several strategies to enhance the security posture of these organizations.

Firstly, implementing strong authentication mechanisms and ensuring that systems are not exposed to the public web are critical steps in preventing unauthorized access. Properly segmenting the production network and using IP-based access control lists for admin interface access can help contain potential breaches and limit the lateral movement of threat actors within the network.

Additionally, deploying protocol-aware detection systems that alert on exploitation attempts and changes in the HMI is essential for early detection and response to cyber threats. These systems can provide real-time visibility into network activities, enabling organizations to quickly identify and respond to suspicious behavior.
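The two recommendations above (IP-based access control for admin interfaces, and detection that alerts on changes in the HMI) can be illustrated with a small audit-log detector. The following is an added example and is not code from the original article or from Forescout; the audit-line format, field names, subnet, tag names, setpoint bands and sample log lines are all constructed assumptions. It flags the two actions the article describes (a PLC removed from the HMI data-source list and a setpoint write), escalates a write that falls outside an engineering-approved band, and treats any HMI change from outside the admin allow-list as suspicious on its own.

```python
"""Added example, not code from the original article or from Forescout: a small
detector that reads HMI audit-log lines and raises alerts for the two actions the
article describes (removing a PLC from the HMI data-source list and writing a PLC
setpoint), and for HMI changes from outside an admin IP allow-list.
The log format, field names, subnet, tag names and sample lines are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed audit-line format:
#   <ts> src=<ip> user=<name> action=<verb> target=<object> [old=<v> new=<v>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+)(?: old=(?P<old>\S+) new=(?P<new>\S+))?$"
)

# Assumed policy: HMI configuration changes only from the engineering subnet,
# and each writable tag has an engineering-approved band; writes outside it are
# treated as unsafe regardless of who made them.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]
SETPOINT_BANDS = {
    "plc1.chlorine_dose_ppm": (0.5, 4.0),
    "plc1.tank_level_pct": (20.0, 90.0),
}
CHANGE_ACTIONS = {"datasource_remove", "setpoint_write"}


@dataclass
class Alert:
    severity: str  # critical / high / medium / low
    reason: str
    line: str


def _allowed(src: str) -> bool:
    """True if the source IP falls inside the admin allow-list."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_ALLOWLIST)


def analyze_line(line: str) -> list[Alert]:
    """Return the alerts a single audit line should raise (possibly none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return [Alert("low", "unparseable audit line", line)]
    f = m.groupdict()
    alerts: list[Alert] = []
    # Any configuration change from outside the allow-list is suspicious on its own.
    if f["action"] in CHANGE_ACTIONS and not _allowed(f["src"]):
        alerts.append(Alert("high", f"HMI change from non-allow-listed source {f['src']}", line))
    if f["action"] == "datasource_remove":
        # Removing a PLC from the data-source list silently stops live updates.
        alerts.append(Alert("high", f"PLC {f['target']} removed from HMI data sources", line))
    elif f["action"] == "setpoint_write":
        band = SETPOINT_BANDS.get(f["target"])
        try:
            new = float(f["new"]) if f["new"] is not None else None
        except ValueError:
            new = None
        if band is None:
            alerts.append(Alert("medium", f"setpoint write to unknown tag {f['target']}", line))
        elif new is None or not band[0] <= new <= band[1]:
            alerts.append(Alert("critical", f"{f['target']} set to {f['new']}, outside band {band}", line))
        else:
            alerts.append(Alert("medium", f"{f['target']} changed {f['old']} -> {f['new']}", line))
    return alerts


def analyze(lines: list[str]) -> list[Alert]:
    """Run the detector over a sequence of audit lines."""
    return [a for ln in lines for a in analyze_line(ln)]


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per severity."""
    return dict(Counter(a.severity for a in alerts))


# Constructed sample: a routine in-band change from engineering, then an
# out-of-network session that removes a PLC and writes an unsafe dose.
SAMPLE_LOG = [
    "2024-10-01T10:02:11Z src=10.10.5.21 user=eng1 action=login target=hmi",
    "2024-10-01T10:05:40Z src=10.10.5.21 user=eng1 action=setpoint_write "
    "target=plc1.chlorine_dose_ppm old=1.2 new=1.4",
    "2024-10-02T03:14:09Z src=203.0.113.77 user=admin action=datasource_remove target=plc1",
    "2024-10-02T03:15:30Z src=203.0.113.77 user=admin action=setpoint_write "
    "target=plc1.chlorine_dose_ppm old=1.4 new=9.0",
    "garbled line",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.reason}")
    print(summarize(analyze(SAMPLE_LOG)))
```

Run against the constructed sample, the engineering change from the allow-listed subnet produces only a medium informational alert, while the later session from an outside address yields a high alert for the non-allow-listed source on each change, a high alert for the PLC removal, and a critical alert for the out-of-band dose write. The allow-list check deliberately fires before the action-specific logic so that the network-origin signal is preserved even when the tag or value is otherwise unremarkable; in a real deployment the bands and subnet would come from the site’s engineering configuration rather than constants.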

Finally, organizations should regularly review and update their security policies and procedures to address emerging threats and vulnerabilities. This proactive approach, combined with continuous monitoring and threat intelligence sharing, can help organizations stay ahead of evolving cyber threats and protect their critical infrastructure from attacks like those orchestrated by TwoNet.

Final Thoughts

TwoNet’s attack on the decoy water treatment plant is more than just a cautionary tale—it’s a wake-up call for anyone responsible for critical infrastructure. The group’s ability to rapidly disrupt industrial processes, combined with their willingness to publish sensitive data and offer cybercrime services, signals a new era of hacktivism that blends political activism with profit motives. Defensive strategies must evolve just as quickly, with organizations adopting strong authentication, network segmentation, protocol-aware detection, and, crucially, deception technologies like honeypots. As the boundaries between hacktivism, cybercrime, and nation-state tactics blur, proactive defense and continuous threat intelligence sharing are essential to keeping the lights on and the water flowing (BleepingComputer, 2024).

References