Pro-Russian Hacktivist Group TwoNet Targets Critical Infrastructure Through Advanced OT/ICS Attacks

A newly identified pro-Russian hacktivist group, known as TwoNet, has been actively infiltrating operational technology (OT) and industrial control systems (ICS) within critical infrastructure sectors. Employing sophisticated techniques, the group aims to steal login credentials and disrupt essential services, marking a significant evolution in hacktivist capabilities.

Emergence of TwoNet and Its Tactics

TwoNet represents a new breed of hacktivists who have moved beyond traditional distributed denial-of-service (DDoS) attacks and website defacements. Their focus has shifted towards compromising human-machine interfaces (HMIs) and programmable logic controllers (PLCs) in various industrial environments, including water treatment facilities and solar power installations. This transition underscores a concerning trend where hacktivists are now capable of complex manipulations of industrial processes.

The group’s operations have been observed across multiple European countries, particularly targeting utilities and energy infrastructure in nations they perceive as adversarial. Their activities encompass database enumeration, system defacement, process disruption, and credential harvesting from internet-exposed OT/ICS devices.

Sophisticated Attack Methodology

Forescout analysts identified TwoNet’s malware and attack patterns through advanced honeypot operations designed to attract and monitor threat actors targeting critical infrastructure. A simulated water treatment facility honeypot successfully captured TwoNet’s intrusion methods, providing unprecedented insight into the group’s tactics, techniques, and procedures. This intelligence gathering effort also revealed a broader network of affiliated hacktivist groups operating in coordination.

The attackers demonstrated particular expertise in exploiting default authentication mechanisms, utilizing SQL injection techniques, and leveraging known vulnerabilities in HMI systems. Their operations span multiple industrial protocols, including Modbus and S7 communications, indicating a sophisticated understanding of OT environments. The group’s ability to maintain persistence across multiple login sessions and systematically alter critical system configurations represents a significant escalation in hacktivist threat capabilities.

Advanced Database Exploitation and System Manipulation Techniques

TwoNet’s intrusion methodology reveals advanced database enumeration capabilities that extend far beyond typical hacktivist operations. The attackers initiated their assault by logging into the HMI using default credentials (admin/admin), immediately proceeding to execute complex SQL queries designed to extract comprehensive schema information from the target system.

Their initial database reconnaissance involved issuing queries through the HMI's sql.shtm page, beginning with failed attempts to enumerate primary keys. When these initial queries failed, the attackers persisted, adjusted their approach, and successfully extracted detailed table structures using alternative SQL syntax.

Following successful database enumeration, the attackers created a new user account named BARLATI and maintained access across multiple sessions spanning nearly 24 hours. Their systematic approach included exploiting CVE-2021-26829 to inject malicious JavaScript code into the HMI login page, creating persistent defacement that would trigger alerts whenever administrators accessed the system.

The attackers also demonstrated advanced operational security by modifying system settings to disable logging and alarm mechanisms, effectively blinding security monitoring systems to their ongoing activities. The sophistication of these database manipulation techniques, combined with the group’s ability to maintain operational security while conducting multi-stage attacks, indicates access to advanced tooling and significant operational experience that extends beyond typical hacktivist capabilities.
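A defender-side way to surface this chain in HMI audit logs, as an added example that is not part of the original article or of Forescout's tooling: the audit format, event names and sample lines are constructed, the account baseline is hypothetical, and the addresses are documentation ranges. It correlates the four indicators the article describes (default-account login, sql.shtm access, an unexpected new account, and logging/alarms being switched off) per source address and escalates when several appear within one window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_ACCOUNTS = {"admin", "operator", "guest"}      # vendor defaults still in use are high risk
BASELINE_ACCOUNTS = {"admin", "ops_day", "ops_night"}  # hypothetical accounts expected on this HMI
MONITORING_KEYS = {"logging", "alarms"}
DISABLE_VALUES = {"off", "disabled", "0", "false"}

# Constructed sample audit lines (timestamp, source IP, event, key=value details)
# mirroring the intrusion chain described above; not real honeypot data.
SAMPLE_LOG = """\
2025-09-01T10:02:11Z 203.0.113.7 LOGIN_OK user=admin
2025-09-01T10:02:40Z 203.0.113.7 HTTP_GET path=/sql.shtm
2025-09-01T10:03:05Z 203.0.113.7 HTTP_POST path=/sql.shtm
2025-09-01T10:09:52Z 203.0.113.7 USER_CREATE user=BARLATI
2025-09-01T10:15:30Z 203.0.113.7 CONFIG_SET key=logging value=off
2025-09-01T10:15:41Z 203.0.113.7 CONFIG_SET key=alarms value=disabled
2025-09-01T11:00:00Z 10.20.0.5 LOGIN_OK user=ops_day
2025-09-01T11:00:30Z 10.20.0.5 HTTP_GET path=/overview.shtm
"""

def classify(event, detail):
    """Map one audit event to an indicator label, or None if it looks benign."""
    if event == "LOGIN_OK" and detail.get("user") in DEFAULT_ACCOUNTS:
        return "default-account login"
    if event.startswith("HTTP_") and detail.get("path", "").endswith("/sql.shtm"):
        return "direct SQL interface access"
    if event == "USER_CREATE" and detail.get("user") not in BASELINE_ACCOUNTS:
        return "unexpected account created"
    if (event == "CONFIG_SET" and detail.get("key") in MONITORING_KEYS
            and detail.get("value", "").lower() in DISABLE_VALUES):
        return "monitoring disabled"
    return None

def analyse(log_text, window=timedelta(hours=24)):
    """Group indicators per source IP; three or more distinct indicator types
    from one source inside `window` is the multi-stage pattern and is critical."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed or detail-less line; skip rather than crash
        ts, ip, event, detail_str = parts
        detail = dict(kv.split("=", 1) for kv in detail_str.split() if "=" in kv)
        label = classify(event, detail)
        if label:
            hits[ip].append((datetime.fromisoformat(ts.replace("Z", "+00:00")), label))
    report = {}
    for ip, events in hits.items():
        span = max(t for t, _ in events) - min(t for t, _ in events)
        kinds = {label for _, label in events}
        severity = "critical" if len(kinds) >= 3 and span <= window else "notice"
        report[ip] = {"severity": severity, "indicators": sorted(kinds)}
    return report
```

Run on an HMI that still accepts default credentials, the first indicator alone fires on every legitimate admin login, which is itself the finding: rotate the account before tuning the rule down.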

Implications for Critical Infrastructure Security

The emergence of groups like TwoNet highlights the evolving threat landscape facing critical infrastructure sectors. The transition from traditional hacktivist tactics to sophisticated OT/ICS attacks underscores the need for enhanced cybersecurity measures within these environments.

Organizations operating critical infrastructure must prioritize the following actions to mitigate such threats:

1. Regularly Update and Patch Systems: Ensure that all OT/ICS devices are updated with the latest security patches to protect against known vulnerabilities.

2. Implement Strong Authentication Mechanisms: Replace default credentials with strong, unique passwords and consider implementing multi-factor authentication to enhance security.

3. Conduct Regular Security Audits: Perform comprehensive security assessments to identify and remediate potential vulnerabilities within OT/ICS environments.

4. Enhance Network Segmentation: Implement robust network segmentation to limit the spread of potential intrusions and protect critical systems.

5. Develop Incident Response Plans: Establish and regularly update incident response plans to ensure swift and effective responses to security breaches.

By adopting these measures, organizations can strengthen their defenses against the growing threat posed by sophisticated hacktivist groups like TwoNet.