Hacktivists deactivate after falling into researchers’ trap • The Register


10/10/2025


Security researchers say they duped pro-Russia cybercriminals into targeting a fake critical infrastructure organization, which the crew later claimed – via their Telegram group – to be a real-world attack.

Forescout said the short-lived TwoNet hacktivist group fell for one of its researchers’ honeypots, designed to look like a water treatment plant to a remote attacker.

Although the intrusion turned out to be an embarrassing own goal for TwoNet, which went on to brag about its endeavours on the messaging and social media app, Forescout’s warning is very real. The attack was benign in this case. However, in a real-world scenario, it would have been anything but.

Within 26 hours, the attackers had broken into what they thought was a critical infrastructure organization and proceeded to tamper with key systems, defacing authentication screens and disabling alarms and logs.

TwoNet initially gained access to the fake water treatment facility by abusing default credentials on the honeypot’s human-machine interface (HMI) before enumerating the system’s databases and establishing persistence.

It then went on to exploit a vulnerability (CVE-2021-26829, CVSS 5.4), allowing it to deface the HMI login screen, and later carry out its disruptive processes, such as disabling real-time updates.
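The chain described above (default-account login on the HMI, database enumeration, persistence, then disabling of alarms, logs and real-time updates) is the kind of sequence a defender can correlate from HMI audit logs. The following is an added example written for this article, not Forescout's honeypot code or any vendor's detection rule. The log format (`timestamp|source_ip|event|key=value;...`), the account names in `DEFAULT_ACCOUNTS`, the setting names in `VISIBILITY_SETTINGS` and the sample events are all constructed for illustration; only the 26-hour correlation window comes from the article.

```python
"""Correlate HMI audit events into the intrusion stages reported in the article.

Added example, not code from Forescout or the honeypot. Log format, field
names, account names and setting names are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Factory-default account names that should have been renamed or disabled at
# commissioning (constructed list; use your vendor's documented defaults).
DEFAULT_ACCOUNTS = {"admin", "operator"}

# Settings whose disablement blinds operators (constructed names).
VISIBILITY_SETTINGS = {"alarms", "audit_log", "realtime_updates"}

# The article reports the whole intrusion unfolded within 26 hours; later
# activity from the same source is not correlated into the chain.
CHAIN_WINDOW = timedelta(hours=26)

# Constructed sample audit log: one intruder using a default account, and one
# legitimate operator whose activity must not be flagged.
SAMPLE_LOG = """\
2025-09-13T08:02:11Z|203.0.113.7|login_success|user=admin
2025-09-13T08:05:40Z|203.0.113.7|db_query|sql=SELECT name FROM sqlite_master
2025-09-13T08:09:02Z|203.0.113.7|user_created|user=svc_backup;role=admin
2025-09-14T09:40:13Z|203.0.113.7|config_change|setting=alarms;value=disabled
2025-09-14T09:41:55Z|203.0.113.7|config_change|setting=audit_log;value=disabled
2025-09-14T09:43:20Z|203.0.113.7|config_change|setting=realtime_updates;value=disabled
2025-09-14T11:00:00Z|198.51.100.20|login_success|user=jsmith
2025-09-14T11:05:00Z|198.51.100.20|db_query|sql=SELECT * FROM tags
"""


@dataclass
class Finding:
    stage: str      # initial_access, enumeration, persistence, defence_evasion
    source: str     # source IP the event came from
    when: datetime
    detail: str


def parse_line(line):
    """Split 'ts|src|event|k=v;k=v' into typed parts (constructed format)."""
    ts, src, event, *rest = line.split("|")
    fields = dict(kv.split("=", 1) for kv in rest[0].split(";") if kv) if rest else {}
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, src, event, fields


def analyze(log_text):
    """Return the staged findings for every source that logged in with a default account."""
    first_login = {}   # source -> time of its first default-account login
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, event, f = parse_line(line)
        if event == "login_success" and f.get("user") in DEFAULT_ACCOUNTS:
            first_login.setdefault(src, when)
            findings.append(Finding("initial_access", src, when, f"default account {f['user']}"))
            continue
        start = first_login.get(src)
        if start is None or when - start > CHAIN_WINDOW:
            continue   # only correlate activity that follows a default-account login
        if event == "db_query":
            findings.append(Finding("enumeration", src, when, f.get("sql", "")))
        elif event == "user_created":
            findings.append(Finding("persistence", src, when,
                                    f"new account {f.get('user')} role={f.get('role')}"))
        elif (event == "config_change" and f.get("setting") in VISIBILITY_SETTINGS
              and f.get("value") == "disabled"):
            findings.append(Finding("defence_evasion", src, when, f"{f['setting']} disabled"))
    return findings


def chain_stages(findings):
    """Map each source to the ordered list of stages observed for it."""
    out = {}
    for fi in findings:
        out.setdefault(fi.source, []).append(fi.stage)
    return out


def full_chain_sources(findings):
    """Sources for which every stage of the reported chain was observed."""
    required = {"initial_access", "enumeration", "persistence", "defence_evasion"}
    return sorted(src for src, stages in chain_stages(findings).items()
                  if required <= set(stages))


if __name__ == "__main__":
    for fi in analyze(SAMPLE_LOG):
        print(f"{fi.when.isoformat()} {fi.source} {fi.stage:16} {fi.detail}")
    print("full chain from:", full_chain_sources(analyze(SAMPLE_LOG)))
```

The gate on a prior default-account login is deliberate: the operator `jsmith` runs the same kind of database query as the intruder but is never correlated, which keeps the rule from paging on routine engineering work. In a real deployment the default-account login alone is worth an alert, since the article's point is that the accounts should not exist in that state at all.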

TwoNet first popped up in January, primarily focused on DDoS attacks using the MegaMedusa Machine malware, Intel471 said. 

Its Telegram channel was shut down in March, and the group was not seen again until September 14, when it launched another Telegram channel and posted about the fictitious water facility attack. TwoNet’s second coming was short-lived, however, as it once again shut down its primary communication channel just a few weeks later at the end of last month.

Before the group scarpered again, it pitched itself as a full-service cybercrime crew, instead of the almost exclusively DDoS-focused outfit from earlier in the year.

Forescout said TwoNet promised to continue targeting operational technology organizations and industrial control systems, as well as explore doxing and intimidation.

It also offered an access broker service, and a slot in its ransomware affiliate scheme. Forescout said the price of entry – $830 and 50 percent of all ransom payments – is higher than the norm, which signals either that TwoNet had low confidence in its ability to recruit en masse, or that it was a scam all along.

Lessons learned

The scenario will ultimately go down as an amusing tale of defenders getting one over on the bad guys, but the analysis of the attack will no doubt signal to all OT organizations the risks of slacking on security.

The researchers point to the early evolution of the Iranian CyberAv3ngers group as evidence that groups switching from pure DDoS to more destructive activities can still cause serious damage.

Numerous attacks on US critical infrastructure organizations, including multiple water facilities, were carried out by IRGC-linked CyberAv3ngers in recent years, prompting CISA et al to issue various alerts about its tradecraft.

Forescout said these types of groups are known for “blending genuine incidents with exaggeration,” so it’s important to treat claims with some scepticism, but thoroughly monitor systems and triage alerts, just in case. ®
