Hacktivists target critical infrastructure, hit decoy plant

A pro-Russian hacktivist group called TwoNet pivoted in less than a year from launching distributed denial-of-service (DDoS) attacks to targeting critical infrastructure.

Recently, the threat actor claimed an attack on a water treatment facility that turned out to be a realistic honeypot system set up by threat researchers specifically to observe adversaries’ movements.

The compromise at the decoy facility occurred in September and revealed that the threat actor moved from initial access to disruptive action in about 26 hours.

Decoy plant but real threat

Researchers at Forescout, a company providing cybersecurity solutions for enterprise IT and industrial networks, were monitoring TwoNet's activity in the fake water treatment plant. They observed the hackers trying default credentials and gaining initial access at 8:22 AM.

During the first day, the hacktivist group attempted to enumerate the databases on the system, failing at first and succeeding on the second attempt once they used SQL queries appropriate for that system.

The attacker proceeded to create a new user account called Barlati and announced their intrusion by exploiting an old stored cross-site-scripting (XSS) vulnerability tracked as CVE-2021-26829.

They leveraged the security issue to trigger a pop-up alert on the human machine interface (HMI) that displayed the message “Hacked by Barlati.”

Beyond that defacement, the group also took more damaging actions to disrupt processes and disable logs and alarms.

Forescout researchers say that TwoNet, unaware of breaching a decoy system, disabled the real-time updates by removing the connected programmable logic controllers (PLCs) from the data source list, and changed the PLC setpoints in the HMI.
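The sequence the article describes, from a default-credential login to a new account, a removed PLC data source and a changed setpoint, is exactly what an HMI audit log should surface to operators. The following Python detector is an added example written for this page; it is not code from the article, from Forescout, or from any HMI vendor. The log line format, field names, account names and sample events are all constructed for the example, and the "default account" list is a hypothetical stand-in for whatever vendor-default names apply to a given product.

```python
"""Flag the HMI intrusion pattern described above in a constructed audit log.

Hypothetical log format (not any real product's):
  <ISO-8601 UTC timestamp> key=value key=value ...
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed sample audit log: a failed and then successful login with a
# default account, creation of a new account, and, about a day later,
# a removed PLC data source followed by a setpoint change.
SAMPLE_LOG = """\
2025-09-10T08:21:40Z user=admin event=login result=failure src=203.0.113.5
2025-09-10T08:22:00Z user=admin event=login result=success src=203.0.113.5
2025-09-10T09:05:12Z user=admin event=user_create target=Barlati src=203.0.113.5
2025-09-10T09:30:00Z user=Barlati event=login result=success src=203.0.113.5
2025-09-11T10:22:00Z user=Barlati event=datasource_remove target=PLC-1 src=203.0.113.5
2025-09-11T10:23:30Z user=Barlati event=setpoint_change target=Pump1.Speed old=50 new=95 src=203.0.113.5
"""

# Hypothetical vendor-default account names; a real deployment would use
# the actual defaults documented for its HMI product.
DEFAULT_ACCOUNTS = {"admin", "root", "operator"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Finding:
    ts: datetime
    severity: str
    message: str


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    try:
        fields["ts"] = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return fields


def analyze(log_text):
    """Return (findings, hours_from_first_access_to_first_disruption)."""
    findings = []
    first_access = None      # first successful login with a default account
    first_disruption = None  # first event that alters the process view or setpoints

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        kind, ts, user, src = ev.get("event"), ev["ts"], ev.get("user"), ev.get("src")

        if kind == "login" and user in DEFAULT_ACCOUNTS:
            if ev.get("result") == "success":
                first_access = first_access or ts
                findings.append(Finding(ts, "high", f"login with default account {user} from {src}"))
            else:
                findings.append(Finding(ts, "medium", f"failed login with default account {user} from {src}"))
        elif kind == "user_create":
            findings.append(Finding(ts, "high", f"new HMI account {ev.get('target')} created by {user}"))
        elif kind == "datasource_remove":
            first_disruption = first_disruption or ts
            findings.append(Finding(ts, "critical", f"PLC data source {ev.get('target')} removed by {user}"))
        elif kind == "setpoint_change":
            first_disruption = first_disruption or ts
            findings.append(Finding(ts, "critical",
                                    f"setpoint {ev.get('target')} changed {ev.get('old')} -> {ev.get('new')} by {user}"))

    hours = None
    if first_access and first_disruption:
        hours = (first_disruption - first_access).total_seconds() / 3600
    return findings, hours


if __name__ == "__main__":
    results, elapsed = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts.isoformat()} [{f.severity}] {f.message}")
    print(f"hours from first default-account login to first disruptive action: {elapsed}")
```

Each of the four event types is treated as its own alert rather than waiting for the full chain, since a removed data source or changed setpoint is worth paging on even without a preceding suspicious login; the elapsed-hours figure is there to show how the 26-hour access-to-disruption window in the article can be measured from the same log.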