In a concerning development for industrial cybersecurity, security researchers at Forescout have documented a sophisticated attack on a honeypot server designed to mimic a water treatment plant’s control system. The September incident highlights a growing trend of hacktivists targeting critical infrastructure as a means of gaining notoriety rather than causing actual damage.
The attack was claimed by TwoNet, a relatively new hacktivist group that has been active since early 2025. Using the default credentials “admin/admin,” attackers initially accessed the system from an IP address registered to German hosting provider Dataforest GmbH. They proceeded to create a new account under the username “BARLATI,” which was later used to replace text on the login page with a “HACKED BY BARLATI” message.
During their intrusion, the attackers executed SQL queries to explore the database structure, deleted connected controllers, manipulated parameter values, and disabled logging and alert systems. They exploited the CVE-2021-26829 vulnerability to falsify page content, demonstrating a concerning, if basic, understanding of industrial control systems.
“What makes this incident particularly troubling is not the technical sophistication, but the intent behind it,” said a Forescout researcher who requested anonymity. “The attackers were more interested in claiming they had compromised a real water treatment facility than in causing actual disruption.”
Hours after the breach, TwoNet broadcast their supposed success on Telegram, falsely claiming they had hijacked an operational water system rather than a honeypot designed to attract and study such attacks.
TwoNet emerged on the hacktivist scene earlier this year, initially focusing on DDoS attacks before pivoting to industrial control systems. Their Telegram channel frequently published screenshots allegedly showing compromised SCADA and HMI interfaces from various European facilities, including solar panels, heating systems, and biomass boilers. However, Forescout analysts note that many of these images appear to be from publicly available demonstration panels rather than actual breaches.
The group has also attempted to monetize their activities, offering access to control panels, DDoS services, and even ransomware at premium prices. Before their Telegram channel was shut down, TwoNet announced alliances with other hacktivist groups including CyberTroops and OverFlame, apparently aiming to create the impression of a larger, more formidable network.
This incident is not isolated. Forescout’s honeypots have recorded multiple attacks on industrial controllers and Modbus protocols, often originating from European and Middle Eastern IP addresses. In one case, attackers leveraged the CVE-2021-26828 vulnerability to inject a web shell and access HMI settings after using default passwords to gain entry. Another incident involved coordinated attempts to modify PLC parameters via Modbus and S7 protocols—actions that could potentially disrupt processes in operational environments.
The technical analysis reveals that most attackers use standard tools like Metasploit and pre-made scripts, with behavior suggesting manual monitoring and basic knowledge of industrial protocols. Many attacks target unprotected internet-accessible devices without prior scanning, essentially looking for low-hanging fruit.
“Water and energy sectors are particularly vulnerable,” explained Forescout’s report. “Many control interfaces require no authentication, and logging and monitoring are often inadequate or entirely absent.”
Security experts recommend several immediate measures for industrial control system operators: eliminate weak authentication and default passwords, avoid direct internet exposure of interfaces, implement strict segmentation between IT and OT networks, restrict administrative port access using IP allowlists, and deploy monitoring systems capable of tracking Modbus and S7 commands.
“What we’re seeing is a shift in hacktivist motivations,” concluded the report. “Cyber prestige has become more important than actual results. Groups may disappear, change names, and reappear, but their members and methods remain consistent.”
This evolution of hacktivism into digital propaganda represents a new challenge for critical infrastructure security, where the goal is often visibility rather than disruption—at least for now. As these groups gain experience and potentially collaborate with more sophisticated threat actors, the risk to industrial systems could escalate significantly.
9 Comments
This incident highlights the need for stringent security protocols and employee training in the industrial sector. Complacency can have devastating consequences when it comes to protecting vital services.
Well said. Fostering a culture of cybersecurity awareness and preparedness is crucial to safeguarding critical infrastructure against malicious actors.
While the damage appears limited in this case, the potential consequences of such attacks could be catastrophic. Securing industrial control systems should be a top priority.
Agreed. Exploiting known vulnerabilities to access and manipulate water treatment systems is extremely concerning. Robust cybersecurity measures are crucial to protect public safety.
The use of default credentials to gain initial access is concerning. Industrial operators must enforce strong password policies and multifactor authentication to prevent such basic exploits.
The rise of hacktivist groups like TwoNet using propaganda as a tactic is worrying. We must stay vigilant against such actors and ensure our critical infrastructure is hardened against these emerging threats.
Absolutely. Cybersecurity needs to keep pace with the evolving tactics of hacktivists. Continuous monitoring and rapid patching of vulnerabilities is essential.
I wonder what other vulnerabilities may exist in water treatment systems and other industrial control networks. Comprehensive risk assessments and proactive mitigation strategies are clearly required.
This is an alarming breach of critical infrastructure security. Hacktivists targeting water systems is a serious threat that needs immediate attention and mitigation from authorities and industry.