- TwoNet hacked a fake Dutch water plant using default credentials.
- The target was a Forescout honeypot designed to study attacker behavior.
- Hackers are increasingly targeting critical infrastructure, often aiming for ransom.
A relatively young pro-Russian hacktivist group called TwoNet recently hacked a Dutch organization responsible for water installations. They logged in to the human-machine interface (HMI) using weak default credentials and exploited a vulnerability to degrade the website.
They then removed the connected programmable logic controllers (PLCs) as data sources, which disabled real-time updates, and changed the PLC setpoints via the HMI. Once that was done, they changed the system settings to disable logs and alarms. After successfully hitting the critical infrastructure organization, they used their Telegram channel to announce their victory, gain some credibility and, hopefully, some notoriety.
Now the plot twist: the Dutch waterworks organization does not exist.
Concrete actions
The website was real, as was the infrastructure. But it was an elaborate ruse, set up by cybersecurity researchers at Forescout, to trick cybercriminals into revealing their tactics, techniques and procedures (TTPs) – a typical honeypot.
Forescout has been building these honeypots for some time now and says it has already seen hackers attempt to deploy ransomware.
Last year, a fake health clinic reportedly caught a few threat actors. However, this is the first time hackers have publicly bragged about breaching something that wasn’t real.
“Groups moving from DDoS/defacement to OT/ICS have often misread their targets, stumbled upon honeypots, or made excessive claims,” the researchers explain in their paper: “This doesn’t make them harmless – it shows where they’re going.”
Critical infrastructure organizations, including water and wastewater treatment facilities, power plants, data centers, airports, and more, are increasingly being targeted by cybercriminals.
Most often, these are ransomware actors: groups that believe they can force businesses to pay a ransom demand in order to remain operational and avoid even higher restart costs.
In some cases, the attackers are state-sponsored and tasked with either cyberespionage or setting up a kill-switch to activate in certain scenarios.
Via Cybernews