Pro-Russian hacktivists successfully lured to attack fake target


A pro-Russian hacktivist group boasted like eager teens about successfully disrupting a Dutch water facility, but the cyberattack, though real, unfolded inside a decoy system set up by cybersecurity researchers.

The honeypot – a decoy system deliberately exposed to the web to lure attackers and capture their tactics – was cooked up by Forescout, a cybersecurity company.

Last year, one of Forescout’s honeypots, designed as an AI-generated “healthcare clinic,” attracted cybercriminals who attempted to deploy ransomware.


This time, researchers said, something even more significant happened. An emerging pro-Russian hacktivist group targeted a “water treatment utility” honeypot and then, on its Telegram channel, falsely claimed responsibility for a real-world attack.

Indeed, the relatively new group, called TwoNet, claimed in September that it had disrupted a Dutch water facility by hacking into its control systems. According to Forescout, the threat actor defaced the login page with a message “HACKED BY BARLATI, F**K.”


The attack was very real, though: the attacker managed to change configuration settings and disable alarms. This would have disrupted operations of a real system – but, of course, the facility didn’t actually exist.

According to Forescout, the incident illustrates how inexperienced hacktivists are increasingly trying to breach operational technology (OT) and industrial control systems (ICS). The latter manage equipment in critical infrastructure such as power plants and water utilities.

“Groups moving from DDoS/defacement to OT/ICS often misread targets, trip over honeypots, or over-claim,” said Forescout before warning: “That doesn’t make them harmless – it shows where they are headed.”

The researchers explain that even though hacktivist channels “blend genuine incidents with exaggeration,” monitoring still yields value.


Since 2022, the company has seen a growing number of hacktivist attacks against critical infrastructure. Utilities, especially in the water and energy sectors, remain key targets, Forescout adds.

TwoNet is a recent entrant to the pro-Russian hacktivist ecosystem. According to Intel471, the group first appeared on a Telegram channel in January 2025 (soon banned) and initially focused on DDoS attacks.

Since mid-September, however, TwoNet has been using a new Telegram channel to claim activity. Messages indicate a pivot from pure DDoS to a broader mix of activity, including OT/ICS targeting.

