TwoNet OT/ICS targeting campaign
Campaign
Summary
The TwoNet hacktivist group has shifted from DDoS to critical infrastructure targeting, increasing the risk of disruptive OT/ICS attacks. In a September operation against a decoy water treatment plant, the group moved from access to disruption in roughly 26 hours. The operators used default credentials, created a Barlati account, and abused CVE-2021-26829 to display "Hacked by Barlati." They then disabled PLC real-time updates and changed PLC setpoints in the HMI.
Related Happenings
CISA April 7 Rockwell Automation/Allen-Bradley PLC mitigation advisory
Advisory/Mitigation
First: 08.04.2026 11:15
Last: 08.04.2026 11:15
Sources 1
About this happening:
**CISA** and authoring agencies issued **April 7** mitigation guidance for **internet-facing OT assets**, warning that **US critical infrastructure** operators using **Rockwell Au...
Russian-speaking hacker AI-assisted FortiGate breach campaign
Campaign
First: 21.02.2026 15:50
Last: 21.02.2026 15:50
Sources 1
About this happening:
The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...
TwoNet’s Telegram cybercrime-service ads and doxxing of officials
Threat Actor Meta
First: 09.10.2025 14:13
Last: 09.10.2025 14:13
Sources 1
How related:
The gang also published personal details of intelligence and police personnel, commercial offerings for cybercrime services like ransomware-as-a-service (RaaS), hacker-for-hire, or for initial access to SCADA systems in Poland.
About this happening:
**TwoNet** expanded its Telegram activity into **cybercrime-service brokerage**, advertising **RaaS**, **hacker-for-hire**, and **SCADA access** while also exposing **intelligence...
Timeline
09.10.2025 14:13 3 articles · 7mo ago
TwoNet expands from DDoS to critical infrastructure targeting
Campaign Scope Update
TwoNet, a pro-Russian hacktivist group that had focused on DDoS attacks, broadened into critical infrastructure targeting and tried to reach HMI or SCADA interfaces in "enemy countries." A September compromise at a decoy water treatment facility used as a honeypot showed default-credential access, database enumeration, creation of a Barlati account, exploitation of CVE-2021-26829 to display "Hacked by Barlati," and disruptive changes that removed PLCs from the data source list and altered PLC setpoints in the HMI.
Sources:
- Hacktivists target critical infrastructure, hit decoy plant — www.bleepingcomputer.com — 09.10.2025 14:13
- Hacktivists target critical infrastructure, hit decoy plant — www.bleepingcomputer.com — 09.10.2025 14:13
- Pro-Russia Hacktivists “Claim” Attack on Water Utility Honeypot — www.infosecurity-magazine.com — 10.10.2025 11:15