Tuesday, December 16, 2025

Pro-Russian hackers tricked into attacking decoy target

Hands on a laptop with overlaid logos representing network security
(Image credit: Thapana Onphalai via Getty Images)

  • TwoNet breached a fake Dutch water facility using default credentials
  • The target was a Forescout honeypot designed to study attacker behavior
  • Hackers increasingly target critical infrastructure, often aiming for ransom

A relatively young pro-Russian hacktivist group called TwoNet recently breached a Dutch water facility organization. They logged into the human-machine interface (HMI) using weak, default credentials and exploited a vulnerability to deface the website.

They then deleted connected programmable logic controllers (PLCs) as data sources, which disabled real-time updates, and changed PLC setpoints through the HMI. Once that was done, they modified system settings to disable logs and alarms. After successfully striking the critical infrastructure organization, they took to their Telegram channel to advertise their win, gain a little credibility and, hopefully, some notoriety.

Now, for the plot twist: the Dutch water facility organization does not exist.

Concrete action

The website was real, and so was the infrastructure. But it was all an elaborate ruse set up by cybersecurity researchers at Forescout to trick cybercriminals into revealing their tactics, techniques, and procedures (TTPs), a typical honeypot.

Forescout has been building these honeypots for a little while now, and says that it’s seen hackers trying to deploy ransomware before.

Last year a fake healthcare clinic caught a few threat actors, allegedly. However, this is the first time that hackers have publicly boasted about breaching something that wasn’t real.

“Groups moving from DDoS/defacement to OT/ICS often misread targets, trip over honeypots, or over-claim,” the researchers explained in their write-up: “That doesn’t make them harmless – it shows where they are headed.”


Critical infrastructure organizations, including water and wastewater treatment facilities, power plants, data centers, airports, and similar, are increasingly targeted by cybercriminals.

Most of the time these are ransomware actors, groups believing they could force the companies into paying a ransom demand in order to remain operational and avoid even higher costs of restarting operations.

In some cases, the attackers are state-sponsored and tasked with either cyber-espionage, or setting up a kill-switch to be activated in certain scenarios.
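For defenders, the sequence reported above (default-credential HMI login, PLC data sources removed, setpoints changed, logs and alarms disabled) can be correlated per session. The following is an added example, not code from Forescout or the article; the JSON event schema, action names and the `default_password` flag are hypothetical, and the sample events are constructed.

```python
import json

# Constructed sample: HMI audit events in a hypothetical JSON-lines schema,
# assumed to be forwarded off-box so a local "disable logs" change cannot erase them.
SAMPLE_EVENTS = """\
{"ts": 100, "session": "s1", "user": "admin", "action": "login", "default_password": true}
{"ts": 160, "session": "s1", "user": "admin", "action": "datasource_delete", "target": "PLC-1"}
{"ts": 170, "session": "s1", "user": "admin", "action": "setpoint_write", "target": "PLC-2"}
{"ts": 240, "session": "s1", "user": "admin", "action": "logging_disable"}
{"ts": 250, "session": "s1", "user": "admin", "action": "alarm_disable"}
{"ts": 900, "session": "s2", "user": "operator7", "action": "login", "default_password": false}
{"ts": 950, "session": "s2", "user": "operator7", "action": "setpoint_write", "target": "PLC-1"}
"""

# Hypothetical action names mapped to the stages described in the article.
ACTION_TO_STAGE = {
    "datasource_delete": "data_source_removed",
    "setpoint_write": "setpoint_changed",
    "logging_disable": "visibility_disabled",
    "alarm_disable": "visibility_disabled",
}

def stage_of(event):
    """Map one audit event to a stage name, or None if it is not of interest."""
    if event["action"] == "login":
        return "default_credential_login" if event.get("default_password") else None
    return ACTION_TO_STAGE.get(event["action"])

def triage(log_text, window=3600):
    """Return {session: (severity, ordered stages)} for sessions showing any stage."""
    first_seen, stages = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["session"]
        first_seen.setdefault(sid, ev["ts"])
        stage = stage_of(ev)
        in_window = ev["ts"] - first_seen[sid] <= window
        if stage and in_window and stage not in stages.setdefault(sid, []):
            stages[sid].append(stage)
    result = {}
    for sid, seen in stages.items():
        if "visibility_disabled" in seen and len(seen) >= 2:
            result[sid] = ("critical", seen)  # tampering with logs/alarms plus other activity
        else:
            result[sid] = ("high" if len(seen) >= 2 else "review", seen)
    return result

if __name__ == "__main__":
    for session, (severity, seen) in triage(SAMPLE_EVENTS).items():
        print(session, severity, " -> ".join(seen))
```

A routine operator setpoint change on its own stays at "review"; only the combination of stages within one session escalates.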

Via Cybernews



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
