A newly identified pro-Russian hacktivist group has successfully infiltrated operational technology and industrial control systems belonging to critical infrastructure organizations, employing sophisticated techniques to steal login credentials and disrupt vital services.<\/p>\n
The threat actor, known as TwoNet, represents an emerging class of hacktivists who have expanded beyond traditional distributed denial-of-service attacks to target human-machine interfaces and programmable logic controllers in water treatment facilities, solar installations, and other industrial environments.<\/p>\n
The group\u2019s attack methodology demonstrates a concerning evolution in hacktivist capabilities, moving from simple website defacements to complex manipulation of industrial processes.<\/p>\n
TwoNet\u2019s operations have been observed across multiple European countries, with particular focus on utilities and energy infrastructure in nations they consider adversarial.<\/p>\n
Their activities include database enumeration, system defacement, process disruption, and credential harvesting from internet-exposed OT\/ICS devices.<\/p>\n
Forescout analysts identified<\/a> the malware and attack patterns through sophisticated honeypot operations designed to attract and monitor threat actors targeting critical infrastructure.<\/p>\n The research team\u2019s water treatment facility honeypot successfully captured TwoNet\u2019s intrusion methodology, providing unprecedented visibility into the group\u2019s tactics, techniques, and procedures.<\/p>\n This intelligence gathering effort revealed not only the specific attack vectors employed but also the broader ecosystem of affiliated hacktivist groups operating in coordination.<\/p>\n The attackers demonstrated particular expertise in exploiting default authentication<\/a> mechanisms, utilizing SQL injection techniques, and leveraging known vulnerabilities in human-machine interface systems.<\/p>\n Their operations span multiple industrial protocols including Modbus and S7 communications, indicating sophisticated knowledge of operational technology environments.<\/p>\n The group\u2019s ability to maintain persistence across multiple login sessions and systematically alter critical system configurations represents a significant escalation in hacktivist threat capabilities.<\/p>\n The intrusion methodology employed by TwoNet reveals sophisticated database enumeration capabilities that extend far beyond typical hacktivist operations.<\/p>\n The attackers initiated their assault by logging into the human-machine interface using default credentials (admin\/admin), immediately proceeding to execute complex SQL queries designed to extract comprehensive schema information from the target system.<\/p>\n The group\u2019s initial database reconnaissance<\/a> involved executing sophisticated queries through the sql.shtm page, beginning with failed attempts using primary key enumeration commands.<\/p>\n When these initial queries failed, the attackers demonstrated remarkable persistence<\/a> by modifying their approach and successfully extracting detailed table structures using alternative SQL syntax:-<\/p>\n Following successful database enumeration, the attackers created a new user account named \u201cBARLATI\u201d and maintained access across multiple sessions spanning nearly 24 hours.<\/p>\n Their systematic approach included exploiting CVE-2021-26829 to inject malicious JavaScript<\/a> code into the HMI login page, creating persistent defacement that would trigger alerts whenever administrators accessed the system.<\/p>\n The attackers also demonstrated advanced operational security by modifying system settings to disable logging and alarm mechanisms, effectively blinding security monitoring<\/a> systems to their ongoing activities.<\/p>\n The sophistication of these database manipulation techniques, combined with the group\u2019s ability to maintain operational security while conducting multi-stage attacks, indicates access to advanced tooling and significant operational experience that extends beyond typical hacktivist capabilities.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Pro-Russian Hacktivist Attacking OT\/ICS Devices to Steal Login Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEghxyz5cmBAQYUhylolwQb4vrSbosL7F-ssjkxpDUswFmPbTMqI1SK6RIR1RgvQjTEAjLF04Pon-x0Qb0Jx5t8yyK09rPcSqMZGxgJpHPWujia98us6Rya4HqsFTbQHXJEqI-XPPBxWVJGIxg3nJfJRDN1pODZbDzyxXBjuBJK8Wk_xeI2x7BILNePiOyY\/s16000\/Threat%2520Actor%2520Network%2520and%2520Affiliations%2520%28Source%2520-%2520Forescout%29.webp?ssl=1\")
Advanced Database Exploitation and System Manipulation Techniques<\/strong><\/h2>\n
SELECT t.TABLENAME, c.COLUMNNAME, c.COLUMNNUMBER, c.COLUMNDATATYPE,\nc.COLUMNDEFAULT, c.AUTOINCREMENTVALUE, c.AUTOINCREMENTSTART,\nc.AUTOINCREMENTINC\nFROM sys.systables t\nJOIN sys.syscolumns c ON t.TABLEID = c.REFERENCEID\nWHERE t.tabletype = 'T'\nORDER BY t.TABLENAME, c.COLUMNNUMBER<\/code><\/pre>\n