- TwoNet Breached Fake Dutch Water Facility Using Default Credentials
- The target was a Forescout honeypot designed to study attacker behavior.
- Hackers are increasingly attacking critical infrastructure, often with the goal of demanding a ransom.
A relatively young pro-Russian hacktivist group called TwoNet recently broke into a Dutch water facilities organization. They logged into the human machine interface (HMI) using weak default credentials and exploited a vulnerability to deface the website.
They then removed the connected programmable logic controllers (PLCs) as data sources, which disabled real-time updates, and changed the PLC setpoints through the HMI. Once this was done, they modified the system configuration to disable logs and alarms. After successfully attacking the critical infrastructure organization, they took to their Telegram channel to announce their victory, gain some credibility, and hopefully some notoriety.
Now for the plot twist: the Dutch water facilities organization does not exist.
Concrete action
The website was real, as was the infrastructure. But it was all an elaborate ruse, created by cybersecurity researchers at Forescout to trick cybercriminals into revealing their tactics, techniques and procedures (TTPs): a typical honeypot.
Forescout has been building these honeypots for a while and says it has seen hackers trying to deploy ransomware before.
Last year, a fake health clinic reportedly lured some menacing actors. However, this is the first time hackers have publicly boasted about having breached something that wasn’t real.
“Groups that move from DDoS/defacement to OT/ICS often misunderstand targets, run into honeypots, or make too many claims,” the researchers explained in their paper: “That doesn’t make them harmless: it shows where they’re headed.”
Critical infrastructure organizations, including water and wastewater treatment facilities, power plants, data centers, airports, and the like, are increasingly being targeted by cybercriminals.
Most often these are ransomware actors, groups who believe they could force companies to pay a ransom demand to continue operating and avoid even higher costs of restarting operations.
In some cases, attackers are state-sponsored and tasked with performing cyber espionage or setting up a kill switch that will activate in certain scenarios.
Via Cybernews