Pro-Russian hackers caught bragging about attack on fake water utility

A pro-Russian hacker group has been caught boasting about a cyberattack that unfolded entirely inside a decoy system set up by researchers.

The relatively new group, known as TwoNet, claimed in September that it had disrupted a Dutch water facility by hacking into its control systems. In reality, the hackers had infiltrated a honeypot — a decoy network designed by cybersecurity firm Forescout to lure attackers and study their behavior.

According to the company, the threat actor, using the alias Barlati, defaced the login page with an message reading “HACKED BY BARLATI, FUCK.” The attacker also changed configuration settings and disabled alarms — actions that, if carried out on a real system, could have disrupted operations.

Forescout said the incident illustrates how inexperienced hacktivists are increasingly trying to breach operational technology (OT) and industrial control systems (ICS) — the computer systems that manage equipment in critical infrastructure such as power plants and water utilities — often without fully understanding what they are attacking.

“Groups moving from DDoS/defacement to OT/ICS often misread targets, trip over honeypots, or overclaim. That doesn’t make them harmless; it shows where they are headed,” researchers said.

The honeypot incident also highlights how hacktivists increasingly blur the line between propaganda and genuine cyber operations, inflating their capabilities to gain visibility.

TwoNet, which emerged in early 2025, initially launched distributed denial-of-service (DDoS) attacks before attempting more sophisticated intrusions targeting systems that control and monitor industrial equipment — a category known as SCADA — in countries it considers hostile to Russia. It is unclear if any of its claimed attacks actually occurred.

The group announced its shutdown in late September — a reminder of the short life cycle of many hacktivist outfits, which often rebrand, merge, or resurface under new names, Forescout said.

Industrial systems in the crosshairs

TwoNet’s claims echo similar boasts by other pro-Russian groups that have allegedly targeted critical infrastructure.

In recent months, groups such as CyberTroops and OverFlame have claimed to compromise control interfaces at solar and hydroelectric facilities across Europe. 

Forescout researchers said their honeypots routinely attract attacks from Russia and Iran, but this was the first time a named group had publicly claimed to have breached one of their decoy systems.

While the TwoNet incident caused no harm, some hacktivist operations have had real-world consequences.

In late 2023, the Russian government-aligned group known as the Cyber Army of Russia Reborn (CARR) claimed to have attacked the industrial control systems of multiple U.S. and European critical infrastructure targets.

In January 2024, the group took responsibility for overflowing water storage tanks in Texas, leading to the loss of tens of thousands of gallons of water. CARR also claimed to have compromised the SCADA system of a U.S. energy company, gaining control over alarms and pumps for its tanks.

In June, the U.S. State Department accused Iranians allegedly affiliated with a group known as CyberAv3ngers of targeting critical infrastructure with malware designed to compromise industrial control systems.

“Utilities, especially in the water and power sectors, remain key targets,” Forescout said. “Our water-utility honeypot and affiliates’ solar claims mirror broader exposure in utility environments where security budgets, awareness, or accountability lag.”