The threat involves a hacktivist group known as TwoNet, aligned with Russian interests, conducting targeted attacks against OT and ICS environments, specifically water treatment facilities. The attack was observed in September 2025 via a Forescout honeypot designed to mimic a water treatment plant. TwoNet gained unauthorized access to the human-machine interface (HMI), a critical control point in OT systems, allowing them to perform defacement, disrupt processes, manipulate operations, and evade detection. The attack chain includes exploitation of vulnerabilities (MITRE ATT&CK T1190), lateral movement through remote services (T1021), use of valid credentials (T1078), network reconnaissance (T1016.001), exploitation of Modbus protocol weaknesses (T1210), and data manipulation or destruction (T1464). The group also uses ransomware-as-a-service (RAAS) tools such as MegaMedusa and Overflame, indicating potential for ransomware deployment in OT environments. IP indicators span multiple countries, including Russia, Iran, Germany, and France, reflecting a geographically dispersed infrastructure supporting the attack. Although no active exploits are publicly known, the attack demonstrates the increasing risk posed by hacktivist groups targeting critical infrastructure with sophisticated tactics. The medium severity rating reflects the potential for operational disruption and safety risks inherent in OT/ICS compromises.

For European organizations, especially those managing critical infrastructure like water treatment plants, this threat poses significant risks. Unauthorized HMI access can lead to process disruptions, potentially causing water supply interruptions, contamination risks, or damage to physical equipment. Defacement and manipulation undermine trust in infrastructure integrity and can cause public safety concerns. The use of ransomware tools in OT environments could escalate the impact by encrypting critical control systems, leading to prolonged outages and costly recovery efforts. The presence of IP indicators from Germany and France suggests that attackers may already have footholds or are targeting entities within these countries. Disruption of water treatment services can have cascading effects on public health, industrial operations, and municipal services. Additionally, the attack highlights vulnerabilities in legacy protocols like Modbus, which are widely used in European OT systems. The medium severity rating indicates a tangible but not yet catastrophic threat, emphasizing the need for proactive defenses to prevent escalation.

European OT/ICS operators should implement multi-layered security controls tailored to industrial environments. Specific recommendations include: 1) Enforce strict access controls and network segmentation to isolate HMIs and critical OT components from corporate and internet-facing networks. 2) Deploy robust authentication mechanisms, including multi-factor authentication (MFA), for all HMI and remote access points to prevent credential abuse. 3) Monitor and restrict Modbus and other legacy protocol traffic using deep packet inspection and anomaly detection tools to identify unauthorized commands or manipulations. 4) Conduct regular vulnerability assessments and patch management focused on OT-specific software and hardware, even if no direct patches exist, to reduce attack surface. 5) Implement continuous network monitoring with OT-aware intrusion detection systems (IDS) to detect reconnaissance and lateral movement activities. 6) Use honeypots or deception technologies to detect early-stage intrusions and gather intelligence on attacker tactics. 7) Develop and regularly test incident response plans specifically for OT/ICS scenarios, including ransomware recovery procedures. 8) Collaborate with national cybersecurity centers and share threat intelligence related to TwoNet and similar groups. 9) Restrict and monitor remote access channels, employing VPNs with strong encryption and logging. 10) Train OT personnel on social engineering and credential security to reduce risk of credential compromise. These measures go beyond generic advice by focusing on OT-specific protocols, access controls, and detection tailored to the tactics observed in this threat.