Overview
- Forescout Vedere Labs disclosed that TwoNet’s claimed September breach hit a realistic decoy for a European water treatment facility.
- Intruders logged in with default admin/admin, created a 'BARLATI' account, exploited CVE-2021-26829 to deface the HMI, then disabled logs and alarms.
- The attackers removed the PLCs as data sources and changed setpoints through the HMI, moving from initial access to disruption in roughly 26 hours.
- Telemetry tied the intrusion to an IP address at a German hosting provider and indicated Firefox on Linux, with logins tracked over about 20 hours.
- Forescout urged operators to eliminate internet exposure and default accounts, segment OT networks, harden admin interfaces, and deploy protocol-aware DPI, noting TwoNet’s Telegram boasts and frequent rebrands.
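As an added illustration, not code from Forescout's report, the chain summarised above expressed as detection logic over a constructed HMI audit log; the log format, event names, stage mapping and the default-account list are assumptions for the example:

```python
import re
from datetime import datetime

# Log format, field names and the default-account list are assumptions for this example.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
DEFAULT_ACCOUNTS = {"admin"}  # built-in accounts that should never log in over the network
STAGE_OF = {"USER_CREATE": "persistence", "HMI_PAGE_MODIFIED": "defacement",
            "AUDIT_LOG_DISABLED": "defense_evasion", "ALARM_DISABLED": "defense_evasion",
            "DATASOURCE_REMOVED": "impact", "SETPOINT_CHANGE": "impact"}

# Constructed sample HMI audit trail (not real telemetry): one intruder from a hosting-provider
# address, then a legitimate operator change from the management network.
SAMPLE_LOG = """\
2025-09-10T08:00:01Z 203.0.113.5 admin LOGIN_OK
2025-09-10T08:05:12Z 203.0.113.5 admin USER_CREATE name=BARLATI role=administrator
2025-09-10T09:30:00Z 203.0.113.5 BARLATI HMI_PAGE_MODIFIED page=overview
2025-09-11T07:40:00Z 203.0.113.5 BARLATI AUDIT_LOG_DISABLED
2025-09-11T07:41:10Z 203.0.113.5 BARLATI ALARM_DISABLED alarm=high_level
2025-09-11T10:00:01Z 203.0.113.5 BARLATI DATASOURCE_REMOVED plc=PLC-1
2025-09-11T10:02:33Z 203.0.113.5 BARLATI SETPOINT_CHANGE tag=dosing_rate old=1.2 new=9.8
2025-09-11T11:00:00Z 10.0.0.7 jdoe LOGIN_OK
2025-09-11T11:03:00Z 10.0.0.7 jdoe SETPOINT_CHANGE tag=dosing_rate old=9.8 new=1.2
"""

def analyse(log_text):
    """Per source IP: ordered chain stages, accounts created, hours from first default-account login to first impact, escalation flag."""
    per_src = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, user, event, detail = m.groups()
        ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        r = per_src.setdefault(src, {"stages": [], "accounts": [], "login": None, "impact": None})
        if event == "LOGIN_OK" and user in DEFAULT_ACCOUNTS:
            stage, r["login"] = "initial_access", r["login"] or ts
        else:
            stage = STAGE_OF.get(event)
        if stage is None:
            continue
        if stage == "persistence":  # record the account the intruder added for itself
            kv = dict(p.split("=", 1) for p in (detail or "").split() if "=" in p)
            r["accounts"].append(kv.get("name"))
        if stage == "impact":
            r["impact"] = r["impact"] or ts
        if not r["stages"] or r["stages"][-1] != stage:  # collapse repeated stages
            r["stages"].append(stage)
    for r in per_src.values():
        r["hours_to_impact"] = (r["impact"] - r["login"]).total_seconds() / 3600 if r["login"] and r["impact"] else None
        r["escalated"] = "defense_evasion" in r["stages"] and "impact" in r["stages"]  # disruption after log/alarm tampering
    return per_src
```

A lone setpoint change from the management network is reported but not escalated; the intruder's source shows the full chain and the 26-hour gap from first login to first impact.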