Forescout’s Vedere Labs reported that a honeynet posing as a water treatment system was compromised by TwoNet, a Russian-aligned hacktivist group. According to the blog post, TwoNet’s activity included:

  • Defacement: Login page changed to HACKED BY BARLATI, F***
  • Process Disruption: Deleted connected PLCs as data sources, disabling real-time updates.
  • Manipulation: Changed PLC setpoints via the HMI.
  • Evasion: Modified system settings to disable logs and alarms.

The attribution to TwoNet rests on claims the group made in a chat, and those same claims indicate they didn’t realize it was a honeynet. It appears that the honeynet’s HMI was Internet accessible and using default credentials, a very soft target.

This is good work and reporting. It is a vivid example that if your OT is Internet accessible it is likely to be attacked (and not changing your default credentials is dumb). Increasingly, attackers will have basic OT knowledge and tools.

What we don’t know is how realistic this honeynet was. That would be another data point on the OT hacking knowledge and talent of the TwoNet team. There are a lot of OT honeypots on the Internet, such as Conpot, and Shodan and other scanning tools flag these as honeypots/honeynets rather than real systems. Should TwoNet have realized it was a honeynet if they had real OT skills?

The fact that the hacktivists were bragging about their actions in this “water utility” means they believed it was real.

More Complete OT Honeynet

The most realistic OT honeynet I’ve seen was created and monitored by Stephen Hilt and the Trend Micro team. It looked like a factory system making injection-molded plastic products. It even had “employees”, each with a job and a persona, generating normal employee activity. He described it in this S4x20 presentation.

Detection Technology

The Forescout and Trend Micro honeynets were deployed to learn about the frequency, methodology, and skill of attackers. Honeypots and honeynets can also be used as a detection mechanism, and they tend to be a high-fidelity signal: any activity at all is suspect, because nothing legitimate has a reason to connect to them.
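To make that detection signal concrete, here is a minimal Modbus/TCP decoy in Python. This is an added example written for this post; it is not code from Forescout, Trend Micro, or any product mentioned here. It answers Read Holding Registers (FC3) and Write Single Register (FC6) the way a small PLC would, from a constructed register table, and turns every frame it receives into an alert record. Writes are rated higher than reads because a write is the action that maps to “changed PLC setpoints via the HMI.” The port (5020, so it runs unprivileged), the register values, and the severity labels are assumptions of the example.

```python
"""Minimal Modbus/TCP honeypot: any connection is an alert, a write is a high-severity one."""
import socket
import struct
import threading
from datetime import datetime, timezone

# Standard public Modbus function codes this decoy recognizes.
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed fake register table standing in for a PLC's setpoints (hypothetical values).
HOLDING_REGISTERS = [120, 55, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

ALERTS = []  # every handled frame produces one record; a real deployment ships these to the SIEM


def parse_request(frame):
    """Decode the MBAP header and the start of the PDU. Raises ValueError on non-Modbus input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    fc, pdu = frame[7], frame[8:]
    req = {"tid": tid, "unit": unit, "fc": fc, "kind": "other", "name": "FC%d" % fc}
    if fc in READ_FUNCS and len(pdu) >= 4:
        addr, count = struct.unpack(">HH", pdu[:4])
        req.update(kind="read", name=READ_FUNCS[fc], addr=addr, count=count)
    elif fc in WRITE_FUNCS and len(pdu) >= 4:
        addr, value = struct.unpack(">HH", pdu[:4])
        req.update(kind="write", name=WRITE_FUNCS[fc], addr=addr, value=value)
    return req


def build_response(req):
    """Answer FC3 and FC6 convincingly; everything else gets a Modbus exception response."""
    fc = req["fc"]
    if req["kind"] == "read" and fc == 3:
        if 0 < req["count"] <= 125 and req["addr"] + req["count"] <= len(HOLDING_REGISTERS):
            regs = HOLDING_REGISTERS[req["addr"]:req["addr"] + req["count"]]
            pdu = bytes([3, 2 * len(regs)]) + struct.pack(">%dH" % len(regs), *regs)
        else:
            pdu = bytes([fc | 0x80, 0x02])  # exception 02: illegal data address
    elif req["kind"] == "write" and fc == 6:
        if req["addr"] < len(HOLDING_REGISTERS):
            HOLDING_REGISTERS[req["addr"]] = req["value"]  # let the intruder "change the setpoint"
            pdu = bytes([6]) + struct.pack(">HH", req["addr"], req["value"])  # FC6 echoes the request
        else:
            pdu = bytes([fc | 0x80, 0x02])
    else:
        pdu = bytes([fc | 0x80, 0x01])  # exception 01: illegal function
    return struct.pack(">HHHB", req["tid"], 0, len(pdu) + 1, req["unit"]) + pdu


def handle_frame(frame, peer):
    """Turn one received frame into (alert record, response bytes). All traffic is an alert."""
    stamp = datetime.now(timezone.utc).isoformat()
    try:
        req = parse_request(frame)
    except ValueError as exc:
        record = {"time": stamp, "peer": peer, "severity": "medium",
                  "event": "non-modbus probe: %s" % exc}
        ALERTS.append(record)
        return record, b""
    severity = "high" if req["kind"] == "write" else "medium"
    event = "%s unit=%d" % (req["name"], req["unit"])
    if req["kind"] == "write":
        event += " addr=%d value=%d" % (req["addr"], req["value"])
    record = {"time": stamp, "peer": peer, "severity": severity, "event": event}
    ALERTS.append(record)
    return record, build_response(req)


def serve(host="0.0.0.0", port=5020):
    """Listen like a PLC would on 502 (5020 here so it runs unprivileged) and log everything."""
    def client(conn, addr):
        with conn:
            while True:
                data = conn.recv(260)  # one ADU per recv is a simplification acceptable for a decoy
                if not data:
                    break
                record, resp = handle_frame(data, "%s:%d" % addr)
                print(record)
                if resp:
                    conn.sendall(resp)
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Inside a plant network the value is that nothing legitimate should ever talk to this address, so even a single FC3 read from an engineering workstation is worth a ticket. The caveat the Conpot point above implies still applies: a decoy that answers every unit ID identically, never changes its register values on its own, and sits behind no real vendor banner is fingerprintable by anyone who scans for honeypots, so the more you rely on it for detection the more realistic its behavior needs to be.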

There are commercial products for this purpose, typically categorized as deception products. I was surprised and impressed with a demo of Fortinet’s FortiDeceptor OT deception capabilities.

The question is when does purchasing, deploying, and maintaining an OT deception product become the thing to do with your next dollar or hour based on an efficient risk reduction prioritization. In 2025, I rarely see an asset owner with a mature enough OT security program where even highly effective deception technology is what they should do next.


OT Honeypot History

Digital Bond, my previously more active OT security consulting and research company, created the first ever OT honeypot in 2007. Charles Perine did most of the work on this. The honeypot mimicked a Modicon PLC and had a points list / config that we obtained from a client for realism. You could read and write to it with Modbus TCP, but I’d still categorize it as low interaction. Maybe slightly better than Conpot, but not close to Forescout’s honeynet.

Back then we never saw anyone try to use the Modbus functionality. Adversaries have progressed somewhat in nearly two decades.