November 14, 2025
A honeynet simulating a water treatment plant was recently attacked by a group identified as TwoNet, which appeared to mistake the decoy for a real operational environment. The attackers gained access through an exposed internet-facing HMI using default credentials, defaced the system interface, tampered with control parameters, and attempted to disable logs and alarms. Their actions included deleting connected PLCs and modifying simulated water flow values, demonstrating how even simple exposures in industrial systems can invite destructive behavior once discovered online.
The incident provides insight into the current skill level and intent of threat actors targeting operational technology. While the attackers showed limited technical understanding of industrial control processes, their willingness to manipulate safety-related controls emphasizes the risks posed by unsecured or misconfigured OT assets. The exercise reinforces the importance of strict access control, network segmentation, and credential management, as well as the value of honeynets in studying real-world attacker behavior against industrial systems.
Source: https://dale-peterson.com/2025/10/14/water-treatment-honeynet-incident-analysis/