Forescout Vedere Labs published a report exposing how a pro-Russian hacktivist group was duped into thinking they had hacked a European water facility, unaware their target was in fact a carefully crafted honeypot.
This “hack” gave Forescout researchers the rare opportunity to see first-hand how these groups look for and exploit weaknesses in critical infrastructure. The attackers broke in with default credentials, defaced the human-machine interface (HMI) and tampered with PLC settings. The group, which went by the name TwoNet at the time, even tried to pass it off as a real-world breach by bragging about it on its Telegram channel.
It’s yet another reminder to critical service providers that threat actors are actively targeting our most vulnerable services: a honeypot last year designed to look like a healthcare clinic attracted cybercriminals who attempted to deploy ransomware.
Forescout Vedere Labs offered the following mitigation advice:
- Eliminate weak authentication
- Remove direct internet exposure
- Segment rigorously
- Harden admin interfaces
- Require authentication on all IoT/OT admin interfaces:
  - Include web UIs and proprietary engineering ports
  - Disable anonymous/default accounts and enforce strong, unique credentials
- Monitor with IoT/OT-aware deep packet inspection (DPI)
  - DPI should have protocol-aware detection (Modbus, S7, etc.) that creates alerts for: exploitation, password guessing, unauthorized writes, and changes in human-machine interfaces (HMIs)
- Watch for outbound and “dual use”
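As an added illustration of the protocol-aware detection recommended above (this is example code written for this page, not Forescout’s or IT Security Guru’s): a small Modbus/TCP inspector that parses the MBAP header and raises an alert when a write function code arrives from any source not on an allowlist of engineering workstations. The IP addresses, allowlist and frames are constructed sample data.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state (coils / holding registers).
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
# Assumption (constructed): only the engineering workstation may write to the PLC.
AUTHORIZED_WRITERS = {"10.0.1.10"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length covers unit id, function code and data
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def inspect(src_ip: str, frame: bytes):
    """Return an alert string for a malformed frame or an unauthorized write, else None."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"MALFORMED from {src_ip}: {exc}"
    if req.function in WRITE_FUNCTIONS and src_ip not in AUTHORIZED_WRITERS:
        # Every write request begins with the target coil/register address.
        addr = struct.unpack(">H", req.payload[:2])[0] if len(req.payload) >= 2 else None
        return (f"UNAUTHORIZED WRITE from {src_ip}: {WRITE_FUNCTIONS[req.function]} "
                f"unit={req.unit_id} addr={addr}")
    return None

# Constructed sample traffic: a read from the HMI, then a write from an unknown internet host.
SAMPLE_TRAFFIC = [
    ("10.0.1.20", bytes.fromhex("0001000000060103000a0002")),   # 0x03 Read Holding Registers
    ("203.0.113.7", bytes.fromhex("000200000006010600640001")),  # 0x06 Write Single Register
]

for src, frame in SAMPLE_TRAFFIC:
    print(inspect(src, frame))
```

In a real deployment the allowlist would come from the asset inventory and the alerts would feed the SIEM; the same structure extends to S7 and other OT protocols by swapping the parser and the list of state-changing operations.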
To read the full account, see the team’s blog.
The post Pro-Russian hacking group snared by Forescout Vedere Labs honeypot appeared first on IT Security Guru.