
Threat Actor Characterization

TwoNet

ID: 035031254758b51f853749465e75b07196207
Hacktivist Group · DDoS Crew · Hacktivism
Threat types: DDoS, OT/ICS intrusion
Russia
Updated: 2026-02-24
Created: 2025-10-20
Progress: 54% Completeness: 47% Freshness: 70%
Operation zone:
Aliases
No aliases registered.
MITRE ATT&CK®

TwoNet — pro-Russia hacktivist crew (2025) using Telegram to coordinate DDoS and claim OT/ICS intrusions; high-profile 'water utility' hack was actually a Forescout honeypot revealing weak-credential access and basic HMI/PLC interactions.


Technique | Technique name | Tactics | Evidence
T1498 | Network Denial of Service | TA0040 | 2025-07–2025-10 — Ecosystem reporting places TwoNet in DDoS waves against Ukraine/ally targets.
T1585 | Establish Accounts | TA0042 | 2025-01–2025-10 — Telegram channel(s) used for recruitment, target lists, and boasts.
T1102 | Web Service | TA0011 | 2025-01–2025-10 — Telegram as operational broadcast hub for hacktivist ecosystems.
T1190 | Exploit Public-Facing Application | TA0001 | 2025-09 — Water-utility 'hack' used weak/default credentials on an exposed HMI (honeypot).
T1562 | Impair Defenses | TA0005 | 2025-09 — Disabling logs/alarms on the HMI reported by researchers (decoy context).

Strategic Intelligence
Last updated: 2025-10-21T02:27:13+00:00
TwoNet — Pro-Russia Hacktivist Crew (OT/ICS Claims; Honeypot Exposure)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

TwoNet is a recent entrant (2025) to the pro-Russia hacktivist space, coordinating via Telegram and focusing on DDoS and “hands-on” ICS/OT intrusion claims. In September–October 2025, TwoNet loudly claimed to have breached a Western water utility HMI, disabled alarms/logs, and tampered with PLCs. Subsequent investigations by Forescout revealed that the “plant” was a honeypot, exposing TwoNet’s TTPs and exaggerations. Despite the embarrassment, the episode shows growing intent by claim-driven actors to probe internet-facing OT. Confidence: high on the honeypot findings; medium on broader capability.

  • Identity & posture. Russia-aligned; Telegram coordination; Intel471 and follow-on coverage place emergence in Jan–Jul 2025, recruiting for DDoS and collection.
  • Objectives. Visibility through “critical infrastructure” narratives; OT/ICS signaling to amplify fear/attention; routine DDoS against Ukraine/ally targets.
Social Media & Communication
SOCMINT integrated: 0/3

Address | Verification | SOCMINT
t.me/Two********** | Restricted | Not integrated
t.me/Two****** | Restricted | Not integrated
t.me/Two************* | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.