Data Security Decoded
Episode: When Hacktivists Target Water Utilities: Inside a Russian-Aligned OT Attack
Date: February 3, 2026
Host: Caleb Tolan
Guest: Daniel DeSantos, VP of Research at Forescout Technologies
Episode Overview
This episode examines a real-world incident in which Russian-aligned hacktivist groups targeted a decoy water treatment plant through an exposed Human Machine Interface (HMI). Host Caleb Tolan and guest Daniel DeSantos dissect the attack, the motivations driving these hacktivist collectives, and practical defense strategies for organizations managing operational technology (OT) and industrial control systems (ICS). The discussion centers on visibility, risk reduction, and how the threat environment has evolved from simple vandalism to geopolitically motivated actions with an emerging profit component.
Key Discussion Points & Insights
1. Background: The Evolution of Hacktivist Motivation
[00:10, 08:15]
- Early hacktivist efforts focused on simple tasks like website defacements or distributed denial-of-service, often with the goal of spreading political messages or advocating for internet rights.
- Since the Russian invasion of Ukraine, activist groups have shifted to geopolitical alignment, carrying out attacks in support of Russian interests and targeting Ukraine, NATO, and their allies.
- Attack motivation is now primarily to:
  - Support Russia’s war efforts (directly or indirectly)
  - Instill fear in managers of critical infrastructure, particularly in the West
  - Align in some cases with direct or indirect state sponsorship
“That has rapidly changed after the war with these groups that are much more aligned to geopolitical interests and specifically in this case, pro Russian interests against Ukraine, against NATO, against the west in general.”
— Daniel DeSantos [00:10], [08:15]
2. Anatomy of the Incident: How the Attack Was Detected and Analyzed
[03:01 - 07:27]
- Forescout deployed a honeypot simulating a water treatment facility in the Netherlands.
- The initial notification came from a Telegram post by a Russian-aligned hacktivist group, claiming the attack and sharing a video of their actions.
- This video allowed Forescout to reconstruct the attack and compare public claims with their own telemetry.
- Entry Point: An HMI (Human-Machine Interface) exposed to the internet, using default credentials (e.g., “admin/admin” or “admin1234”).
- Attack Steps:
  - Hackers found the exposed HMI via internet scanning tools like Shodan or Censys.
  - They logged in with default credentials.
  - They subsequently manipulated settings and simulated tampering with the facility.
- This opportunistic style is typical: Hacktivists attack whatever is easy and exposed.
“So that was the entry point. They basically saw that exposed on the Internet on purpose. We had exposed that and it had default credentials… So something simple as admin.admin or admin 1234. And they basically managed to get in and from there launch the rest of the attack.”
— Daniel DeSantos [05:05]
- Related Trend: The Canadian government issued similar alerts about hacktivist groups using the same exposed-HMI tactic globally.
3. Motivations of Russian-Aligned Hacktivist Groups
[07:27 - 11:19]
- While motivations differ slightly among groups, major themes include:
  - State support: Many activities are intended to support the Russian war effort against Ukraine and its supporters.
  - Fear-mongering: Attacks on supportive Western countries aim to erode confidence and sow uncertainty.
  - Direct state involvement: Some hacktivist (“cyber army”) groups serve as proxies or fronts for state-directed activity.
- Emergent Financial Motive: Some groups are now also seen selling exfiltrated data, access, or exploits—blurring the line between hacktivism and cybercrime.
“But we do see more and more often when we are tracking some of these groups, chats on Telegram, the offers for, you know, selling data that was exfiltrated, or selling initial access into organizations, or selling new exploits and things like that...”
— Daniel DeSantos [10:09]
4. Defensive Measures: What Can Defenders Do?
[11:19 - 14:44]
- First Principle: Visibility
  - Know all assets on your network.
  - Track endpoints and their connections.
  - Identify vulnerabilities (especially default/reused credentials).
- Why Visibility?
  - Attackers now compromise nontraditional endpoints (IP cameras, network devices) as persistence points, making traditional endpoint defense insufficient.
  - Without comprehensive network visibility, attackers can remain hidden and reinitiate attacks even after defenders “clean up” workstations.
- Practical Steps:
  - Don’t expose critical systems or interfaces (like HMIs) to the internet.
  - Remove default/admin credentials on all devices.
  - Implement strong segmentation between business/IT and OT networks.
  - Go beyond endpoint detection—deploy network-wide monitoring.
“...increasing visibility on the network...from a central point of view, see all the assets that you have connected to your network, who they're communicating with, what vulnerabilities they have, what are the credentials that they have. Like I said, default credentials being used in a device is never a good idea.”
— Daniel DeSantos [12:02]
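The practical steps above (no internet-exposed HMIs, no default credentials, IT/OT segmentation) can be turned into a repeatable audit over an asset inventory. The script below is an added example written for these show notes, not Forescout tooling or anything from the episode; the inventory, the perimeter port-forward rules, the observed flows, the subnet ranges and the list of vendor default logins are all constructed for illustration.

```python
"""Audit a constructed OT inventory for the three basics named in the episode:
internet-exposed HMIs, default credentials, and IT-to-OT traffic that
segmentation should block. Added example; all data below is constructed."""
import ipaddress
from dataclasses import dataclass

# Assumed: ports an HMI or PLC typically serves (web UI, VNC, Modbus/TCP, S7comm).
OT_SERVICE_PORTS = {80, 443, 5900, 502, 102}
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")   # constructed plant network
IT_SUBNET = ipaddress.ip_network("10.10.0.0/16")   # constructed office network
# Assumed: vendor default logins the credential audit compares against
# (the first two are the ones mentioned in the episode, the third is constructed).
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "admin1234"), ("admin", "")}


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    role: str      # "hmi", "plc", "workstation"
    login: tuple   # (username, password) currently configured; constructed


@dataclass(frozen=True)
class Forward:
    """Perimeter port-forward rule: public port -> internal host:port."""
    public_port: int
    internal_ip: str
    internal_port: int


@dataclass(frozen=True)
class Flow:
    """A connection observed by network monitoring."""
    src: str
    dst: str
    dst_port: int


def exposed_assets(assets, forwards):
    """Assets reachable from the internet through a perimeter forwarding rule."""
    targets = {f.internal_ip for f in forwards}
    return [a for a in assets if a.ip in targets]


def default_credential_assets(assets):
    """Assets whose configured login matches a known vendor default."""
    return [a for a in assets if a.login in DEFAULT_LOGINS]


def segmentation_violations(flows):
    """IT-originated connections to OT service ports that segmentation should block."""
    out = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in IT_SUBNET and dst in OT_SUBNET and f.dst_port in OT_SERVICE_PORTS:
            out.append(f)
    return out


def audit(assets, forwards, flows):
    """Return findings as (severity, subject, description), highest severity first."""
    findings = []
    exposed = {a.name for a in exposed_assets(assets, forwards)}
    weak = {a.name for a in default_credential_assets(assets)}
    for a in assets:
        if a.name in exposed and a.name in weak:
            # Exactly the combination the honeypot presented: reachable and trivially logged into.
            findings.append(("critical", a.name, "internet-exposed with default credentials"))
        elif a.name in exposed:
            findings.append(("high", a.name, "reachable from the internet"))
        elif a.name in weak:
            findings.append(("high", a.name, "default credentials in use"))
    for f in segmentation_violations(flows):
        findings.append(("medium", f"{f.src}->{f.dst}:{f.dst_port}", "IT host reaching OT service"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda x: order[x[0]])


# Constructed sample data, modelled on the honeypot set-up described in the episode.
ASSETS = [
    Asset("hmi-01", "10.20.1.10", "hmi", ("admin", "admin")),
    Asset("plc-01", "10.20.1.20", "plc", ("engineer", "c0rrect-horse")),
    Asset("ws-eng", "10.10.5.7", "workstation", ("jdoe", "unique-pass")),
]
FORWARDS = [Forward(8080, "10.20.1.10", 80)]   # HMI web UI published to the internet
FLOWS = [
    Flow("10.10.5.7", "10.20.1.20", 502),      # office workstation polling the PLC directly
    Flow("10.20.1.10", "10.20.1.20", 502),     # HMI -> PLC, expected inside the OT segment
]

if __name__ == "__main__":
    for sev, subject, what in audit(ASSETS, FORWARDS, FLOWS):
        print(f"[{sev}] {subject}: {what}")
```

Run as-is, the audit reports the HMI as critical (published to the internet and still on a vendor default login) and the office-to-PLC Modbus flow as a segmentation violation, while the HMI-to-PLC traffic inside the plant network is left alone. In a real deployment the three inputs would come from the asset inventory, the firewall's NAT configuration and a network sensor rather than from constants.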
5. Main Takeaways for Organizations
[14:44 - 16:55]
- Not All Threats Are Sophisticated: Opportunistic attacks succeed against the “lowest-hanging fruit.” Many incidents are simple but can have real consequences.
- Balance Focus: Defend against sophisticated threats and ensure the basics (non-exposure, secure credentials, patching) are covered.
- Make Yourself a Hard Target: Reduce the risk of being “easy prey” by raising your security baseline.
“...attacks are not only the targeted, super sophisticated nation state attacks these days...But there is also the kind of attack that we just discussed, right. Which is much more opportunistic, much less targeted, and much more focused on just kind of spreading chaos.”
— Daniel DeSantos [15:02]
Notable Quotes & Memorable Moments
- On Hacktivism’s Evolution:
  “That has rapidly changed after the war with these groups that are much more aligned to geopolitical interests...”
  — Daniel DeSantos [08:15]
- On Visibility:
  “Once you have this increased visibility, then you can start proactively understanding what you can do to reduce risk and potentially decrease the likelihood of an attack happening.”
  — Daniel DeSantos [12:42]
- On Defender Challenges:
  “There is always a place to hide in the network where if the defender doesn't have enough visibility...the attacker can start again from there and kind of recreate the infection.”
  — Daniel DeSantos [13:24]
- On Main Takeaway:
  “Make sure that you have done the basics as well to protect against the more opportunistic attacks and that you are not the easy prey...”
  — Daniel DeSantos [15:31]
Key Segment Timestamps
- Introduction to Hacktivist Motivations [00:10], [08:15]
- Setting the Honeypot & Attack Discovery [03:01 - 03:30]
- Attack Entry: Default Credentials & Exposure [05:05]
- Telegram/Media as Signal for Incident Response [03:30]
- Financialization Trend in Hacktivism [10:09]
- Practical Defense Recommendations [12:02 - 14:44]
- Main Takeaways for Defenders [15:02]
- Where to Find Guest’s Work [17:02]
Resources & Contacts
- Daniel DeSantos on LinkedIn: danielDeesantoscout
- Email: daniel.dosantos@caut.com
- Forescout Blog & Reports
Summary
This episode shines a light on how the threat landscape for OT and ICS has shifted from hacktivist “noise” to coordinated, geopolitically charged campaigns by Russian-aligned groups. Real incidents are often opportunistic, leveraging default credentials and exposed systems—especially in critical infrastructure like water utilities. Defenders are urged to prioritize visibility, cover security fundamentals, and recognize that not all threats come from “elite” actors; many come from actors ready to capitalize on simple oversights. The evolution of hacktivism, its potential connections to state entities, and the emergence of profit-seeking blur old security paradigms, demanding that organizations think holistically about their risks.
