
Inside a Russian-Aligned OT Attack with Daniel dos Santos
A
You're listening to the Cyberwire Network powered by N2K.
B
If you go back to 2022, when Russia invaded Ukraine, most hacktivist activity focused on defacements, distributed denials of service and so on, with the goal of sometimes spreading a political message, fighting for freedom of speech or rights on the Internet or things like that throughout the world. Right. That has rapidly changed after the war with these groups that are much more aligned to geopolitical interests and specifically in this case, pro-Russian interests against Ukraine, against NATO, against the West in general. Right. So the motivation that we see with a lot of these groups, at least the main stated motivation, let's say, is to support the war effort of Russia to go against Ukraine and countries that are supporting Ukraine to, in some cases when they're targeting Ukraine directly, potentially support the war effort over there. But in many cases when they are targeting, for instance, our honeypot was located in the Netherlands, right, which is a country that supports Ukraine. It's more about potentially instilling fear in people who are running critical infrastructure in Europe and the US and the West.
A
Hello and welcome to another episode of Data Security Decoded. I'm your host Caleb Tolan, and if this is your first time joining us, welcome to the show. Thanks for spending some time with us. Make sure you hit that subscribe button so you're notified when new episodes go live. And if you're already a subscriber, thanks for coming back and spending more of your time with us. Give us a rating, drop a comment below, let us know what you think about the show. This helps me know what you want to hear more of and it helps us reach more listeners just like you. Now today I had a conversation with Daniel dos Santos, the vice president of research at Forescout Technologies, and we discussed an incident that their team tracked via a honeypot which caught Russia-aligned hacktivist activity targeting a decoy water treatment plant. Let's get into it. Daniel, thank you so much for joining us today. Before we dive into the meat of the conversation, what is something that's not related to cyber that you're completely obsessed with lately? Mine's going to be stained glass. I'm kind of obsessed with it right now. I am collecting lamps, decor, all sorts of stuff that has stained glass. Ideally, one day I'm going to get something with the Tiffany style. I am realizing I'm a bit of a hoarder collector right now and really, really enjoy it. So what's the thing that you're obsessed with lately that's not to do with cyber?
B
I've Been having some time lately to finally catch up on series and movies and things like that. And I've been obsessed with this series called 1883, which is kind of a prequel of Yellowstone. And it's basically, you know, about a western. So, you know, following westerns these days. It's really, really interesting.
A
Very nice, very nice. Well, for our listeners, now they have a new Netflix recommendation. So to, to get into it, you are at Forescout Research, which is an organization that focuses on threat intelligence. And you recently released a report on a Russian-aligned hacktivist group targeting OT and ICS environments. The way your team discovered this was by setting a honeypot out to catch threat actors. To start, how did your team identify this attack? And once you discovered it and began to observe the threat actors' behavior, what happened as you watched the attack happen?
B
Yeah, that's actually a very interesting question because the attack was somewhat fast. Right. It lasted only a couple of days when we actually noticed it first because it's a honeypot network. So it's not something that triggers all alarms and it's all hands on deck and we need to go and immediately do something about it. We let the attack happen so we can study the whole thing. We actually noticed it first when it was posted on Telegram. Usually these groups, these types of hacktivist groups, operate by announcing the attacks that they have done. Right. Claiming attacks, claiming their victims and posting it on Telegram is the social media of choice, let's say. Sometimes X and other platforms, but Telegram is really the one that they use the most. And we noticed in one of these groups that were emerging that we were looking at that they posted an attack on something that looked very familiar to us. So we looked at the honeypot that we ran and we were like, okay, this is, this was an attack that happened here, just happened yesterday. So let's reconstruct everything that happened. And interestingly, they actually posted a video of the actions that they did. And we could kind of compare the video that they posted, the actions that they had, with the firsthand observations that we had behind the scenes to really reconstruct everything that was done and understand kind of what was going on behind the minds of the attackers as well. Right. As they were going through this kind of attack. Right.
A
And how these organizations, we can step out and talk about these hacktivist groups a little bit more broadly and this specific use case too. But what was the entry point and was it similar to other attacks that you've observed in this similar kind of fashion?
B
Yeah, so the entry point is something that we call HMI or Human Machine Interface, which in operational technology and industrial control systems, as the name implies, is the kind of thing that humans use to interact with the machines. Right. So it's basically the graphical user interface, the things where you press the buttons to control the processes. In our case, specifically, since we were simulating a water treatment facility, it was a web application showing some tanks and those tanks were rising water levels. And then you could control some chemicals that go in and so on, and then the tanks would go up and down and all that. So that was the entry point. They basically saw that exposed on the Internet on purpose. We had exposed that, and it had default credentials. Right. Which is something that we see often happening with exposed operational technology to this day. So something simple as admin/admin or admin/1234. And they basically managed to get in and from there launch the rest of the attack. Right. Exploit vulnerabilities and tamper with settings and so on and so on. But to answer your question as well, yes, this is very similar to a lot of activities that we see from these types of groups where they are usually not necessarily focusing on one particular target, one particular organization that they need to attack. It's more like whatever they can find that is of interest, that is relevant, that is exposed on the Internet and that is easy to attack, will be attacked. Right. So that's most likely how they found our honeypot, by using tools such as Shodan or Censys, one of those mass Internet scanning tools that show these exposed systems, and then they just tried a default credential, default username and password, managed to get in and from there they launched the rest of the attack.
Interestingly, a couple of weeks after this attack, there was an alert from the Canadian government about similar types of attacks from hacktivist groups also hacking through HMIs and initial access via exposed devices. So this is something that is happening throughout the world, and the attack we caught is very similar to other things that we observe often.
A
Right. I want to loop back to something you mentioned about these organizations targeting targets that are of interest to them, and something that we've explored in previous episodes. We had one just a couple months ago with Morgan Adensky where we were talking about how China is pre-positioning in US critical infrastructure for some type of conflict that relates to China and Taiwan, and that's really their motivation for getting into these critical infrastructure systems. I would love to talk about the motivation for these Russian-based hacker groups, even these hacktivist groups that you're talking about. What is their motivation behind this? Is it disruption? Is it espionage? Is it financial gain? Is it pre-positioning for something kind of similar in terms of like what's happening with Ukraine and Russia in, in their conflict? What is the motivation behind these types of groups?
B
Yeah, it's a very interesting question. Different groups have somewhat, slightly different motivations, but there is obviously a common theme tying all of them together, and it's a very changing, and changing rapidly, kind of ecosystem. Right. So if you go back to 2022, when Russia invaded Ukraine, most hacktivist activity focused on defacements, distributed denials of service and so on, with the goal of sometimes spreading a political message, fighting for freedom of speech or rights on the Internet or things like that throughout the world. Right. That has rapidly changed after the war with these groups that are much more aligned to geopolitical interests and specifically in this case, pro-Russian interests against Ukraine, against NATO, against the West in general. Right. So the motivation that we see with a lot of these groups, at least the main stated motivation, let's say, is to support the war effort of Russia to go against Ukraine and countries that are supporting Ukraine, in some cases when they're targeting Ukraine directly to potentially support the war effort over there. But in many cases when they are targeting, for instance, our honeypot was located in the Netherlands, which is a country that supports Ukraine. It's more about potentially instilling fear in people who are running critical infrastructure in Europe and the US and the West and so on. There is also a tendency nowadays for some of these groups to actually be much more involved with actual state activities. Right. Some of these groups are known to be fronts for state-sponsored, really, actors. So we've had the examples in the past of Cyber Avengers. We've had the example of the Cyber Army of Russia Reborn. We've had the example of other groups that have been known to be aligned with actually state-sponsored actors. And there is a third element in terms of motivation that is kind of emerging these days.
As I said, it's kind of a fast moving landscape which seems to connect to financial gain as well, which is something that we wouldn't expect mostly from activists. We would usually expect that from cyber criminals. Right. Ransomware gangs and data leak groups and so on. But we do see more and more often when we are tracking some of these groups, chats on Telegram, the offers for, you know, selling data that was exfiltrated, or selling initial access into organizations, or selling new exploits and things like that, selling new ransomware services. So in many cases we are, you know, still scratching our heads and figuring out this, is this real? Is this potentially a scam? Are they actually trying to make money or just create confusion and so on? It's a very, like I said, an ecosystem that's evolving very fast. And the main motivation remains, you know, supporting state efforts from, from Russia. But it seems like some of these groups are branching out into other types of activities as well.
A
Right, right. And if it's confusing so much for the researchers and the threat intelligence community, like you imagine just how confusing it can be for the defenders that are, that are operating these systems too. So I'd love to kind of shift and focus on like, okay, we talked about the problem. It's obviously very rampant. What can organizations do about this? So there was a really great interview with a former senior security official that went out just, just a couple months ago. It was on 60 Minutes. And he was talking about how once these bad actors are in these environments, it's very difficult to root them out. So for the organizations that maybe are doing their threat hunting and threat detection and they're identifying someone in their systems, what can they do to start rooting out these attackers from those OT environments?
B
Yeah, I would like to start by trying to prevent them from getting there in the first place. Obviously, once they're in, it's all hands on deck and we need to respond and we need to root them out, as you said. But I think that really an activity that helps both on the prevention side, the proactive side, and the reactive side, and that I always start with as the first recommendation, is increasing visibility on the network. What I mean by that is making sure that you can actually, from a central point of view, see all the assets that you have connected to your network, who they're communicating with, what vulnerabilities they have, what are the credentials that they have. Like I said, default credentials being used in a device is never a good idea. Once you have this increased visibility, then you can start proactively understanding what you can do to reduce risk and potentially decrease the likelihood of an attack happening, and then reactively understanding what is the actual compromise that has happened in your network. Because part of the reason why it's difficult to root out the attackers, as you mentioned, is that nowadays they're not only using the traditional endpoints for attacks anymore. They're not just, you know, getting into your Windows workstation. And then once you uninstall a malware, then the attacker is gone. Now, they will often get initial access from networking equipment, then move to the Windows workstations, then move to a domain controller, then move to IP cameras on your network or whatever else that might be that is unmanaged. Right. So there is always a place to hide in the network where if the defender doesn't have enough visibility, doesn't know what is actually going on, the attacker can start again from there and kind of recreate the infection. That's one of the reasons why it's kind of difficult to root out these actors once they are inside.
And it's also why it's so relevant to make sure that you can see all the devices in the network and understand which of those will be potentially more likely to be entry points. So you can do something beforehand. Right. Obviously, we can go into specific recommendations once you have visibility: to not use default credentials, as I mentioned, or weak credentials or reused credentials that have been leaked in the past, patch devices, not expose them on the Internet, have network segmentation. All of those are relevant. And we could spend a whole podcast, a whole hour here discussing those. But really, start with making sure that you have visibility into everything, which means don't just rely on the traditional, you know, endpoint detection and response or your traditional agents on your Windows machine. They are very relevant, you should have them, but you should not only rely on them for visibility.
A
Absolutely, absolutely. And for our listeners who are absorbing all of this and trying to figure out what they do about this challenge, what are really the one, two, maybe even three things that you want them to walk away from this conversation understanding, how they can address these threats? Anything else that you haven't already mentioned?
B
Yeah, no, no, for sure. So I think that one thing when I talk about this type of threat, the attacks that we capture, the attacks that we analyze and so on, one thing that I always like to leave people with is that attacks are not only the targeted, super sophisticated nation state attacks these days. Right. Obviously, people are very focused on talking about the Russian threat or the Chinese threat or whatever other threat might be targeting your network with sophisticated malware and unlimited budgets from nation states and all that. And all that is happening, and all that is scary and something you should worry about and protect against. But there is also the kind of attack that we just discussed, right. Which is much more opportunistic, much less targeted, and much more focused on just kind of spreading chaos. Right. And that is the hacktivists we mentioned. There are botnets, there are, you know, automated exploits out there, and so on and so on. A lot of this is happening kind of in the background. It's kind of the background noise of the Internet these days and it does affect critical infrastructure organizations. Right. So my main takeaway is pay attention to all the targeted stuff, all the fancy sophisticated malware out there. That's very relevant. But make sure that you have done the basics as well to protect against the more opportunistic attacks and that you are not the easy prey, because that's the, that's kind of the point of the opportunistic attackers. Right. They will go after the easy prey and if they can get those, then, you know, it doesn't matter if they, if they can get also harder targets or not. Leave those for the state-sponsored super sophisticated actors. So that's my main takeaway. Really pay attention to not just what sounds fancy and sophisticated, but the whole threat landscape.
A
Absolutely, absolutely. Well, Daniel, thank you for joining us. Where can folks find you and learn more about the amazing work that you and your team are doing?
B
Yeah, so you can find me on LinkedIn, danielDeesantoscout and you can email me as well, daniel.dosantoscout.com and just, you know, have a look at all the work that we're doing. We often publish reports, blogs. I post on LinkedIn from time to time. We have a newsletter. We have lots of ways that you can, you know, consume the research that we are doing, but also discuss things of interest and that we can, yeah, have a conversation.
A
Wonderful. Well, thank you again for joining us and until next time, thank you.
B
Caleb.
A
Thank you for spending some time with me today. If you like what you heard, please subscribe wherever you listen and leave us a review on either Apple Podcasts or Spotify. Your feedback really helps us understand what you want to hear more about. And if you want to reach out to me directly about the show, email me at data-security-decoded2k.com that's the letter N number two letter K dot com. Thank you, Rubrik, for sponsoring this podcast. The team at N2K includes senior producer Alice Carruth and executive producer Jennifer Ibin. Content strategy by Mayan Plout. Sound design by Elliot Peltzman. Audio mixing by Elliot Peltzman and Trey Hester. Video production support by Bridgie Cricket Wild and Sorrel Joppy. Thank you so much and see you next time.
Episode: When Hacktivists Target Water Utilities: Inside a Russian-Aligned OT Attack
Date: February 3, 2026
Host: Caleb Tolan
Guest: Daniel dos Santos, VP of Research at Forescout Technologies
This episode delves deeply into a real-world incident where Russian-aligned hacktivist groups targeted a decoy water treatment plant through an exposed Human Machine Interface (HMI). Host Caleb Tolan and guest Daniel dos Santos dissect the attack, the motivations driving these hacktivist collectives, and practical defense strategies for organizations managing operational technology (OT) and industrial control systems (ICS). The discussion centers on visibility, risk reduction, and how the threat environment has evolved from simplistic vandalism to geopolitically motivated actions with emerging profit components.
[00:10, 08:15]
“That has rapidly changed after the war with these groups that are much more aligned to geopolitical interests and specifically in this case, pro Russian interests against Ukraine, against NATO, against the west in general.”
— Daniel dos Santos [00:10], [08:15]
[03:01 - 07:27]
“So that was the entry point. They basically saw that exposed on the Internet on purpose. We had exposed that and it had default credentials… So something simple as admin/admin or admin/1234. And they basically managed to get in and from there launch the rest of the attack.”
— Daniel dos Santos [05:05]
[07:27 - 11:19]
“But we do see more and more often when we are tracking some of these groups, chats on Telegram, the offers for, you know, selling data that was exfiltrated, or selling initial access into organizations, or selling new exploits and things like that...”
— Daniel dos Santos [10:09]
[11:19 - 14:44]
“...increasing visibility on the network...from a central point of view, see all the assets that you have connected to your network, who they're communicating with, what vulnerabilities they have, what are the credentials that they have. Like I said, default credentials being used in a device is never a good idea.”
— Daniel dos Santos [12:02]
[14:44 - 16:55]
Not All Threats Are Sophisticated:
Opportunistic attacks succeed against the “lowest-hanging fruit.” Many incidents are simple but can have real consequences.
Balance Focus:
Defend against sophisticated threats and ensure basics (non-exposure, secure credentials, patching) are covered.
Make Yourself a Hard Target:
Reduce the risk of being “easy prey” by raising your security baseline.
“...attacks are not only the targeted, super sophisticated nation state attacks these days...But there is also the kind of attack that we just discussed, right. Which is much more opportunistic, much less targeted, and much more focused on just kind of spreading chaos.”
— Daniel dos Santos [15:02]
On Hacktivism’s Evolution:
“That has rapidly changed after the war with these groups that are much more aligned to geopolitical interests...”
— Daniel dos Santos [08:15]
On Visibility:
“Once you have this increased visibility, then you can start proactively understanding what you can do to reduce risk and potentially decrease the likelihood of an attack happening.”
— Daniel dos Santos [12:42]
On Defender Challenges:
“There is always a place to hide in the network where if the defender doesn't have enough visibility...the attacker can start again from there and kind of recreate the infection.”
— Daniel dos Santos [13:24]
On Main Takeaway:
“Make sure that you have done the basics as well to protect against the more opportunistic attacks and that you are not the easy prey...”
— Daniel dos Santos [15:31]
This episode shines a light on how the threat landscape for OT and ICS has shifted from hacktivist “noise” to highly coordinated, geopolitically charged campaigns by Russian-aligned groups. Real incidents are often opportunistic, leveraging default credentials and exposed systems—especially in critical infrastructure like water utilities. Defenders are urged to prioritize visibility, cover security fundamentals, and recognize that not all threats come from the “elite” but from actors ready to capitalize on simple oversights. The evolution of hacktivism, potential connections to state entities, and the emergence of profit-seeking blur old security paradigms, demanding that organizations think holistically about their risks.
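As an added illustration of the "visibility first, then fix the basics" advice in the takeaways above (this is example code written for this summary, not code from the episode or from Forescout), the script below takes a constructed asset inventory and ranks each device by the hygiene gaps the guest names: internet exposure, default or weak credentials, missing patches, and OT devices reachable from the IT zone. The credential list, the finding weights, the zone names and the sample devices are all assumptions made up for the example.

```python
"""Rank OT/IT assets by basic-hygiene gaps: internet exposure, default or
weak credentials, missing patches, flat segmentation. All inventory data,
credential pairs and weights below are constructed for illustration."""

from dataclasses import dataclass, field

# Default credential pairs to flag. The first two are the ones named in the
# interview; the rest are common vendor placeholders. Constructed, not exhaustive.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", "password"),
    ("root", "root"),
}

# Assumed weight per finding; higher means fix sooner.
WEIGHTS = {
    "INTERNET_EXPOSED": 5,
    "DEFAULT_CREDENTIALS": 4,
    "WEAK_CREDENTIALS": 3,
    "UNPATCHED": 2,
    "REACHABLE_FROM_IT": 2,
}

MIN_PASSWORD_LENGTH = 12  # assumed policy threshold


@dataclass
class Asset:
    name: str
    kind: str                      # e.g. "hmi", "plc", "camera", "workstation"
    zone: str                      # "ot", "dmz" or "it" (assumed zone model)
    internet_exposed: bool
    username: str
    password: str
    patched: bool
    reachable_from: set = field(default_factory=set)  # zones that can reach it


def findings_for(asset):
    """Return the hygiene findings for one asset, in a stable order."""
    found = []
    if asset.internet_exposed:
        found.append("INTERNET_EXPOSED")
    if (asset.username, asset.password) in DEFAULT_CREDENTIALS:
        found.append("DEFAULT_CREDENTIALS")
    elif len(asset.password) < MIN_PASSWORD_LENGTH:
        found.append("WEAK_CREDENTIALS")
    if not asset.patched:
        found.append("UNPATCHED")
    # An OT device that IT hosts can reach directly is a lateral-movement path.
    if asset.zone == "ot" and "it" in asset.reachable_from:
        found.append("REACHABLE_FROM_IT")
    return found


def risk_score(found):
    """Sum the weights of a list of findings."""
    return sum(WEIGHTS[f] for f in found)


def prioritise(inventory):
    """Return (name, score, findings) tuples, highest risk first; clean assets omitted."""
    rows = []
    for asset in inventory:
        found = findings_for(asset)
        if found:
            rows.append((asset.name, risk_score(found), found))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


# Constructed inventory modelled loosely on the decoy plant described on the page.
INVENTORY = [
    Asset("hmi-water-01", "hmi", "ot", True, "admin", "admin", False, {"it", "internet"}),
    Asset("plc-dosing-02", "plc", "ot", False, "operator", "Chlorine-Dosing-2024!", True, {"ot"}),
    Asset("cam-lobby-07", "camera", "it", False, "admin", "1234", False, {"it"}),
    Asset("eng-ws-03", "workstation", "it", False, "engineer", "Summer2025", True, {"it"}),
]

if __name__ == "__main__":
    for name, score, found in prioritise(INVENTORY):
        print(f"{name:14} score={score:2}  {', '.join(found)}")
```

Run as a script it lists the exposed HMI with default credentials first, the unpatched camera with a default password second, and the workstation with a short password last; the properly configured PLC does not appear at all. In practice the inventory would come from the network-visibility tooling the guest describes rather than from a hard-coded list, and the weights would be tuned to the site.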