National Cyber Warfare Foundation (NCWF)

TwoNet


2025-10-09 17:58:21
blscott

TwoNet as a Pro‑Russian Hacktivist / Threat Actor

Background & Emergence

  • TwoNet surfaced publicly in early 2025 as a new pro‑Russian hacktivist or cyber threat actor group. (The Record from Recorded Future)

  • The group operates in a style similar to other pro‑Kremlin hacktivist actors (for example, KillNet, NoName057(16), XakNet Team), using tactics such as DDoS attacks, website defacements, data leaks, and targeting critical infrastructure. (The Record from Recorded Future)

  • It is believed to have around 40 members involved in hacking, software development, and open‑source intelligence (OSINT) gathering. (The Record from Recorded Future)

Tactics & Recent Activity


  • DDoS & Defacements
    Initially, TwoNet appeared to rely heavily on distributed denial-of-service (DDoS) operations and defacements of web services in countries aligned with Ukraine or Western interests. (The Record from Recorded Future)

  • Pivot to Infrastructure & OT/ICS Attacks
    Over time, TwoNet has expanded its ambitions. In 2025, it claimed to target critical infrastructure systems, including water treatment facilities (though the systems involved have sometimes been honeypots used by cybersecurity researchers to observe attacker behavior). (BleepingComputer)
    In one observed case, after gaining initial access, the group manipulated human‑machine interface (HMI) layers, disabled logging and alarms, and altered setpoints in programmable logic controllers (PLCs). (BleepingComputer)

  • Propaganda & Recruitment
    TwoNet leverages Telegram channels (a common medium among hacktivist and cybercrime groups) to announce claimed hacks, release data, recruit insiders, and solicit targeting suggestions. (The Record from Recorded Future)
    They have also claimed alliances with other pro‑Russian actors. (X, formerly Twitter)
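
A defender-side illustration of the OT sequence described above (alarms and logging disabled, then a PLC setpoint changed), added here and not taken from the cited reporting. The log layout, action names, window length and sample records are constructed assumptions, and the records are assumed to be forwarded off the HMI so they survive local logging being switched off.

```python
from datetime import datetime, timedelta

# Constructed sample audit records: timestamp user source action target.
# The layout is an assumption for this example, not any vendor's log format.
SAMPLE_LOG = """\
2025-09-01T02:10:05Z operator1 10.0.5.20 LOGIN hmi
2025-09-01T02:11:40Z operator1 10.0.5.20 SETPOINT_WRITE plc1.chlorine_dose
2025-09-01T03:40:12Z admin 203.0.113.7 LOGIN hmi
2025-09-01T03:42:30Z admin 203.0.113.7 ALARM_DISABLE plc1.high_level
2025-09-01T03:43:02Z admin 203.0.113.7 LOGGING_DISABLE hmi.audit
2025-09-01T03:44:55Z admin 203.0.113.7 SETPOINT_WRITE plc1.pump_pid
"""

TAMPER = {"ALARM_DISABLE", "LOGGING_DISABLE"}  # actions that blind operators
WINDOW = timedelta(minutes=30)                 # assumed correlation window

def parse(log_text):
    """Turn whitespace-separated records into time-ordered tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated records
        ts, user, src, action, target = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, user, src, action, target))
    return sorted(events)

def find_tamper_then_write(events, window=WINDOW):
    """Flag setpoint writes that follow alarm/logging tampering by the
    same user and source address within the window."""
    tamper_seen = {}  # (user, source) -> [(time, action), ...]
    alerts = []
    for when, user, src, action, target in events:
        key = (user, src)
        if action in TAMPER:
            tamper_seen.setdefault(key, []).append((when, action))
        elif action == "SETPOINT_WRITE":
            recent = sorted({a for t, a in tamper_seen.get(key, [])
                             if when - t <= window})
            if recent:
                alerts.append({"user": user, "source": src, "setpoint": target,
                               "time": when.isoformat(), "preceded_by": recent})
    return alerts

if __name__ == "__main__":
    for alert in find_tamper_then_write(parse(SAMPLE_LOG)):
        print(alert)
```

The routine setpoint change by `operator1` is not flagged; only the write that follows alarm and logging tampering from the same session raises an alert.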

Risks & Implications

  • Blurring lines between hacktivism and cybercrime
    TwoNet’s operations indicate a mix of ideologically motivated hacking and financially or strategically motivated intrusion. Their public channels reportedly advertise services such as “hacker-for-hire,” ransomware-as-a-service, or initial access to industrial systems. (BleepingComputer)

  • Increased threat to critical infrastructure
    Their shift toward operational technology (OT) and industrial control systems (ICS) is particularly concerning, as disruption of these systems often has more severe consequences (e.g. utility outages, physical damage). (BleepingComputer)

  • Tactical evolution & agility
    TwoNet demonstrates that threat actors can pivot quickly — from DDoS / web attacks into deeper system compromise, reconnaissance, and control. This underscores that organizations must defend beyond just web infrastructure.

Hacktivist / Threat Actor Side

  • Will TwoNet increasingly target real infrastructure (power, water, transport) rather than primarily websites? Recent campaigns suggest yes. (BleepingComputer)

  • Will they develop more persistent, stealthy intrusion techniques beyond overt defacements and DDoS?

  • The possibility of alliances or mergers with other pro-Russian hacking groups may broaden their operational toolkit and geographic reach.




Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.