When Hacktivists Target Water Utilities

February 3
19 mins

Episode Description

Russian-aligned hacktivist groups are increasingly targeting industrial control systems and OT environments—and sometimes it’s shockingly easy. In this episode, Daniel dos Santos, VP of Research at Forescout, walks through how his team used a honeypot to observe an attack against a simulated water treatment facility. We explore attacker motivations, common entry points, and what defenders must prioritize now.


What You’ll Learn

  • How honeypots can uncover real-world hacktivist tactics and behaviors

  • Why exposed HMIs remain one of the weakest entry points in OT environments

  • How Telegram has become a primary platform for hacktivist attack claims

  • The evolving motivations behind Russian-aligned hacktivist groups

  • Why visibility across all networked devices is critical to defense

  • How opportunistic attacks differ from targeted nation-state operations

  • Practical steps to avoid becoming “easy prey” for attackers


Episode Highlights

  • 00:02:30 – How the Attack Was Discovered: Spotting the honeypot activity through Telegram claims

  • 00:04:00 – The Entry Point Explained: Default credentials and exposed HMIs

  • 00:06:45 – Hacktivist Motivation Shift: From activism to geopolitics and profit

  • 00:10:50 – Why OT Attacks Are Hard to Eradicate: Hidden devices and lateral movement

  • 00:14:20 – The Core Defensive Takeaway: Don’t ignore opportunistic threats


Episode Resources

  • Forescout Research Reports

  • Telegram (hacktivist communications platform)

  • Canadian Government OT Security Alert

  • Shodan (internet-exposed asset scanning tool)
