


Russian-aligned hacktivist groups are increasingly targeting industrial control systems and OT environments—and sometimes it’s shockingly easy. In this episode, Daniel dos Santos, VP of Research at Forescout, walks through how his team used a honeypot to observe an attack against a simulated water treatment facility. We explore attacker motivations, common entry points, and what defenders must prioritize now.
What You’ll Learn
How honeypots can uncover real-world hacktivist tactics and behaviors
Why exposed HMIs remain one of the weakest entry points in OT environments
How Telegram has become a primary platform for hacktivist attack claims
The evolving motivations behind Russian-aligned hacktivist groups
Why visibility across all networked devices is critical to defense
How opportunistic attacks differ from targeted nation-state operations
Practical steps to avoid becoming “easy prey” for attackers
Episode Highlights
00:02:30 – How the Attack Was Discovered: Spotting the honeypot activity through Telegram claims
00:04:00 – The Entry Point Explained: Default credentials and exposed HMIs
00:06:45 – Hacktivist Motivation Shift: From activism to geopolitics and profit
00:10:50 – Why OT Attacks Are Hard to Eradicate: Hidden devices and lateral movement
00:14:20 – The Core Defensive Takeaway: Don’t ignore opportunistic threats
Episode Resources
Forescout Research Reports
Telegram (hacktivist communications platform)
Canadian Government OT Security Alert
Shodan (internet-exposed asset scanning tool)
By Rubrik