What this article highlights is that while ICS attacks are typically believed to be mostly nation-state sponsored, the fact that a lone attacker was able to compromise the honeypot by installing backdoors and a toolset that allows RDP access into the environment is a sure sign that certain bad actors are looking to cash in once they’ve established a foothold into an ICS environment. 

The resale value on the black market is just as enticing to lone hackers who already have the tools and the skills to effectively carry out almost every step of the Cyber Attack Lifecycle, leaving the 'actions on objectives' to the highest bidder.