Summary (Bottom Line Up Front)
Between 16 and 17 February 2026 a single source in Bangladesh (103.159.218.198) sent 982 SMB1 Negotiate Protocol requests to Modbus TCP listeners on 502/TCP. An SMB payload on a port that should only ever see MBAP-framed Modbus traffic is a protocol-confusion pattern, and the activity is assessed as reconnaissance rather than exploitation of Modbus itself. It is rated HIGH severity because it persisted for 32 hours against ICS-exposed hosts and suggests an interest in Windows-based HMI platforms that may also expose SMB. Immediate actions: segment OT from untrusted networks and enforce application-layer validation so that only well-formed Modbus frames reach port 502.
Activity Timeline
INITIAL REPORT 2026-03-17T13:41:01Z
Source: Analyst Manual Entry
Threat actors from Bangladesh (103.159.218.198) conducted 982 protocol confusion attacks between February 16-17, 2026, targeting Modbus TCP infrastructure with SMB negotiation requests. This HIGH-severity reconnaissance activity indicates potential targeting of Windows-based HMI systems in industrial environments. Immediate network segmentation and protocol validation controls are recommended.
Technical details
- Attack Vector: SMB1 Negotiate Protocol requests sent to 502/TCP (the Modbus TCP port), i.e. an SMB payload on a port where only MBAP-framed Modbus traffic is expected (protocol confusion)
- Volume: 982 events over a 32-hour period (2026-02-16 04:00 to 2026-02-17 12:00 UTC), roughly 30 per hour
- Source: 103.159.218.198 (AS141474, Bangladesh); AbuseIPDB confidence score 92/100 at time of analysis
- MITRE ATT&CK: T1190 (Exploit Public-Facing Application) as recorded; no exploitation is documented here, and if none is confirmed the activity maps more closely to T1595 (Active Scanning)
- Kill Chain Phase: Reconnaissance
- Primary Pattern: SMB1 protocol usage (912 of the 982 hits); each event is rated medium severity on its own, and the overall HIGH rating is driven by the risk factors below
- Target Profile: Industrial control systems, potentially Windows-based HMI platforms that accept SMB
- Risk Factors: Use of the deprecated SMB1 protocol, high persistence (continuous activity over 32 hours), ICS targeting
IOCs
IP: 103.159.218.198
ASN: 141474
COUNTRY: BD
Recommendations
- Enforce application-layer protocol validation at the OT boundary: forward only well-formed Modbus TCP (MBAP-framed) requests to 502/TCP and drop and alert on anything else, including SMB framing
- Restrict SMB (445/TCP, 139/TCP) so it cannot reach OT hosts from untrusted networks; note that the observed traffic carries SMB payloads on port 502, so port-based SMB blocking complements validation on 502 rather than replacing it
- Segment IT and OT with a Modbus-aware inspection point (ICS firewall or proxy) rather than port-based ACLs alone
- Inventory SMB1 on HMI and engineering hosts and disable it where operationally feasible; the SMB1 seen here is inbound attacker traffic, but any HMI that still accepts SMB1 is exactly the asset this reconnaissance is looking for
- Add 103.159.218.198 to blocklists and watchlists; extend blocking to AS141474 netblocks only after assessing collateral impact, and alert on the pattern itself (non-Modbus payload on 502) as well, since scanning sources rotate
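As an added example (not part of the original report), the following Python implements the protocol validation described in the technical details and in the first recommendation: it distinguishes an MBAP-framed Modbus request from an SMB1 Negotiate Protocol request arriving on 502/TCP and counts such mismatches per source. The sample payloads, the flow records and the 10.20.0.x hosts are constructed for illustration; the reported source IP is used as the offending address. The same byte-level check is what a Modbus-aware boundary filter or a detection rule should enforce on real traffic.

```python
"""Added example (not from the original report): classify TCP/502 payloads as
Modbus TCP (MBAP) or SMB1 Negotiate, then count protocol-confusion hits per source.
Sample payloads and flow records below are constructed for illustration."""
import struct
from collections import Counter

MODBUS_PORT = 502
SMB_COM_NEGOTIATE = 0x72          # SMB1 command code for Negotiate Protocol
SMB1_HEADER_LEN = 32              # fixed SMB1 header size after the NetBIOS session header


def looks_like_smb1_negotiate(payload: bytes) -> bool:
    """True if payload is a NetBIOS-session-framed SMB1 Negotiate Protocol request.

    Layout: 1-byte NetBIOS message type (0x00) + 3-byte big-endian length,
    then the SMB1 header starting with the magic b"\\xffSMB" and the command byte.
    Assumes the whole SMB message is in the payload (true for the constructed sample).
    """
    if len(payload) < 4 + SMB1_HEADER_LEN or payload[0] != 0x00:
        return False
    nb_len = int.from_bytes(payload[1:4], "big")
    smb = payload[4:]
    if nb_len != len(smb):
        return False
    return smb[:4] == b"\xffSMB" and smb[4] == SMB_COM_NEGOTIATE


def looks_like_mbap(payload: bytes) -> bool:
    """True if payload starts with a plausible Modbus TCP ADU.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2, bytes
    that follow = unit id + PDU, at most 254), unit id (1); then the PDU's
    function code (1). Request function codes are 1..127; 0x80+ marks exceptions.
    """
    if len(payload) < 8:
        return False
    _tid, proto_id, length, _unit_id, func = struct.unpack(">HHHBB", payload[:8])
    if proto_id != 0 or length != len(payload) - 6 or not 2 <= length <= 254:
        return False
    return 1 <= func <= 127


def classify_502_payload(payload: bytes) -> str:
    """Label a payload seen on 502/TCP. Order matters: check the SMB signature first."""
    if looks_like_smb1_negotiate(payload):
        return "smb1-negotiate-on-modbus-port"
    if looks_like_mbap(payload):
        return "modbus"
    return "unknown"


def detect_protocol_confusion(records, threshold: int) -> dict:
    """Count SMB1 Negotiate hits on port 502 per source IP and return the sources
    at or above threshold. Each record: {"src": str, "dport": int, "payload": bytes}."""
    counts = Counter(
        r["src"] for r in records
        if r["dport"] == MODBUS_PORT
        and classify_502_payload(r["payload"]) == "smb1-negotiate-on-modbus-port"
    )
    return {src: n for src, n in counts.items() if n >= threshold}


def build_smb1_negotiate(dialect: bytes = b"NT LM 0.12") -> bytes:
    """Constructed SMB1 Negotiate Protocol request (the kind of probe the report describes)."""
    header = (b"\xffSMB" + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4   # magic, command, NT status
              + b"\x18" + b"\x01\x28" + b"\x00" * 2                    # flags, flags2, pid high
              + b"\x00" * 8 + b"\x00" * 2                              # signature, reserved
              + b"\x00" * 8)                                           # tid, pid, uid, mid
    assert len(header) == SMB1_HEADER_LEN
    dialects = b"\x02" + dialect + b"\x00"                             # one dialect entry
    smb = header + b"\x00" + struct.pack("<H", len(dialects)) + dialects  # word count 0, byte count
    return b"\x00" + len(smb).to_bytes(3, "big") + smb                 # NetBIOS session header


# Constructed samples: one SMB1 probe, one legitimate Read Holding Registers request.
SAMPLE_SMB1_NEGOTIATE = build_smb1_negotiate()
SAMPLE_MODBUS_READ = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)  # tid 1, unit 1, FC 3, 10 regs from 0

# Constructed flow records mixing the reported source with benign OT traffic.
SAMPLE_RECORDS = (
    [{"src": "103.159.218.198", "dport": 502, "payload": SAMPLE_SMB1_NEGOTIATE}] * 5
    + [{"src": "10.20.0.15", "dport": 502, "payload": SAMPLE_MODBUS_READ}] * 3
    + [{"src": "10.20.0.99", "dport": 502, "payload": b"GET / HTTP/1.0\r\n\r\n"}]
)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS[:1] + SAMPLE_RECORDS[5:6] + SAMPLE_RECORDS[8:]:
        print(rec["src"], classify_502_payload(rec["payload"]))
    print(detect_protocol_confusion(SAMPLE_RECORDS, threshold=3))
```

The two checks that do the work are the MBAP protocol-id field (always zero for Modbus) and the length field agreeing with the bytes that follow; an SMB message fails both immediately, so a boundary filter can reject it before any Modbus parsing happens. The per-source threshold is deliberately low: a single SMB1 Negotiate on 502 is already anomalous, and the value of counting is to surface the persistence that the report records.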