Summary (Bottom Line Up Front)
A sophisticated threat actor operating from IP 109.105.209.17 (Zenlayer Inc/AS21859) conducted 75 targeted attacks against industrial control systems between March 10 and 12, 2026, using Siemens S7 communication protocols. The attacker demonstrates advanced capabilities, carries a maximum (100/100) AbuseIPDB maliciousness score, and appears to be conducting reconnaissance against or exploitation of SCADA/ICS environments. Immediate defensive measures are recommended for organizations operating industrial control systems.
Activity Timeline
UPDATE 1 (2026-03-15T09:04:30Z)
Source: Analyst Manual Entry
New findings
The threat actor leveraged multiple protocols, including S7comm, TLS 1.0, and HTTPS, to conduct ICS-focused attacks over a 3-day period. The primary attack vector was S7comm COTP (Connection-Oriented Transport Protocol) connection requests targeting industrial systems, with activity concentrated on 2 unique destination ports. The attack pattern aligns with MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1046 (Network Service Scanning) within ICS environments. Key IOC: 109.105.209.17, which has no reverse DNS resolution, suggesting operational security measures by the attacker.
Recommendations
- Block IP 109.105.209.17 at network perimeters and review logs for any successful connections from this source
- Implement enhanced monitoring for S7comm protocol traffic and unusual COTP connection requests on industrial networks
- Audit and restrict access to ICS/SCADA systems, ensuring proper network segmentation between IT and OT environments
- Review firewall rules for ports commonly used by industrial protocols (102, 502, 2404) and implement strict access controls
- Coordinate with industrial system vendors to ensure latest security patches are applied and conduct threat hunting for similar S7comm-based reconnaissance activity
INITIAL REPORT (2026-03-14T17:50:20Z)
Source: batch_hunting
The threat actor at IP 109.105.209.17 conducted 75 targeted attacks against industrial control systems using Siemens S7 communication protocols between March 10 and 12, 2026. Assessment indicates a CRITICAL threat level consistent with sophisticated state-sponsored activity. Immediate hardening of ICS/SCADA networks and enhanced monitoring of S7comm traffic are recommended.
Technical details
- Attack Vector: S7comm COTP connection requests targeting industrial control systems
- Protocols Observed: S7comm, TLS 1.0, HTTPS with custom TLS handshakes
- Attack Volume: 75 events over 54-hour period (March 10 09:00 - March 12 15:00 UTC)
- MITRE ATT&CK Mapping: T1190 (Exploit Public-Facing Application), T1046 (Network Service Scanning)
- Threat Indicators: AbuseIPDB score 100/100, no legitimate reverse DNS, targeting only 2 destination ports
- IOCs: 109.105.209.17 (US-based infrastructure, ASN unavailable)
IOCs
IP: 109.105.209.17
COUNTRY: US
Recommendations
- Immediately block IP 109.105.209.17 at network perimeter and review logs for any successful S7comm connections
- Implement network segmentation to isolate ICS/SCADA systems from corporate networks and internet-facing services
- Deploy enhanced monitoring for S7comm protocol anomalies and unauthorized COTP connection attempts
- Conduct emergency review of all Siemens PLC configurations and access controls within your industrial networks
- Coordinate with CISA/ICS-CERT for potential attribution and additional threat intelligence sharing
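Both sets of recommendations above call for monitoring of S7comm traffic and unauthorized COTP connection attempts. The following is an added example to make that concrete; it is not part of the original report and is not vendor tooling. It parses the TPKT (RFC 1006) plus COTP (ISO 8073) Connection Request TPDU that an S7comm client sends first on TCP/102, decodes the Siemens TSAP convention (rack and slot of the targeted CPU), and flags connection requests whose source is not on an allowlist of known engineering hosts. The flow records, the target addresses (192.0.2.x), and the allowlist entry (10.20.0.5) are constructed for the example; the only real indicator used is the report's IOC address.

```python
"""S7comm/COTP connection-request detector (added example, not from the report).

Parses TPKT + COTP CR TPDUs as used by Siemens S7 on TCP/102 and alerts on
connection requests from sources outside a hypothetical allowlist.
"""
from dataclasses import dataclass
from typing import Optional

TPKT_VERSION = 3      # RFC 1006 TPKT version byte
COTP_CR = 0xE0        # CR TPDU code (high nibble of the COTP type byte)
S7_PORT = 102         # ISO-TSAP, the port S7comm rides on
# Parameter codes in the CR variable part as used by Siemens S7 clients
PARAM_TPDU_SIZE, PARAM_SRC_TSAP, PARAM_DST_TSAP = 0xC0, 0xC1, 0xC2


@dataclass
class CotpConnectRequest:
    src_tsap: bytes
    dst_tsap: bytes
    tpdu_size: Optional[int]   # negotiated TPDU size in bytes, or None

    # Siemens convention: second TSAP byte packs rack (high 3 bits) and slot
    @property
    def rack(self) -> int:
        return self.dst_tsap[1] >> 5

    @property
    def slot(self) -> int:
        return self.dst_tsap[1] & 0x1F


def parse_cotp_cr(frame: bytes) -> Optional[CotpConnectRequest]:
    """Return CR details if `frame` is a well-formed TPKT+COTP CR, else None."""
    if len(frame) < 11 or frame[0] != TPKT_VERSION:
        return None
    if int.from_bytes(frame[2:4], "big") != len(frame):
        return None                      # TPKT length must cover the whole frame
    li, tpdu_type = frame[4], frame[5]
    if (tpdu_type & 0xF0) != COTP_CR or 5 + li != len(frame):
        return None                      # not a CR, or length indicator inconsistent
    # Fixed part after the type byte: DST-REF(2) SRC-REF(2) class/option(1)
    params, i = frame[11:], 0
    src_tsap = dst_tsap = b""
    tpdu_size = None
    while i + 2 <= len(params):          # TLV walk of the variable part
        code, plen = params[i], params[i + 1]
        value = params[i + 2:i + 2 + plen]
        if len(value) != plen:
            return None                  # truncated parameter
        if code == PARAM_SRC_TSAP:
            src_tsap = value
        elif code == PARAM_DST_TSAP:
            dst_tsap = value
        elif code == PARAM_TPDU_SIZE and plen == 1:
            tpdu_size = 1 << value[0]    # encoded as a power of two
        i += 2 + plen
    if len(dst_tsap) != 2:
        return None                      # S7 clients always name the target TSAP
    return CotpConnectRequest(src_tsap, dst_tsap, tpdu_size)


@dataclass
class FlowEvent:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    payload_hex: str        # first client-to-server payload segment


# Constructed S7 CRs: src TSAP 01 00 (PG), TPDU size 1024; dst TSAP selects the CPU
S7_CR_RACK0_SLOT2 = "0300001611e00000000100c1020100c2020102c0010a"
S7_CR_RACK1_SLOT1 = "0300001611e00000000100c1020100c2020221c0010a"
COTP_DATA_TPDU = "0300000702f080"          # DT TPDU, not a connection request

ALLOWED_S7_CLIENTS = {"10.20.0.5"}         # hypothetical engineering workstation

# Constructed flow records; only 109.105.209.17 is the report's real IOC
SAMPLE_EVENTS = [
    FlowEvent("2026-03-10T09:12:44Z", "109.105.209.17", "192.0.2.10", 102, S7_CR_RACK0_SLOT2),
    FlowEvent("2026-03-10T09:13:01Z", "10.20.0.5", "192.0.2.10", 102, S7_CR_RACK0_SLOT2),
    FlowEvent("2026-03-10T09:13:05Z", "109.105.209.17", "192.0.2.10", 102, COTP_DATA_TPDU),
    FlowEvent("2026-03-10T09:14:00Z", "109.105.209.17", "192.0.2.10", 443, "160301"),
    FlowEvent("2026-03-11T22:40:13Z", "109.105.209.17", "192.0.2.11", 102, S7_CR_RACK1_SLOT1),
]


def find_unexpected_s7_connects(events, allowlist=ALLOWED_S7_CLIENTS):
    """Alert on COTP CRs to TCP/102 whose source is not an allowed S7 client."""
    alerts = []
    for ev in events:
        if ev.dst_port != S7_PORT:
            continue
        cr = parse_cotp_cr(bytes.fromhex(ev.payload_hex))
        if cr is None or ev.src_ip in allowlist:
            continue
        alerts.append({
            "ts": ev.ts, "src_ip": ev.src_ip, "dst_ip": ev.dst_ip,
            "rack": cr.rack, "slot": cr.slot,
            "src_tsap": cr.src_tsap.hex(), "tpdu_size": cr.tpdu_size,
        })
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_s7_connects(SAMPLE_EVENTS):
        print(f"{a['ts']} S7 CR from {a['src_ip']} -> {a['dst_ip']} "
              f"rack {a['rack']} slot {a['slot']} (tpdu {a['tpdu_size']})")
```

Run against the constructed records, the two connection requests from the IOC address are reported with the rack and slot they aimed at, the allowlisted workstation's identical request is ignored, the data TPDU and the TLS flow on 443 never reach the alert path, and a truncated frame is rejected rather than half-parsed. In production the payload would come from a packet capture or an NSM sensor's first-segment extraction, and the allowlist would be the site's inventory of engineering hosts.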