109.105.209.32

Summary (Bottom Line Up Front)

External IP 109.105.209.32 conducted sustained reconnaissance against industrial control systems over a 25-day period from March 14-April 8, 2026, targeting MODBUS protocols and other ICS infrastructure. This represents a MEDIUM threat with 85% confidence, indicating potential preparation for operational technology (OT) network compromise. Organizations operating ICS/SCADA environments should immediately review network segmentation and disable unnecessary industrial protocol exposure.

Observed protocol tags: HTTP, MODBUS, Modbus TCP, TCP/SYN, TLS/1.0, http, https, https_tls_handshake
Activity Timeline
INITIAL REPORT 2026-04-08T19:18:06Z
Source: Analyst Manual Entry
Initial report text: identical to the Summary above.
Technical details
Attack Profile: 72 events observed targeting industrial protocols, including MODBUS reconnaissance and ICS-specific attack patterns (FC_90). The primary technique is identified as T1046 (Network Service Scanning) in the reconnaissance phase of the kill chain. Traffic was observed across HTTP, HTTPS, TLS 1.0, TCP, and MODBUS, targeting 4 unique destination ports. Attack patterns include 15 instances classified as ICS_ATTACK/FC_90 and 3 instances of MODBUS device identification queries. IOCs: 109.105.209.32 (source IP); activity timeframe March 14, 2026 16:00 to April 8, 2026 07:00 UTC.
IOCs
IP: 109.105.209.32
Recommendations
  • Implement network segmentation to isolate OT/ICS networks from internet-facing infrastructure and restrict MODBUS protocol access to authorized systems only
  • Deploy industrial protocol-aware monitoring solutions to detect unauthorized MODBUS queries and function code anomalies in operational technology environments
  • Conduct immediate inventory of internet-exposed industrial control systems and disable unnecessary remote access services on critical infrastructure
  • Review firewall rules to block traffic from 109.105.209.32 and monitor for similar reconnaissance patterns targeting industrial protocols
  • Establish baseline behavioral profiles for legitimate MODBUS communications to improve detection of unauthorized industrial network reconnaissance
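The second and fifth recommendations (protocol-aware monitoring for unauthorized MODBUS queries and function code anomalies, and a baseline of legitimate MODBUS traffic) can be sketched as a small detection routine. The following is an added example, not code from the report or from any monitoring product it may refer to. It parses the Modbus/TCP MBAP header and function code of each frame, then alerts when the source is outside an assumed allow-list or the function code falls outside an assumed site baseline. The allow-list, the baseline set and the sample frames are all constructed for illustration; the report's "FC_90" is treated here simply as the vendor-specific function code 90 (0x5A), and "device identification queries" as the standard FC 43 / MEI type 14 request.

```python
"""Flag anomalous Modbus/TCP requests in captured frames (added example; sample data is constructed)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Function codes an assumed site baseline permits from engineering hosts (assumption, not from the report).
BASELINE_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16}
# Internal hosts assumed to be allowed to speak Modbus to PLCs (constructed example addresses).
ALLOWED_SOURCES = {"10.10.5.20", "10.10.5.21"}

READ_DEVICE_IDENTIFICATION_FC = 43   # standard FC 0x2B; MEI type 0x0E = Read Device Identification
FC_90 = 90                           # vendor-specific FC 0x5A, the code the report labels ICS_ATTACK/FC_90


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    mei_type: Optional[int]


def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header (tid, pid, length, unit) followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"not Modbus (protocol id {protocol_id})")
    # The MBAP length counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = payload[7]
    mei_type = payload[8] if function_code == READ_DEVICE_IDENTIFICATION_FC and len(payload) > 8 else None
    return ModbusRequest(src, transaction_id, protocol_id, length, unit_id, function_code, mei_type)


def classify(req: ModbusRequest) -> List[str]:
    """Return alert reasons for a parsed request; an empty list means the request matches the baseline."""
    reasons = []
    if req.src not in ALLOWED_SOURCES:
        reasons.append("source not in Modbus allow-list")
    if req.function_code == READ_DEVICE_IDENTIFICATION_FC and req.mei_type == 0x0E:
        reasons.append("device identification query (FC 43 / MEI 14)")
    elif req.function_code == FC_90:
        reasons.append("vendor-specific FC 90")
    elif req.function_code not in BASELINE_FUNCTION_CODES:
        reasons.append(f"function code {req.function_code} outside baseline")
    return reasons


def scan_frames(frames: List[Tuple[str, bytes]]):
    """Classify (src, payload) pairs; return (alerts, unparseable_count)."""
    alerts, errors = [], 0
    for src, payload in frames:
        try:
            req = parse_modbus_tcp(src, payload)
        except ValueError:
            errors += 1          # malformed or non-Modbus data on the Modbus port is counted, not alerted on
            continue
        reasons = classify(req)
        if reasons:
            alerts.append((src, req.function_code, reasons))
    return alerts, errors


# Constructed sample frames (MBAP header + PDU); illustrative only, not captures of the reported activity.
SAMPLE_FRAMES = [
    # Benign: allowed host reads 10 holding registers from address 0 (FC 3).
    ("10.10.5.20", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # External host sends Read Device Identification (FC 43, MEI 14, basic category, object 0).
    ("109.105.209.32", bytes.fromhex("0002 0000 0005 01 2b 0e 01 00")),
    # External host sends a vendor-specific FC 90 request with a 2-byte body.
    ("109.105.209.32", bytes.fromhex("0003 0000 0004 01 5a 0000")),
    # Non-Modbus bytes on the Modbus port (protocol id != 0): a parse error, not an alert.
    ("10.10.5.99", bytes.fromhex("0004 0001 0002 01 03")),
]

if __name__ == "__main__":
    found, bad = scan_frames(SAMPLE_FRAMES)
    for src, fc, reasons in found:
        print(f"ALERT {src} fc={fc}: {'; '.join(reasons)}")
    print(f"{len(found)} alerts, {bad} unparseable frames")
```

In production the frames would come from a span port or packet broker feed rather than a list, and the allow-list and baseline would be derived from the observed legitimate traffic the fifth recommendation asks you to profile; the point of the length check is that a monitor which trusts the MBAP length field without validating it against the frame will misparse crafted or truncated input.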