109.95.35.214

Summary (Bottom Line Up Front)

External threat actor at 109.95.35.214 (Ukraine/AS31725) conducted sustained SMB reconnaissance against network infrastructure over 10 days, generating 252 security events targeting SMB services. Assessed as MEDIUM threat level at 85% confidence: the legacy SMB1 negotiation attempts indicate vulnerability scanning or attempted exploitation rather than legitimate client traffic. Immediate action required: block external SMB access and audit network exposure.

Tags: SMB, TCP, TCP/SYN, auto, smb
Activity Timeline
INITIAL REPORT 2026-03-23T07:10:51Z
Source: Analyst Manual Entry
Technical details
The source used SMB exclusively across all 252 events, from 2026-02-28 13:00 to 2026-03-10 16:00. The most significant detections were SMB1 protocol negotiation attempts (30 instances) and legacy SMB1 usage patterns (18 instances), consistent with MITRE ATT&CK T1046 (Network Service Discovery, formerly named Network Service Scanning). The activity originated from Shtorm LTD (AS31725) address space in Ukraine. AbuseIPDB currently holds no reports for the address; that absence does not lower the assessment, because unsolicited SMB negotiation from an internet source has no legitimate purpose, and SMB1-only dialect offers are characteristic of scanning tools and legacy systems rather than current clients. The events targeted 2 unique destination ports, predominantly TCP/445, and the sustained engagement across the full period points to automated scanning or targeted reconnaissance rather than a one-off probe.
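The "SMB1 protocol negotiation attempts" counted above are visible in the very first bytes a client sends on TCP/445. The following Python is an added example, not part of this report or of the tooling that produced it: it decodes the dialect list of an SMB1 NEGOTIATE request and labels the client as SMB2-native (the SMB2 magic appears directly), a current client that advertises the SMB2 upgrade dialects inside an SMB1 negotiate, or SMB1-only, which is what legacy hosts and SMB1-only scanning tools produce. The sample messages are constructed inline with a small builder, nothing touches the network, and the returned labels are this example's own names.

```python
"""
Added example: classify an SMB client's first message on TCP/445 by the
dialects it offers. Samples are constructed inline; no network access.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32        # fixed SMB1 header, including the 4-byte magic
NBSS_HEADER_LEN = 4         # NetBIOS Session Service: type byte + 24-bit length
# Dialect strings a current client adds to an SMB1 negotiate to offer an SMB2 upgrade
SMB2_UPGRADE_DIALECTS = {"SMB 2.002", "SMB 2.???"}


def build_smb1_negotiate(dialects):
    """Build an NBSS-framed SMB_COM_NEGOTIATE request offering `dialects`.
    Used only to construct sample input for this example."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status
        0x18,               # Flags: canonical pathnames, case-insensitive
        0xC853,             # Flags2: unicode, NT status, extended security (typical client value)
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0,                  # Reserved
        0xFFFF,             # TID
        0xFEFF,             # PIDLow
        0,                  # UID
        0,                  # MID
    )
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(body)) + body  # WordCount=0, ByteCount
    return struct.pack(">I", len(smb)) + smb                 # NBSS: type 0x00 + length


def parse_smb1_dialects(data):
    """Return the dialect strings of an SMB1 NEGOTIATE request, or None if
    `data` (NBSS header included) is not one."""
    smb = data[NBSS_HEADER_LEN:]
    if len(smb) < SMB1_HEADER_LEN + 3 or smb[:4] != SMB1_MAGIC:
        return None
    if smb[4] != SMB_COM_NEGOTIATE:
        return None
    word_count = smb[SMB1_HEADER_LEN]
    params_end = SMB1_HEADER_LEN + 1 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", smb, params_end)
    body = smb[params_end + 2 : params_end + 2 + byte_count]
    # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string
    return [entry[1:].decode("ascii", "replace")
            for entry in body.split(b"\x00") if entry.startswith(b"\x02")]


def classify_first_message(data):
    """Label a client's first TCP/445 message (labels are this example's own):
    'smb2-native', 'smb1-negotiate-with-smb2', 'smb1-only' or 'not-smb-negotiate'."""
    if data[NBSS_HEADER_LEN:NBSS_HEADER_LEN + 4] == SMB2_MAGIC:
        return "smb2-native"
    dialects = parse_smb1_dialects(data)
    if dialects is None:
        return "not-smb-negotiate"
    if any(d in SMB2_UPGRADE_DIALECTS for d in dialects):
        return "smb1-negotiate-with-smb2"
    return "smb1-only"


# Constructed samples: a legacy/scanner-style SMB1-only negotiate, a current
# client's first negotiate (SMB1 framing with SMB2 upgrade dialects), and a
# native SMB2 negotiate (header only; the body is irrelevant for the check).
SAMPLE_SMB1_ONLY = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
SAMPLE_MODERN_CLIENT = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
SAMPLE_SMB2_NATIVE = struct.pack(">I", 64) + SMB2_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    for name, msg in [("scanner", SAMPLE_SMB1_ONLY), ("client", SAMPLE_MODERN_CLIENT),
                      ("smb2", SAMPLE_SMB2_NATIVE)]:
        print(name, classify_first_message(msg), parse_smb1_dialects(msg))
```

The distinction the labels draw is the one the detections above rely on: a current Windows client either opens with the SMB2 magic or, if SMB1 is still enabled client-side, offers "SMB 2.002"/"SMB 2.???" inside its SMB1 negotiate so the server can upgrade. An internet source that offers only SMB1 dialects is therefore either a legacy system or a tool speaking SMB1 on purpose, and the "smb1-only" label is the one worth alerting on at the perimeter.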
IOCs
IP:109.95.35.214
ASN:31725
COUNTRY:UA
Recommendations
  • Block inbound SMB traffic (TCP/445, TCP/139) from external networks at perimeter firewalls immediately
  • Audit the perimeter for systems reachable on TCP/445 or TCP/139 from the internet and remediate them; the 2 destination ports hit by this source are the first candidates
  • Disable SMB1 across all Windows systems and require SMB signing; confirm with the Get-SmbServerConfiguration cmdlet that EnableSMB1Protocol is false and RequireSecuritySignature is true on each host
  • Implement network segmentation to isolate file sharing services from internet-facing infrastructure
  • Monitor the internal hosts that received this traffic for lateral-movement indicators (new SMB sessions initiated by those hosts, administrative share access) using endpoint detection and network telemetry
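The last recommendation can be written as a correlation rule rather than left to manual review. The following Python is an added example, not code from this report or from any product it references: it reads Zeek conn.log-style records (constructed here as JSON strings), summarises external SMB reconnaissance per source, records which internal hosts were touched, and flags any of those hosts that later initiate SMB to other internal systems. The 72-hour follow-up window and the allowlist of legitimate file servers are assumed values to be tuned per environment.

```python
"""
Added example: correlate external SMB reconnaissance with follow-on SMB
activity from the internal hosts it touched. Input is Zeek conn.log-style
records as JSON lines (constructed below). Window and allowlist are assumed.
"""
import ipaddress
import json
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
FOLLOW_UP_WINDOW = timedelta(hours=72)   # assumed
KNOWN_FILE_SERVERS = {"10.0.0.5"}        # assumed allowlist of legitimate SMB destinations


def is_external(ip):
    """True for public addresses; private, loopback and link-local count as internal."""
    return ipaddress.ip_address(ip).is_global


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_events(lines):
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: parse_ts(e["ts"]))
    return events


def recon_summary(lines):
    """Per external source: SMB event count, distinct ports, first and last seen."""
    summary = {}
    for e in load_events(lines):
        src, dst, port = e["id.orig_h"], e["id.resp_h"], e["id.resp_p"]
        if port not in SMB_PORTS or not is_external(src) or is_external(dst):
            continue
        s = summary.setdefault(src, {"events": 0, "ports": set(), "first": e["ts"], "last": e["ts"]})
        s["events"] += 1
        s["ports"].add(port)
        s["last"] = e["ts"]
    return summary


def correlate(lines):
    """Return (targets, alerts). targets maps internal host -> (external source,
    time of last recon hit). alerts lists SMB connections those hosts initiate to
    other internal hosts inside FOLLOW_UP_WINDOW, excluding allowlisted servers."""
    targets, alerts = {}, []
    for e in load_events(lines):
        src, dst, port, ts = e["id.orig_h"], e["id.resp_h"], e["id.resp_p"], parse_ts(e["ts"])
        if port not in SMB_PORTS:
            continue
        if is_external(src) and not is_external(dst):
            targets[dst] = (src, ts)          # external -> internal: reconnaissance hit
        elif src in targets and not is_external(dst) and dst not in KNOWN_FILE_SERVERS:
            recon_src, recon_ts = targets[src]
            if ts - recon_ts <= FOLLOW_UP_WINDOW:
                alerts.append({"host": src, "to": dst, "port": port, "ts": e["ts"],
                               "recon_src": recon_src, "recon_ts": recon_ts.isoformat()})
    return targets, alerts


# Constructed sample log: one external scan of 10.0.0.7 on both SMB ports, then
# three internal SMB connections from that host and one from an untouched host.
SAMPLE_CONN_LOG = [
    '{"ts":"2026-03-01T09:12:04Z","id.orig_h":"109.95.35.214","id.resp_h":"10.0.0.7","id.resp_p":445,"proto":"tcp"}',
    '{"ts":"2026-03-01T09:12:05Z","id.orig_h":"109.95.35.214","id.resp_h":"10.0.0.7","id.resp_p":139,"proto":"tcp"}',
    '{"ts":"2026-03-01T10:40:00Z","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.5","id.resp_p":445,"proto":"tcp"}',   # allowlisted file server
    '{"ts":"2026-03-02T03:15:30Z","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.22","id.resp_p":445,"proto":"tcp"}',  # inside window: alert
    '{"ts":"2026-03-02T03:16:00Z","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.22","id.resp_p":445,"proto":"tcp"}',  # host never targeted
    '{"ts":"2026-03-09T12:00:00Z","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.30","id.resp_p":445,"proto":"tcp"}',  # outside window
]

if __name__ == "__main__":
    print(recon_summary(SAMPLE_CONN_LOG))
    _, found = correlate(SAMPLE_CONN_LOG)
    for alert in found:
        print("ALERT", alert)
```

Two design points matter in production. The rule keys on the destination of the recon hit, so a host that was merely scanned but never compromised will still raise an alert if it legitimately reaches a server not on the allowlist; the allowlist should therefore be built from a baseline of observed workstation-to-server SMB before the rule goes live. And ipaddress.is_global treats carrier-grade NAT and other reserved ranges as non-global, so if the environment uses public address space internally the is_external check has to be replaced with an explicit list of internal prefixes.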