13.89.125.30

Summary (Bottom Line Up Front)

Malicious actor at IP 13.89.125.30 conducted targeted reconnaissance against industrial control systems using Modbus protocol attacks on March 5, 2026. The activity demonstrates medium-severity threat behavior focused on device identification and potential system mapping of critical infrastructure. Immediate defensive measures recommended for organizations operating ICS/SCADA environments.

Modbus TCP TCP/SYN modbus

ICS_ATTACK

Activity Timeline

INITIAL REPORT2026-03-17T23:24:41Z

Source: Analyst Manual Entry

Technical details

Attack Vector: Modbus protocol exploitation targeting port 502/TCP

Volume: 21 attack events over 2-hour window (06:00-08:00 UTC)

Techniques Observed:

Modbus broadcast attacks for network discovery
Function Code 43 (0x2B) Read Device Identification requests
Unit identifier 0 targeting (broadcast/gateway devices)

MITRE ATT&CK Mappings:

T0846: Remote System Discovery
T0842: Network Service Scanning

Indicators of Compromise:

Source IP: 13.89.125.30 (US-based, AbuseIPDB score 100/100)
Target Protocol: Modbus (502/TCP)
Payload Pattern: FC=0x2B Read Device ID requests

IOCs

IP:13.89.125.30

COUNTRY:US

Recommendations

Implement network segmentation to isolate ICS/SCADA networks from corporate networks and internet access
Deploy protocol-aware firewalls with Modbus inspection capabilities to filter unauthorized function codes
Enable comprehensive logging for all Modbus communications and establish baseline traffic patterns
Block traffic from 13.89.125.30 at network perimeter and review logs for similar reconnaissance patterns
Conduct immediate asset inventory of Modbus-enabled devices and verify proper authentication configurations

medium ICS_ATTACK modbus:502

T0846 Read Device ID FC=0x2B unit=0