150.107.38.251

Summary (Bottom Line Up Front)

Threat actor operating from IP 150.107.38.251 conducted targeted reconnaissance against industrial control systems using BACnet protocol exploitation on March 13, 2026. This represents a HIGH severity threat given the focus on critical infrastructure and the actor's 100/100 AbuseIPDB reputation score. Immediate defensive measures should be implemented to protect ICS/SCADA environments.

Tags: BACnet, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, auto
Activity Timeline
INITIAL REPORT 2026-03-14T17:43:16Z
Source: batch_hunting
Technical details
  • Source: 150.107.38.251 (AS135377 UCLOUD INFORMATION TECHNOLOGY, Los Angeles)
  • Activity Window: March 13, 2026, 17:00-18:00 UTC (4-hour campaign)
  • Attack Vector: BACnet read property requests targeting industrial control systems
  • Protocols Observed: BACnet, TCP, TLS 1.0/1.2+
  • Volume: 61 events across a single destination port
  • MITRE ATT&CK: T1046 (Network Service Scanning), T1082 (System Information Discovery)
  • IOCs: 150.107.38.251, Ubuntu-based attack platform, SSH service (port 22) exposed
  • Threat Classification: ICS_ATTACK with medium confidence BACnet exploitation
IOCs
IP:150.107.38.251
ASN:135377
COUNTRY:US
Recommendations
  • Implement network segmentation to isolate BACnet-enabled devices from internet-facing infrastructure
  • Deploy protocol-aware monitoring for abnormal BACnet read property requests and unauthorized device enumeration
  • Block traffic from AS135377 (UCLOUD INFORMATION TECHNOLOGY) at perimeter firewalls pending further analysis
  • Conduct immediate audit of all Building Automation and Control Network (BACnet) device configurations and access controls
  • Enable enhanced logging for all ICS/SCADA communications and establish baseline traffic patterns for anomaly detection