152.32.148.140

Summary (Bottom Line Up Front)

A US-based threat actor (152.32.148.140) conducted targeted attacks against industrial control systems and IoT infrastructure on March 10, 2026, employing Modbus protocol exploitation and MQTT reconnaissance techniques. The attacker demonstrates sophisticated knowledge of operational technology environments with a concentrated 3-minute attack window generating 84 malicious events. Immediate ICS/SCADA network segmentation and monitoring enhancement is recommended.

Activity Timeline
INITIAL REPORT 2026-03-17T23:10:33Z
Source: Analyst Manual Entry
Technical details
Attack Profile: Highly focused campaign targeting industrial protocols including Modbus (Function Code 0x03 - Read Holding Registers) and MQTT connectivity probes. The attacker employed multiple protocols (HTTP, Java-RMI, Redis, TCP, TLS/1.2+) suggesting broad reconnaissance capabilities. Attack volume of 84 events within a 3-minute window (17:00-17:00 hours, March 10, 2026) indicates automated tooling with precision targeting.
Key Techniques: T0846 (Remote System Discovery) via Modbus broadcast attacks and holding register enumeration targeting unit ID 16. MQTT connection attempts suggest IoT device reconnaissance. Scanner activity with bot user-agent strings indicates broader network mapping efforts.
IOCs: Source IP 152.32.148.140 (ASN: none, AbuseIPDB score 100/100), targeting port 9001 across all attack vectors.
IOCs
IP: 152.32.148.140
COUNTRY: US
Recommendations
  • Implement immediate network segmentation between IT and OT environments, blocking unauthorized access to Modbus (502) and MQTT (1883/8883) ports from external networks
  • Deploy industrial protocol-aware monitoring solutions to detect anomalous Modbus function code usage and unauthorized MQTT connection attempts
  • Conduct emergency audit of all internet-facing industrial control system interfaces and remove or properly secure any exposed HMI/SCADA systems
  • Enable enhanced logging for all industrial protocol communications and establish baseline behavioral profiles for legitimate OT traffic
  • Coordinate with industrial control system vendors to validate current firmware versions and apply available security patches for Modbus and MQTT implementations
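The second recommendation above (protocol-aware monitoring for anomalous Modbus function code usage) can be prototyped with a small amount of code. The block below is an added example written for this report, not tooling from the analyst or any vendor: it parses Modbus/TCP request frames (7-byte MBAP header plus PDU), then flags requests that come from outside an assumed engineering LAN, requests to unit IDs not in an assumed site baseline, and bursts of requests from one source within a 3-minute window. The unit IDs, the allowed client subnet, and the sample events are constructed assumptions; the reported source IP, unit ID 16 and function code 0x03 are taken from the report.

```python
import ipaddress
import struct
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Public Modbus function codes; 0x03 (Read Holding Registers) is the one seen in the report.
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}

# Site baseline (assumption, not from the report): real PLC unit IDs and the engineering LAN.
EXPECTED_UNIT_IDS = {1, 2, 3}
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.0.0/24")]


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int] = None
    quantity: Optional[int] = None


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: MBAP header (tid, proto, length, unit) + PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length counts every byte after the length field itself.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[7]
    req = ModbusRequest(tid, unit, fc)
    if fc in (0x01, 0x02, 0x03, 0x04) and len(payload) >= 12:
        req.start_address, req.quantity = struct.unpack(">HH", payload[8:12])
    return req


def build_read_request(tid: int, unit: int, fc: int, start: int, qty: int) -> bytes:
    """Build a well-formed read request (used here only to construct sample traffic)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, start, qty)


@dataclass
class Event:
    ts: datetime
    src: str
    payload: bytes


def analyse(events: List[Event], burst_threshold: int = 20,
            window: timedelta = timedelta(minutes=3)) -> List[Tuple[str, str, str]]:
    """Return (source, alert_kind, detail) tuples for suspicious Modbus traffic."""
    alerts = []
    recent = defaultdict(deque)   # per-source timestamps inside the sliding window
    bursted = set()               # sources already reported for a burst
    for ev in sorted(events, key=lambda e: e.ts):
        src = ipaddress.ip_address(ev.src)
        try:
            req = parse_modbus_tcp(ev.payload)
        except ValueError as exc:
            alerts.append((ev.src, "malformed", str(exc)))
            continue
        name = FUNCTION_NAMES.get(req.function_code, f"fc 0x{req.function_code:02x}")
        if not any(src in net for net in ALLOWED_CLIENTS):
            alerts.append((ev.src, "external_client", f"{name} from outside the engineering LAN"))
        if req.unit_id not in EXPECTED_UNIT_IDS:
            alerts.append((ev.src, "unexpected_unit", f"{name} to unit id {req.unit_id}"))
        q = recent[ev.src]
        q.append(ev.ts)
        while ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= burst_threshold and ev.src not in bursted:
            bursted.add(ev.src)
            alerts.append((ev.src, "burst", f"{len(q)} Modbus requests within {window}"))
    return alerts


def summarize(alerts: List[Tuple[str, str, str]]) -> dict:
    counts = defaultdict(int)
    for _, kind, _ in alerts:
        counts[kind] += 1
    return dict(counts)


# Constructed sample traffic: three legitimate polls from an engineering host to unit 1,
# then 25 holding-register reads of unit 16 from the reported IP over two minutes,
# plus one frame whose MBAP length field lies about the frame size.
T0 = datetime(2026, 3, 10, 17, 0, 0)
SAMPLE_EVENTS = [Event(T0 + timedelta(seconds=30 * i), "10.20.0.5",
                       build_read_request(i, 1, 0x03, 0, 10)) for i in range(3)]
SAMPLE_EVENTS += [Event(T0 + timedelta(seconds=5 * i), "152.32.148.140",
                        build_read_request(100 + i, 16, 0x03, 0, 125)) for i in range(25)]
SAMPLE_EVENTS.append(Event(T0 + timedelta(seconds=90), "152.32.148.140",
                           b"\x00\x01\x00\x00\x00\x99\x10\x03"))

if __name__ == "__main__":
    for src, kind, detail in analyse(SAMPLE_EVENTS):
        print(f"{src:16} {kind:16} {detail}")
    print(summarize(analyse(SAMPLE_EVENTS)))
```

The three polls from the allowed host produce no alerts, while the external source trips the client, unit-ID and burst rules; the burst rule fires once per source so a scan does not flood the alert queue. In production the allowlist and unit-ID baseline would come from the behavioural profile the fourth recommendation asks for, and the frames would be read from a span port or a Modbus-aware sensor rather than constructed in code.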