160.119.76.24

Summary (Bottom Line Up Front)

Threat actor 160.119.76.24 conducted comprehensive reconnaissance against industrial control systems and enterprise services on April 24, 2026, targeting multiple ICS/SCADA protocols including Modbus, S7comm, DNP3, and EtherNet/IP alongside traditional IT services. Despite the broad protocol coverage suggesting sophisticated industrial targeting capabilities, this activity is assessed as LOW severity due to limited scope and reconnaissance-only behavior. Network defenders should monitor for escalation to active exploitation attempts against identified ICS assets.

Tags: BACnet, DNP3, EtherNet/IP (ENIP), HTTP, HTTPS/TLS (TLS 1.0 handshake), IEC-104, LDAP, Modbus, MQTT, Oracle/TNS, RDP, S7comm, TCP/SYN
Activity Timeline
INITIAL REPORT 2026-04-24T15:46:58Z
Source: Analyst Manual Entry
Technical details
The attacker conducted 342 reconnaissance events over a 3-hour window (09:00-12:00 UTC) from Netherlands-based infrastructure (AS7489 HostUS Solutions). Primary attack vectors included ICS protocol enumeration (Modbus device identification, EtherNet/IP ListIdentity requests, S7comm probes), enterprise service discovery (LDAP root DSE queries, Oracle TNS connection attempts), and IoT protocol reconnaissance (MQTT broker probing). Activity maps to MITRE ATT&CK technique T1087.002 (Account Discovery: Domain Account) within the Reconnaissance phase. Key IOC: 160.119.76.24 with AbuseIPDB reputation score 100/100, targeting standard service ports with Linux-based scanning infrastructure.
IOCs
IP: 160.119.76.24
ASN: 7489
COUNTRY: NL
Recommendations
  • Implement enhanced monitoring for ICS protocol anomalies, particularly unauthorized Modbus, DNP3, S7comm, and EtherNet/IP communications on operational technology networks
  • Review network segmentation between IT and OT environments to prevent lateral movement from compromised enterprise services to industrial control systems
  • Deploy protocol-aware detection rules for industrial network traffic to identify reconnaissance attempts against SCADA/HMI systems
  • Validate security configurations for MQTT brokers, Oracle databases, and LDAP services that may have been enumerated during this reconnaissance phase
  • Consider blocking traffic from AS7489 (HostUS Solutions) if not required for legitimate business operations, given the hosting provider's association with malicious scanning activity
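As an added example (not part of this report or of any vendor's tooling), a small Python detector for the pattern described in the Technical details section: one source touching several distinct ICS protocol ports within a short window. The port-to-protocol map relies on the protocols' well-known default ports (an assumption; adjust to the site's inventory), and the log lines are constructed.

```python
# Added example: flag any source that probes several distinct ICS/OT
# protocols within a short window. Port mapping uses the protocols'
# well-known default ports (assumption; tune to your environment).
from collections import defaultdict
from datetime import datetime, timedelta

ICS_PORTS = {
    502: "Modbus", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP",
    47808: "BACnet", 2404: "IEC-104", 1883: "MQTT",
}

# Constructed sample connection log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2026-04-24T09:00:12Z 160.119.76.24 10.10.5.20 502
2026-04-24T09:00:14Z 160.119.76.24 10.10.5.20 102
2026-04-24T09:00:15Z 160.119.76.24 10.10.5.21 20000
2026-04-24T09:00:17Z 160.119.76.24 10.10.5.21 44818
2026-04-24T09:00:20Z 160.119.76.24 10.10.7.3 389
2026-04-24T09:00:21Z 160.119.76.24 10.10.7.4 1521
2026-04-24T09:05:00Z 10.10.5.50 10.10.5.20 502
2026-04-24T09:05:30Z 10.10.5.50 10.10.5.20 502
"""

def parse(log):
    """Yield (timestamp, src, dst, port) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)

def ics_recon_sources(log, window=timedelta(minutes=10), min_protocols=3):
    """Return {src: sorted protocol names} for every source that reaches at
    least `min_protocols` distinct ICS protocols inside one `window`.
    Non-ICS ports (LDAP, Oracle TNS, ...) are ignored here on purpose."""
    events = defaultdict(list)
    for ts, src, _dst, port in parse(log):
        if port in ICS_PORTS:
            events[src].append((ts, ICS_PORTS[port]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological; sliding window starts at each event
        for i, (start, _) in enumerate(evs):
            seen = {name for ts, name in evs[i:] if ts - start <= window}
            if len(seen) >= min_protocols:
                alerts[src] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for src, protos in ics_recon_sources(SAMPLE_LOG).items():
        print(f"ALERT {src}: ICS protocol sweep across {', '.join(protos)}")
```

A plant host that repeatedly polls a single Modbus slave (the second source in the sample) stays below the threshold, which keeps routine HMI/PLC traffic out of the alert stream.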