Summary (Bottom Line Up Front)
A Netherlands-based IP address (160.119.76.49) conducted targeted reconnaissance against industrial control systems and IoT infrastructure on March 15, 2026, between 14:00-17:00 UTC. The activity included MQTT broker scanning and S7comm protocol probes, indicating potential targeting of critical infrastructure with medium threat severity. Immediate blocking and enhanced ICS monitoring are recommended.
Activity Timeline
UPDATE 2 2026-03-17T23:28:45Z
Source: Analyst Manual Entry
A Netherlands-based IP address (160.119.76.49) conducted targeted reconnaissance against industrial control systems and IoT infrastructure on March 15, 2026, between 14:00-17:00 UTC. The activity included MQTT broker scanning and S7comm protocol probes, indicating potential targeting of critical infrastructure with medium threat severity. Immediate blocking and enhanced ICS monitoring are recommended.
New findings
- Attack Vector: Multi-protocol reconnaissance targeting industrial systems
- Protocols Observed: S7comm, MQTT, RDP, SMTP, TCP SYN scanning
- MITRE Technique: T1046 (Network Service Scanning)
- Kill Chain Phase: Reconnaissance
- Volume: 53 events across 11 unique destination ports over 4-hour window
- Key IOCs: 160.119.76.49 (AS7489 HostUS Solutions LLC), S7comm COTP connection requests, MQTT port 1883 scanning
- Infrastructure: Linux-based system with SSH (port 22) exposed, no reverse DNS resolution
Recommendations
- Block IP address 160.119.76.49 at network perimeter and implement ASN-level monitoring for AS7489
- Deploy enhanced logging and alerting for S7comm and MQTT protocols on industrial network segments
- Conduct immediate audit of exposed ICS/SCADA systems and implement network segmentation if not already in place
- Enable behavioral monitoring for unusual industrial protocol traffic patterns and unauthorized MQTT broker access attempts
- Review and harden authentication mechanisms for all industrial control systems and IoT devices
UPDATE 1 2026-03-17T13:39:31Z
Source: Analyst Manual Entry
External threat actor 160.119.76.49 conducted targeted reconnaissance against industrial control systems using Siemens S7comm protocol communications on March 15, 2026. This HIGH confidence threat demonstrates sophisticated ICS/SCADA targeting capabilities with potential APT characteristics. Immediate review of ICS network segmentation and S7comm protocol monitoring is recommended.
New findings
- Source: 160.119.76.49 (AS7489 HostUS Solutions LLC, Netherlands)
- Activity Window: March 15, 2026, 14:00-17:00 UTC (53 events)
- Protocols Observed: S7comm, BACnet, EtherNet/IP, RDP, MQTT, SMTP
- Primary Attack Vector: S7comm COTP connection establishment attempts
- MITRE Technique: T0846 (Remote System Discovery)
- Kill Chain Phase: Reconnaissance
- Threat Indicators: AbuseIPDB score 100/100, APT candidate profile
- Target Scope: 13 unique destination ports across multiple ICS protocols
Recommendations
- Implement enhanced monitoring for S7comm, BACnet, and EtherNet/IP protocols on non-standard ports
- Review and strengthen network segmentation between IT and OT environments
- Deploy ICS-specific intrusion detection systems with protocol-aware inspection capabilities
- Conduct immediate audit of exposed industrial control system interfaces and services
- Block source IP 160.119.76.49 and monitor for related infrastructure pivoting attempts
INITIAL REPORT 2026-03-17T06:40:57Z
Source: Analyst Manual Entry
Threat actor operating from IP 160.119.76.49 (Netherlands/HostUS Solutions LLC) conducted targeted reconnaissance against industrial control systems using legitimate Siemens S7 protocol communications on March 15, 2026. This HIGH confidence threat demonstrates specific interest in ICS/SCADA environments and represents potential precursor activity to operational technology attacks. Immediate review of ICS network segmentation and monitoring capabilities is recommended.
Technical details
The threat actor generated 53 events over a 4-hour period (14:00-18:00 UTC) targeting multiple industrial protocols including S7comm, BACnet, EtherNet/IP, and MQTT across 13 unique destination ports. Primary attack pattern involved S7comm COTP connection establishment attempts, mapped to MITRE ATT&CK technique T0846 (Remote System Discovery). The source IP maintains a maximum AbuseIPDB reputation score (100/100) and operates from ASN AS7489 with no legitimate reverse DNS resolution. Attack classification centers on ICS_ATTACK methodology with medium-severity S7comm COTP connection requests as the predominant vector.
IOCs
IP: 160.119.76.49
ASN: 7489
COUNTRY: NL
Recommendations
- Implement immediate blocking of IP 160.119.76.49 and monitor for additional reconnaissance from ASN AS7489 (HostUS Solutions LLC)
- Review and strengthen network segmentation between IT and OT environments, ensuring industrial protocols are not accessible from external networks
- Deploy enhanced monitoring for S7comm, BACnet, EtherNet/IP, and MQTT protocol anomalies, particularly connection attempts on non-standard ports
- Conduct security assessment of all Siemens S7-compatible devices and verify latest firmware/security patches are applied
- Establish baseline traffic patterns for industrial protocols to improve detection of future reconnaissance activities