162.142.125.121

Summary (Bottom Line Up Front)

Threat actor at IP 162.142.125.121 conducted targeted reconnaissance against industrial control systems between March 6-10, 2026, using specialized ICS protocols including S7comm and Modbus to enumerate device information. This HIGH-severity activity represents active intelligence gathering against critical infrastructure with potential for follow-on attacks. Immediate ICS network monitoring and segmentation review is recommended.

Tags: HTTP, S7comm, TCP, TCP/SYN, auto, oracle
Activity Timeline
UPDATE 1 (2026-03-15T09:46:51Z)
Source: Analyst Manual Entry
New findings
Actor leveraged multiple ICS-specific protocols (S7comm, Modbus TCP, Oracle) across 39 attack events targeting 2 unique destination ports. Primary techniques included Modbus TCP Function Code 43 (Read Device Identification) with broadcast Unit ID to enumerate all network devices, S7comm COTP connection requests, and broadcast-based device discovery. Activity maps to MITRE ICS technique T0846 (Remote System Discovery) within the Reconnaissance kill chain phase. Key attack patterns identified: S7comm COTP connection requests (2 events), Modbus broadcast attacks (1 event), and Modbus FC43 device identification queries (1 event). Source IP shows no prior abuse history or VPN usage, suggesting dedicated infrastructure.
Recommendations
  • Implement enhanced monitoring for ICS protocols (S7comm, Modbus TCP) focusing on broadcast traffic and device enumeration attempts
  • Review network segmentation between IT/OT environments and restrict unnecessary cross-network communication
  • Block IP 162.142.125.121 at perimeter firewalls and add to threat intelligence feeds
  • Audit ICS device configurations to disable unnecessary identification services and limit broadcast responses
  • Conduct immediate assessment of critical infrastructure assets for signs of unauthorized access or configuration changes
INITIAL REPORT (2026-03-14T13:04:40Z)
Source: Analyst Manual Entry
High-severity industrial control system reconnaissance activity observed from 162.142.125.121 between March 6-10, 2026. Actor conducted targeted enumeration of ICS infrastructure using Siemens S7 communication protocols and Modbus TCP broadcast attacks to identify connected industrial devices. Assessment indicates sophisticated threat actor with specific interest in critical infrastructure targeting.
Technical details
Actor utilized multiple industrial control system protocols including S7comm (Siemens Step 7 communication) and Modbus TCP for reconnaissance activities. Observed attack patterns included S7 COTP (Connection Oriented Transport Protocol) connection requests targeting Siemens PLCs, Modbus Function Code 43 (Read Device Identification) requests for device enumeration, and broadcast-based Modbus attacks using Unit ID 0xFF to query all devices on target networks simultaneously. Activity maps to MITRE ATT&CK technique T0846 (Remote System Discovery) within the ICS framework. Traffic analysis revealed targeting of 2 unique destination ports over HTTP, TCP, and specialized industrial protocols. No CVE exploitation attempts were observed; activity focused purely on reconnaissance and device identification.
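Detection logic for the two patterns described above, added here as an illustrative example that is not part of the original report: it parses Modbus TCP frames for FC43 / MEI type 14 (Read Device Identification) and TPKT/COTP frames for Connection Request PDUs. The sample frames and the source label are constructed; the broadcast rule flags unit ID 0x00 (the Modbus broadcast address) as well as the 0xFF TCP unit identifier the report describes.

```python
"""Detector for the ICS reconnaissance patterns described in this report:
Modbus TCP FC43 / MEI 14 (Read Device Identification) queries, with attention
to broadcast unit identifiers, and S7comm COTP Connection Request PDUs on 102/tcp.
All frames below are constructed for illustration, not captured traffic."""
import struct
from typing import Optional

MODBUS_PORT, S7_PORT = 502, 102
# 0x00 is the Modbus broadcast address; 0xFF is the "no specific unit" value
# used on Modbus TCP, which this report treats as a broadcast probe. Flag both.
BROADCAST_UNITS = {0x00, 0xFF}


def classify(dst_port: int, payload: bytes) -> Optional[str]:
    """Label one TCP payload, or return None when it matches neither pattern."""
    if dst_port == MODBUS_PORT and len(payload) >= 8:
        # MBAP header: transaction id, protocol id (0 = Modbus), length, unit id
        _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
        if proto != 0 or length != len(payload) - 6:
            return None  # not well-formed Modbus TCP
        fc = payload[7]
        if fc == 0x2B and len(payload) >= 9 and payload[8] == 0x0E:
            scope = "broadcast" if unit in BROADCAST_UNITS else f"unit {unit}"
            return f"modbus_fc43_read_device_id ({scope})"
        return None
    if dst_port == S7_PORT and len(payload) >= 6:
        # TPKT: version 3, reserved, 16-bit total length; COTP: length, PDU type
        tpkt_len = struct.unpack(">H", payload[2:4])[0]
        if payload[0] == 0x03 and tpkt_len == len(payload) and payload[5] == 0xE0:
            return "s7_cotp_connection_request"
    return None


def scan(events):
    """Run classify() over (src, dst_port, payload) tuples; return findings."""
    return [(src, label) for src, port, data in events
            if (label := classify(port, data)) is not None]


# Constructed sample traffic attributed to the reported source address.
SRC = "162.142.125.121"
SAMPLE_EVENTS = [
    # FC43/14 Read Device Identification, unit id 0xFF, basic objects from id 0
    (SRC, 502, bytes.fromhex("000100000005FF2B0E0100")),
    # Ordinary FC3 Read Holding Registers to unit 1: must not be flagged
    (SRC, 502, bytes.fromhex("00020000000601030000000A")),
    # TPKT + COTP CR carrying source/destination TSAP and TPDU size parameters
    (SRC, 102, bytes.fromhex("0300001611E00000000100C1020100C2020102C0010A")),
    # Plain HTTP probe on 80/tcp: outside both detectors
    (SRC, 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for src, finding in scan(SAMPLE_EVENTS):
        print(src, finding)
```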
IOCs
IP: 162.142.125.121