Summary (Bottom Line Up Front)
Critical industrial control system (ICS) reconnaissance activity was detected from IP 167.94.138.194 on March 10, 2026 at 18:00 UTC, targeting the Modbus and S7comm protocols with broadcast enumeration techniques. This represents HIGH-severity threat activity consistent with advanced persistent threat (APT) reconnaissance operations against industrial infrastructure. Immediate defensive measures are recommended for organizations operating ICS/SCADA environments.
Activity Timeline
INITIAL REPORT 2026-03-21T11:56:45Z
Source: Analyst Manual Entry
Technical details
The threat actor conducted a focused 36-event campaign over a one-hour window targeting industrial protocols, including Modbus TCP and Siemens S7comm. Key patterns included Modbus Function Code 43 (Read Device Identification) with broadcast addressing for device enumeration, and S7comm COTP connection requests for Siemens PLC reconnaissance. The activity maps to MITRE ATT&CK for ICS technique T0846 (Remote System Discovery) within the reconnaissance phase of the industrial attack kill chain. Primary IOC: 167.94.138.194 (no reverse DNS, unknown ASN, clean reputation scores, suggesting deliberate operational security measures).
IOCs
IP: 167.94.138.194
Recommendations
- Implement network segmentation to isolate ICS/SCADA networks from corporate networks and internet-facing systems
- Deploy industrial protocol monitoring capabilities to detect unauthorized Modbus and S7comm reconnaissance activities
- Block IP 167.94.138.194 at network perimeters and review logs for any historical connections from this source
- Audit and disable unnecessary industrial protocol broadcast functions where operationally feasible
- Enhance monitoring for MITRE T0846 (Remote System Discovery) activities across industrial network segments
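As an added illustration of the protocol-monitoring recommendation (example code written for this report, not tooling from the original), the detector below inspects raw TCP payloads for the two patterns described in the technical details: a Modbus/TCP Function Code 43 / MEI type 14 (Read Device Identification) request sent to the broadcast unit ID 0, and a COTP Connection Request (PDU type 0xE0) on the S7comm port. The flow records and packet bytes are constructed samples, not captures of the reported activity; the port numbers and frame layouts follow the public Modbus/TCP and TPKT/COTP specifications.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MODBUS_PORT = 502   # Modbus/TCP
S7COMM_PORT = 102   # ISO-on-TCP (TPKT/COTP) used by S7comm

def classify(dst_port: int, payload: bytes) -> Optional[str]:
    """Return a tag for ICS reconnaissance patterns in one TCP payload, else None."""
    if dst_port == MODBUS_PORT and len(payload) >= 9:
        # MBAP header: transaction id (2), protocol id (2, must be 0), length (2), unit id (1)
        proto_id = int.from_bytes(payload[2:4], "big")
        length = int.from_bytes(payload[4:6], "big")
        unit_id, func_code, mei_type = payload[6], payload[7], payload[8]
        if proto_id != 0 or length != len(payload) - 6:
            return None  # malformed Modbus/TCP, leave to other rules
        if func_code == 0x2B and mei_type == 0x0E:  # FC 43 / MEI 14 Read Device Identification
            # Unit ID 0 is the Modbus broadcast address: one request enumerates every device.
            return "modbus-read-device-id-broadcast" if unit_id == 0 else "modbus-read-device-id"
    if dst_port == S7COMM_PORT and len(payload) >= 6:
        # TPKT: version 3, reserved 0, total length (2); COTP: length indicator, PDU type
        tpkt_len = int.from_bytes(payload[2:4], "big")
        if payload[0] == 0x03 and payload[1] == 0x00 and tpkt_len == len(payload):
            if payload[5] == 0xE0:  # COTP Connection Request (CR) to a PLC
                return "cotp-connection-request"
    return None

def summarize(flows: List[Tuple[str, int, bytes]]) -> Dict[str, List[str]]:
    """Group detections by source IP so a scanner touching many PLCs stands out.
    Engineering workstations also issue FC 43 legitimately, so compare against an allowlist."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for src, dst_port, payload in flows:
        tag = classify(dst_port, payload)
        if tag:
            hits[src].append(tag)
    return dict(hits)

# Constructed sample payloads (hex), not taken from the reported traffic.
# MBAP tid=1 proto=0 len=5 unit=0 | FC 0x2B, MEI 0x0E, ReadDevId code 1, object 0
MODBUS_DEVICE_ID_BCAST = bytes.fromhex("000100000005002b0e0100")
# MBAP tid=2 proto=0 len=6 unit=1 | FC 3 Read Holding Registers addr 10, qty 1 (benign)
MODBUS_READ_REGISTERS = bytes.fromhex("0002000000060103000a0001")
# TPKT 03 00 0016 | COTP LI=0x11, CR (0xE0), refs, class 0, TPDU size + src/dst TSAP params
COTP_CONNECT_REQUEST = bytes.fromhex("0300001611e00000000100c0010ac1020100c2020102")

if __name__ == "__main__":
    sample_flows = [("198.51.100.7", MODBUS_PORT, MODBUS_DEVICE_ID_BCAST),
                    ("198.51.100.7", S7COMM_PORT, COTP_CONNECT_REQUEST),
                    ("10.0.0.5", MODBUS_PORT, MODBUS_READ_REGISTERS)]
    print(summarize(sample_flows))
```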