Summary (Bottom Line Up Front)
A threat actor operating from IP 167.94.146.58 conducted targeted reconnaissance against industrial control systems over a 21-day period, using the Siemens S7comm and Modbus protocols to probe critical infrastructure. The activity is assessed as a MEDIUM threat level, with potential to escalate into operational disruption. Organizations operating ICS/SCADA environments should immediately review network segmentation and implement enhanced monitoring for industrial protocols.
Activity Timeline
INITIAL REPORT 2026-03-14T17:53:17Z
Source: batch_hunting
Technical details
The threat actor demonstrated detailed knowledge of industrial protocols, specifically targeting Siemens S7 PLCs via S7comm Connection Oriented Transport Protocol (COTP) connection requests (the TCP/102 session setup that precedes S7comm communication) and Modbus devices through broadcast attacks and device identification queries (Function Code 43, Encapsulated Interface Transport, used with MEI type 14 for Read Device Identification). Attack patterns included automated scanning behavior consistent with Censys infrastructure mapping and bot-like User-Agent strings. The 38 recorded events occurred between February 19, 2026 22:00 and March 12, 2026 02:00, indicating sustained reconnaissance operations. Key protocols observed: HTTP, Modbus, S7comm, TLS 1.0. MITRE ATT&CK mappings include T1046 (Network Service Scanning) and T1082 (System Information Discovery). Primary IOC: 167.94.146.58.
IOCs
IP: 167.94.146.58
Recommendations
- Implement network segmentation to isolate ICS/SCADA networks from corporate IT infrastructure and internet-facing systems
- Deploy industrial protocol-aware monitoring solutions capable of detecting anomalous S7comm and Modbus communications
- Configure firewalls to block unauthorized access to industrial protocol ports (102/TCP for S7comm, 502/TCP for Modbus)
- Review and harden HMI and engineering workstation configurations to prevent unauthorized protocol communications
- Establish baseline traffic patterns for industrial networks to identify future reconnaissance activities
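As an added example supporting the technical details above and the protocol-aware monitoring recommendation (this code is not part of the report or any vendor product), the following Python detector decodes the two probe types described: a COTP Connection Request (TPKT + COTP CR TPDU) on TCP/102 and a Modbus/TCP Function Code 43 / MEI type 14 Read Device Identification request on TCP/502. Events are then summarized per source and matched against the report's IOC. The `Event` record shape, the sample payloads and the non-IOC source addresses are constructed for the example.

```python
"""Detect S7comm COTP connection requests and Modbus FC43 device-id probes.

Added example for the report above; the event format and sample payloads
are constructed and do not come from the original hunting data.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOC taken from the report
WATCHLIST = {"167.94.146.58"}


@dataclass
class Event:
    """Minimal connection record (constructed shape, not a real sensor export)."""
    src_ip: str
    dst_port: int
    payload: bytes  # first client-to-server application bytes


def is_cotp_connection_request(payload: bytes) -> bool:
    """True for a TPKT-framed COTP CR TPDU (the first step of an S7comm session)."""
    # TPKT: version (0x03), reserved, 16-bit total length; COTP: LI, PDU type
    if len(payload) < 6 or payload[0] != 0x03:
        return False
    tpkt_len = struct.unpack("!H", payload[2:4])[0]
    if tpkt_len != len(payload):
        return False
    return (payload[5] & 0xF0) == 0xE0  # CR TPDU code


def is_modbus_device_identification(payload: bytes) -> bool:
    """True for a Modbus/TCP FC 0x2B request with MEI type 0x0E (Read Device ID)."""
    # MBAP: transaction id, protocol id (0 for Modbus), length, unit id; then PDU
    if len(payload) < 9:
        return False
    _tid, proto_id, length, _unit = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return False
    return payload[7] == 0x2B and payload[8] == 0x0E


def classify(event: Event) -> Optional[str]:
    """Return a tag for reconnaissance-style probes, or None for other traffic."""
    if event.dst_port == 102 and is_cotp_connection_request(event.payload):
        return "s7comm-cotp-cr"
    if event.dst_port == 502 and is_modbus_device_identification(event.payload):
        return "modbus-fc43-device-id"
    return None


def summarize(events: List[Event]) -> Dict[str, Counter]:
    """Count probe tags per source address; sources with no probes are omitted."""
    summary: Dict[str, Counter] = {}
    for event in events:
        tag = classify(event)
        if tag is not None:
            summary.setdefault(event.src_ip, Counter())[tag] += 1
    return summary


def ioc_hits(events: List[Event]) -> List[str]:
    """Source addresses that both probed industrial protocols and match the IOC list."""
    return sorted(ip for ip in summarize(events) if ip in WATCHLIST)


# Constructed sample payloads (hex decoded by hand to match the protocol layouts)
SAMPLE_COTP_CR = bytes.fromhex(
    "03000016"            # TPKT: version 3, length 22
    "11e00000000100"      # COTP: LI 17, CR TPDU, dst ref 0, src ref 1, class 0
    "c1020100c2020102c0010a"  # src TSAP, dst TSAP, TPDU size parameters
)
SAMPLE_COTP_DT = bytes.fromhex("0300000702f080")  # COTP DT TPDU, not a CR
SAMPLE_MODBUS_FC43 = bytes.fromhex("000100000005012b0e0100")  # FC43 / MEI 14
SAMPLE_MODBUS_READ_HOLDING = bytes.fromhex("00020000000601030000000a")  # FC3

SAMPLE_EVENTS = [
    Event("167.94.146.58", 102, SAMPLE_COTP_CR),
    Event("167.94.146.58", 502, SAMPLE_MODBUS_FC43),
    Event("10.0.5.20", 502, SAMPLE_MODBUS_READ_HOLDING),  # routine HMI poll
    Event("10.0.5.20", 102, SAMPLE_COTP_DT),               # established S7 session data
    Event("203.0.113.9", 502, SAMPLE_MODBUS_FC43),        # probe from a non-IOC address
]

if __name__ == "__main__":
    for src, tags in summarize(SAMPLE_EVENTS).items():
        print(src, dict(tags))
    print("IOC hits:", ioc_hits(SAMPLE_EVENTS))
```

The length checks against the TPKT and MBAP headers matter in practice: a bare byte match on 0xE0 or 0x2B would also fire on unrelated traffic that happens to land on these ports, while a frame whose declared length disagrees with what was captured is itself worth flagging in a baseline review.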