Summary (Bottom Line Up Front)
High-severity reconnaissance campaign detected from IP 18.218.118.203 targeting industrial control systems with Modbus broadcast device-identification queries (Function Code 43 / MEI type 14) alongside multi-protocol scanning from February 12 to March 10, 2026. The activity spanned OT and IT targets, with 379 recorded events covering ICS protocols, enterprise services, and cloud infrastructure. Immediate implementation of IT/OT network segmentation and Modbus traffic monitoring is recommended.
Activity Timeline
UPDATE 2 2026-03-10T17:17:47Z
Source: Analyst Manual Entry
New findings
- Attack vector: multi-protocol reconnaissance built around Modbus Function Code 43 / MEI type 14 (Read Device Identification) requests sent to the broadcast unit identifier 0 to enumerate ICS devices.
- Protocols observed: HTTP/HTTPS, Modbus, SSH, SMB, TLS 1.0, Oracle, and other TCP services across 10 unique destination ports.
- Primary techniques: MITRE ATT&CK for ICS T0846 (Remote System Discovery); the dominant sensor patterns are modbus_broadcast_attack and modbus_fc43_read_device_id.
- Attack scope: 379 events over a 26-day window (February 12 14:00 to March 10 14:00 UTC), including SMBv1 activity (recorded as smb_smb1_usage; the pattern records protocol use, not a specific exploit), Kubernetes dashboard access attempts, and FortiGate reconnaissance.
- Key IOC: 18.218.118.203 (no VPN/proxy indicators detected).
Recommendations
- Implement network segmentation between IT and OT environments to prevent lateral movement from compromised enterprise systems to industrial control networks
- Deploy Modbus-aware monitoring solutions to detect Function Code 43 broadcast queries and other anomalous industrial protocol communications
- Block or restrict SMBv1 protocol usage across the network and patch systems vulnerable to legacy SMB exploits
- Secure Kubernetes dashboards with proper authentication and restrict access to authorized personnel only
- Monitor and log all connections to critical infrastructure management interfaces including FortiGate and other network appliances
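The Modbus-aware monitoring recommended above (and again in the Update 1 entry below) reduces to two checks on each Modbus/TCP request: is the function code 43 with MEI type 14 (Read Device Identification), and is the unit identifier the broadcast address 0. The following Python is an added worked example, not code from this report or from the sensor that produced its patterns. It parses the MBAP header and PDU per the Modbus Application Protocol specification, tags each request, and rejects malformed frames. The sample frames are constructed from the spec layout, not captured from 18.218.118.203; the tag names reuse the report's pattern names, but the rule behind each name is my assumption.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus/TCP constants (Modbus Application Protocol Specification V1.1b3)
MBAP_LEN = 7                      # transaction id(2) + protocol id(2) + length(2) + unit id(1)
FC_ENCAPSULATED_INTERFACE = 0x2B  # function code 43
MEI_READ_DEVICE_ID = 0x0E         # MEI type 14: Read Device Identification
BROADCAST_UNIT_ID = 0x00          # unit id 0 is the broadcast address
READ_DEVICE_ID_CODES = {1: "basic", 2: "regular", 3: "extended", 4: "specific"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    mei_type: Optional[int] = None
    read_device_id_code: Optional[int] = None
    object_id: Optional[int] = None


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request ADU (one ADU per frame assumed); ValueError if malformed."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} trailing bytes")
    pdu = frame[MBAP_LEN:]
    req = ModbusRequest(tid, uid, pdu[0])
    if req.function_code == FC_ENCAPSULATED_INTERFACE:
        if len(pdu) < 2:
            raise ValueError("FC 43 request without MEI type")
        req.mei_type = pdu[1]
        if req.mei_type == MEI_READ_DEVICE_ID:
            # Read Device Identification carries a ReadDeviceID code and a starting object id.
            if len(pdu) < 4:
                raise ValueError("truncated Read Device Identification request")
            req.read_device_id_code, req.object_id = pdu[2], pdu[3]
            if req.read_device_id_code not in READ_DEVICE_ID_CODES:
                raise ValueError(f"invalid ReadDeviceID code {req.read_device_id_code}")
    return req


def classify(req: ModbusRequest) -> List[str]:
    """Map a parsed request onto detection tags. The tag names mirror the report's pattern
    names; the rule behind each is this example's assumption, not the sensor's own logic."""
    tags = []
    if req.unit_id == BROADCAST_UNIT_ID:
        tags.append("modbus_broadcast")
    if req.function_code == FC_ENCAPSULATED_INTERFACE and req.mei_type == MEI_READ_DEVICE_ID:
        tags.append("modbus_fc43_read_device_id")
    if "modbus_broadcast" in tags and "modbus_fc43_read_device_id" in tags:
        # Device identification is a read that expects a reply, which a broadcast cannot
        # receive by definition. Sending it to unit 0 is a fingerprinting sweep, not a poll.
        tags.append("modbus_broadcast_attack")
    return tags


def scan_frames(frames: List[bytes]) -> Tuple[List[Tuple[int, List[str]]], List[str]]:
    """Classify a batch of frames; returns (per-frame (transaction id, tags), parse errors)."""
    results, errors = [], []
    for frame in frames:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        results.append((req.transaction_id, classify(req)))
    return results, errors


# Constructed sample frames (not captured traffic), laid out as tid, pid, length, unit id, PDU.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000A"),  # unit 1, FC 3 Read Holding Registers: benign poll
    bytes.fromhex("0002 0000 0005 00 2B 0E 01 00"),   # unit 0 (broadcast), FC 43/14 basic device id: sweep
    bytes.fromhex("0003 0000 0005 01 2B 0E 01 00"),   # unit 1, FC 43/14: unicast identification, review source
    bytes.fromhex("0004 0000 0003 00 2B 0E"),         # broadcast FC 43/14 with no request body: malformed
]

if __name__ == "__main__":
    hits, errs = scan_frames(SAMPLE_FRAMES)
    for tid, tags in hits:
        print(f"tid={tid} tags={tags or ['benign']}")
    for err in errs:
        print("malformed:", err)
```

A unicast FC 43/14 request is normal for an engineering workstation, so the third frame gets only the identification tag and should be judged by its source address; the broadcast form is what warrants an alert on its own.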
UPDATE 1 2026-03-10T12:12:23Z
Source: Analyst Manual Entry
IP address 18.218.118.203 (Amazon AWS infrastructure, AS16509) conducted a sustained 25-day campaign against industrial control systems, network infrastructure, and cloud platforms, with 379 recorded events between February 12 and March 9, 2026. The activity spans several vectors, including Modbus/ICS enumeration, SMBv1 usage, and Kubernetes dashboard access attempts, and is assessed as HIGH threat level. Immediate defensive measures are recommended for organizations operating industrial control systems and hybrid cloud environments.
New findings
The threat actor used Amazon AWS infrastructure to conduct reconnaissance and exploitation attempts across diverse protocols, including HTTP/HTTPS, Modbus, SSH, TLS, SMB, and Oracle services. Primary techniques were industrial control system enumeration via Modbus broadcast requests and device identification queries (Function Code 43 / MEI type 14), SMBv1 usage consistent with preparation for lateral movement, and Kubernetes dashboard access attempts. The activity maps to MITRE ATT&CK T1046 (Network Service Discovery, formerly Network Service Scanning), T1021.002 (SMB/Windows Admin Shares), and T1613 (Container and Resource Discovery). The 100/100 AbuseIPDB confidence score and the 25-day duration indicate a persistent, deliberate campaign rather than incidental background noise; given the breadth of protocols, operator-driven automated tooling remains the likely mechanism.
Recommendations
- Block IP address 18.218.118.203 and monitor for additional AWS-hosted infrastructure exhibiting similar multi-protocol attack patterns
- Implement network segmentation to isolate industrial control systems from corporate networks and restrict Modbus protocol access to authorized systems only
- Disable SMBv1 on all Windows systems and require SMB signing; signing defeats NTLM relay against SMB services, although it does not by itself stop lateral movement with valid credentials
- Secure Kubernetes dashboards with proper authentication and restrict access to management interfaces from untrusted networks
- Deploy enhanced monitoring for Modbus Function Code 43 (Read Device Identification) requests and other ICS-specific reconnaissance activities
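The smb_smb1_usage pattern and the recommendation to disable SMBv1 raise a triage question a practitioner meets immediately: which SMB1 traffic comes from a peer that can speak nothing newer? A host that still has the SMB1 client installed opens with an SMB1 NEGOTIATE listing "SMB 2.002" and "SMB 2.???" dialects so the server can upgrade the session, so an SMB1 NEGOTIATE alone is not proof of a legacy-only client. The Python below is an added example, not code from this report or its sensor: it builds constructed SMB1 and SMB2 NEGOTIATE requests (layouts per MS-CIFS and MS-SMB2, header fields zeroed where irrelevant) and classifies them, separating an SMB1-only dialect list from the multi-protocol negotiate and from a native SMB2 negotiate. The sample messages are constructed, not captures; the verdict names are this example's own.

```python
import struct
from typing import Dict, List, Tuple

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000
SMB1_HEADER_LEN = 32
SMB2_HEADER_LEN = 64


def nbss_wrap(msg: bytes) -> bytes:
    """Prefix a NetBIOS Session Service 'session message' header (type 0x00 + 3-byte length),
    the framing seen on TCP/445 and TCP/139."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_smb1_negotiate(dialects: List[str]) -> bytes:
    """Constructed SMB1 NEGOTIATE request (not a capture): 32-byte header with only the magic
    and command set, WordCount 0, ByteCount covering the 0x02-prefixed NUL-terminated dialects."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * (SMB1_HEADER_LEN - 5)
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data
    return nbss_wrap(header + body)


def build_smb2_negotiate() -> bytes:
    """Constructed SMB2 NEGOTIATE request: 64-byte header (StructureSize 64, Command 0 at
    offset 12) and a 36-byte body advertising the single dialect 0x0202."""
    header = SMB2_MAGIC + struct.pack("<HHIHH", SMB2_HEADER_LEN, 0, 0, SMB2_NEGOTIATE, 0)
    header += b"\x00" * (SMB2_HEADER_LEN - len(header))
    body = struct.pack("<HHH", 36, 1, 0) + b"\x00" * 30 + struct.pack("<H", 0x0202)
    return nbss_wrap(header + body)


def smb1_dialects(smb: bytes) -> List[str]:
    """Extract the dialect strings from an SMB1 NEGOTIATE request (ByteCount-bounded)."""
    if len(smb) < SMB1_HEADER_LEN + 3:
        raise ValueError("SMB1 NEGOTIATE shorter than header + WordCount + ByteCount")
    word_count = smb[SMB1_HEADER_LEN]
    params_end = SMB1_HEADER_LEN + 1 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", smb, params_end)
    data = smb[params_end + 2: params_end + 2 + byte_count]
    return [e[1:].decode("ascii", "replace") for e in data.split(b"\x00") if e.startswith(b"\x02")]


def classify_smb(payload: bytes) -> Tuple[str, List[str]]:
    """Return (verdict, dialects) for one NBSS-framed SMB message. Verdict names are this
    example's own, not the report's pattern taxonomy."""
    if len(payload) < 4 or payload[0] != 0x00:
        return "not_nbss_session_message", []
    smb = payload[4:]
    if smb[:4] == SMB2_MAGIC and len(smb) >= SMB2_HEADER_LEN:
        (cmd,) = struct.unpack_from("<H", smb, 12)
        return ("smb2_negotiate" if cmd == SMB2_NEGOTIATE else "smb2_other"), []
    if smb[:4] != SMB1_MAGIC or len(smb) <= 4:
        return "not_smb", []
    if smb[4] != SMB1_COM_NEGOTIATE:
        # Any SMB1 command after negotiation means an SMB1 session is actually in use.
        return "smb1_usage", []
    dialects = smb1_dialects(smb)
    if any(d.startswith("SMB 2.") for d in dialects):
        return "smb1_negotiate_multiprotocol", dialects   # client can upgrade to SMB2/3
    return "smb1_only_client", dialects                    # nothing newer offered: legacy peer


# Constructed sample messages (not captures).
SAMPLE_MESSAGES: Dict[str, bytes] = {
    "legacy_scanner": build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]),
    "windows_smb1_installed": build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
    "smb2_client": build_smb2_negotiate(),
}


def triage(messages: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per named sample; the place to hang an alert is 'smb1_only_client'."""
    return {name: classify_smb(msg)[0] for name, msg in messages.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_MESSAGES).items():
        print(f"{name}: {verdict}")
```

Once SMBv1 is disabled on the server side, the multi-protocol negotiate simply fails over to SMB2, so the "smb1_only_client" verdict becomes the one that identifies peers that will break and that deserve a host-level look.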
INITIAL REPORT 2026-03-10T12:06:10Z
Source: Analyst Manual Entry
Malicious activity detected from 18.218.118.203 (US, AS16509). 371 events observed across HTTP, Modbus, SSH, TCP, TCP/SYN. AI verdict: UNKNOWN.
Technical details
Protocols: HTTP, Modbus, SSH, TCP, TCP/SYN, TLS, TLS/1.0, Unknown, auto, https, modbus, oracle, smb
Attack types: FORTI_RECON, ICS_ATTACK, K8S_ATTACK, MODBUS, SMB
Unique destination ports: 10
Active window: 2026-02-12 13:56:11.463103 to 2026-03-09 12:44:18.388068
Top patterns: modbus_broadcast_attack, modbus_fc43_read_device_id, smb_smb1_usage, k8s_dashboard_access, modbus_broadcast_binary
IOCs
IP: 18.218.118.203
ASN: 16509
COUNTRY: US
Recommendations
- Block 18.218.118.203 at perimeter firewall
- Monitor other traffic from AS16509
- Review correlated attacker profiles for campaign links