185.103.110.159

Summary (Bottom Line Up Front)

Threat actor 185.103.110.159 conducted targeted reconnaissance and exploitation attempts against Industrial Control Systems (ICS) infrastructure between March 24 and 25, 2026, using the Modbus and S7comm protocols. The campaign is rated medium severity, with 76 recorded events concentrated on critical industrial protocols. Network defenders should immediately review ICS network segmentation and implement enhanced monitoring for Modbus (502/tcp) and S7comm (102/tcp) traffic.

Tags: Modbus, RDP, S7comm, TCP, TCP/SYN, auto, http, modbus
Activity Timeline
INITIAL REPORT 2026-03-31T07:40:55Z
Source: Analyst Manual Entry
Technical details
The actor conducted multi-protocol reconnaissance against industrial control systems over a 22-hour window, from March 24 07:00 to March 25 05:00 UTC. The primary vectors were Modbus requests to port 502/tcp addressed to the broadcast Unit ID (0) and S7comm session-setup attempts (COTP Connection Request TPDUs, which precede every S7comm exchange on 102/tcp); both indicate familiarity with industrial protocols. The activity maps to MITRE ATT&CK technique T1046 (Network Service Discovery, previously named Network Service Scanning). The observed Modbus payload used Unit ID 0 with Function Code 90 (0x5A), which is not a standard public Modbus function but the vendor-specific code used by Schneider Electric's UMAS, so the broadcast is consistent with fingerprinting Schneider Modicon PLCs rather than a generic Modbus read. In total the campaign touched 4 unique destination ports, spanning the industrial protocols Modbus and S7comm as well as RDP, which suggests systematic enumeration of services reachable on the target network. Pattern analysis shows 10 S7comm connection attempts and 1 Modbus broadcast. Attribution is unknown, and the analyst estimate of zero-day exploitation is 15%.
IOCs
IP:185.103.110.159
Recommendations
  • Implement network segmentation to isolate ICS/SCADA systems from corporate networks and internet-facing infrastructure, so that neither 502/tcp nor 102/tcp is reachable from untrusted zones
  • Deploy protocol-aware monitoring that decodes the Modbus MBAP header (Unit ID, Function Code) and the TPKT/COTP layer under S7comm, so anomalies such as Unit ID 0 requests, vendor-specific function codes and unexpected COTP Connection Requests are visible rather than just "traffic to port 502"
  • Block IP address 185.103.110.159 at network perimeters and review logs for similar industrial protocol scanning activity from other sources
  • Conduct an immediate inventory of Modbus (port 502) and S7comm (port 102) services accessible from untrusted networks, including the RDP hosts this actor also probed
  • Enable enhanced logging for industrial protocol communications and establish baseline traffic patterns (which masters talk to which units, with which function codes) for anomaly detection
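The following Python script is an added example, not code from the report or from the platform that produced it. It shows the protocol-aware checks that the Technical details and the monitoring recommendation above call for: it parses the TCP payloads a sensor captured toward 502/tcp and 102/tcp, flags Modbus requests to the broadcast Unit ID 0 and the Schneider UMAS function code 90, recognizes the COTP Connection Request that opens an S7comm session, and aggregates findings and distinct ports per source address. Every frame below is constructed for the example; the Unit ID 0 / FC 90 frame mirrors the reported payload shape but is not the captured one, and the 10.0.0.5 "HMI poll" is hypothetical.

```python
"""Protocol-aware triage for Modbus/TCP and S7comm (ISO-on-TCP) traffic.

Added example (not the report's own tooling). Parses TCP payloads sent to
502/tcp and 102/tcp and labels the patterns the report describes:
Modbus broadcast to Unit ID 0, vendor-specific Function Code 90 (UMAS),
and COTP Connection Request TPDUs that precede S7comm sessions.
All sample frames are constructed for the example, not captured traffic.
"""
import struct
from collections import Counter, defaultdict

MODBUS_PORT = 502
S7COMM_PORT = 102  # ISO-on-TCP (RFC 1006): S7comm rides on TPKT/COTP

# Public function codes defined by the Modbus Application Protocol specification.
STANDARD_MODBUS_FC = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
UMAS_FC = 90      # 0x5A, Schneider Electric vendor-specific (UMAS) function code
COTP_CR = 0xE0    # COTP Connection Request TPDU type


def parse_modbus(payload: bytes):
    """Parse MBAP header + PDU; return None if it is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; the length field counts unit id + PDU.
    if pid != 0 or length != len(payload) - 6 or length < 2:
        return None
    return {"tid": tid, "unit_id": unit_id, "fc": payload[7], "data": payload[8:]}


def parse_cotp_cr(payload: bytes):
    """Parse TPKT + COTP; return TSAP details for a Connection Request, else None."""
    if len(payload) < 6 or payload[0] != 3:  # TPKT version is always 3
        return None
    tpkt_len = struct.unpack(">H", payload[2:4])[0]
    if tpkt_len != len(payload):
        return None
    li, pdu_type = payload[4], payload[5]  # COTP length indicator, TPDU type
    if pdu_type != COTP_CR or 4 + 1 + li != len(payload):
        return None
    info = {"dst_ref": payload[6:8].hex(), "src_ref": payload[8:10].hex()}
    # Variable part after the class/option byte: TLV parameters
    # (0xC1 source TSAP, 0xC2 destination TSAP, 0xC0 TPDU size).
    pos = 11
    while pos + 2 <= len(payload):
        code, plen = payload[pos], payload[pos + 1]
        value = payload[pos + 2: pos + 2 + plen]
        if code == 0xC1:
            info["src_tsap"] = value.hex()
        elif code == 0xC2:
            info["dst_tsap"] = value.hex()
        pos += 2 + plen
    return info


def classify(dst_port: int, payload: bytes) -> list:
    """Return the detection labels that apply to one TCP payload."""
    findings = []
    if dst_port == MODBUS_PORT:
        frame = parse_modbus(payload)
        if frame is None:
            return ["modbus_malformed"]
        if frame["unit_id"] == 0:
            findings.append("modbus_broadcast_unit0")
        if frame["fc"] == UMAS_FC:
            findings.append("modbus_fc90_umas")
        elif frame["fc"] not in STANDARD_MODBUS_FC:
            findings.append("modbus_nonstandard_fc")
    elif dst_port == S7COMM_PORT:
        if parse_cotp_cr(payload) is not None:
            findings.append("s7comm_cotp_connect")
    return findings


def summarize(events):
    """Aggregate findings and distinct destination ports per source address.

    events: iterable of (src_ip, dst_port, tcp_payload) tuples.
    """
    per_src = defaultdict(Counter)
    ports = defaultdict(set)
    for src, dst_port, payload in events:
        ports[src].add(dst_port)
        for label in classify(dst_port, payload):
            per_src[src][label] += 1
    return {src: {"findings": dict(per_src[src]), "ports": sorted(ports[src])} for src in ports}


# Constructed sample frames (not captured traffic).
# MBAP: tid=1, pid=0, len=4, unit=0 (broadcast); PDU: fc=0x5A (UMAS) + 2 data bytes
MODBUS_BROADCAST_FC90 = bytes.fromhex("0001 0000 0004 00 5a 0002")
# MBAP: unit=1; PDU: fc=3 Read Holding Registers, start 0, quantity 10
MODBUS_READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
# TPKT(len 22) + COTP CR: LI=17, E0, refs, class 0, TPDU size 0x0a, src TSAP 0100, dst TSAP 0102
S7_COTP_CR = bytes.fromhex("0300 0016 11 e0 0000 0001 00 c0 01 0a c1 02 0100 c2 02 0102")

SAMPLE_EVENTS = [
    ("185.103.110.159", 502, MODBUS_BROADCAST_FC90),
    ("185.103.110.159", 102, S7_COTP_CR),
    ("185.103.110.159", 102, S7_COTP_CR),
    ("10.0.0.5", 502, MODBUS_READ_HOLDING),  # hypothetical benign HMI poll
]

if __name__ == "__main__":
    for src, report in summarize(SAMPLE_EVENTS).items():
        print(src, report)
```

Run against the constructed events, the scanner's source shows two distinct ICS ports and the labels modbus_broadcast_unit0, modbus_fc90_umas and s7comm_cotp_connect, while the hypothetical HMI poll produces no findings; in production the same functions would be fed from a packet capture or honeypot log, and the per-source port set is what turns a single odd frame into the multi-protocol enumeration pattern the report describes.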