Summary (Bottom Line Up Front)
Our sensors detected targeted reconnaissance activity against Industrial Control Systems (ICS) infrastructure from IP 185.247.137.110 (Leeds, GB) between February 23-March 11, 2026. The threat actor conducted EtherNet/IP and Modbus protocol enumeration attacks, indicating potential preparation for operational technology (OT) network compromise. Organizations operating ICS/SCADA environments should immediately review network segmentation and implement enhanced monitoring for industrial protocols.
Activity Timeline
INITIAL REPORT 2026-03-14T17:55:20Z
Source: batch_hunting
Technical details
The threat actor generated 31 events over a 16-day period, demonstrating persistent reconnaissance behavior targeting industrial control systems. Observed attack patterns included EtherNet/IP List Identity commands and Modbus broadcast attacks, both classified as medium-severity ICS attacks. The actor used multiple protocols, including TCP, TLS (versions 1.0 and 1.2+), HTTPS, and MQTT over TLS, suggesting sophisticated protocol knowledge. Activity originated from AS211298 (Driftnet Ltd); the source host exposed open ports 53 and 80 and targeted 4 unique destination ports. The low AbuseIPDB score (0/100) indicates that this may represent previously unknown or emerging threat activity rather than known malicious infrastructure.
IOCs
IP: 185.247.137.110
ASN: 211298
COUNTRY: GB
Recommendations
- Implement network segmentation between IT and OT environments, ensuring industrial control systems are isolated from internet-facing networks
- Deploy specialized ICS/SCADA protocol monitoring tools to detect unauthorized EtherNet/IP and Modbus communications
- Block traffic from 185.247.137.110 at network perimeters and review logs for any successful connections from this source
- Conduct immediate inventory of all industrial control system assets and verify proper authentication controls are enabled
- Establish baseline monitoring for normal EtherNet/IP List Identity and Modbus traffic patterns to identify future anomalous activity
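The monitoring recommendations above call for spotting EtherNet/IP List Identity and Modbus requests that come from hosts outside the expected engineering set. The following is an added example, not code from this report or from any monitoring product it mentions: it parses the EtherNet/IP encapsulation header (List Identity is encapsulation command 0x0063 on TCP/UDP 44818) and the Modbus/TCP MBAP header (port 502), classifies each flow, and raises an alert when an industrial-protocol request comes from a source not on an allowlist. The allowlist address 10.10.5.20, the Flow records and the payload bytes are constructed sample data; the attacker address is the IOC from this report.

```python
import struct
from dataclasses import dataclass

ENIP_PORT = 44818            # EtherNet/IP encapsulation (TCP and UDP)
MODBUS_PORT = 502            # Modbus/TCP
ENIP_LIST_IDENTITY = 0x0063  # encapsulation command "List Identity"
ENIP_HEADER_LEN = 24         # fixed encapsulation header size
MBAP_LEN = 7                 # Modbus Application Protocol header size

# Hosts permitted to issue industrial protocol requests (assumed engineering
# workstation; constructed for this example).
ALLOWED_SOURCES = {"10.10.5.20"}


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes


def parse_enip(payload: bytes):
    """Return the encapsulation command if payload is a well-formed EtherNet/IP
    message, else None. Header: command(2) length(2) session(4) status(4)
    sender context(8) options(4), all little-endian."""
    if len(payload) < ENIP_HEADER_LEN:
        return None
    command, length, _session, _status = struct.unpack_from("<HHII", payload, 0)
    # The length field must match the data that follows the 24-byte header.
    if len(payload) - ENIP_HEADER_LEN != length:
        return None
    return command


def parse_modbus(payload: bytes):
    """Return (unit_id, function_code) for a Modbus/TCP request, else None.
    MBAP: transaction id(2) protocol id(2, must be 0) length(2) unit id(1),
    big-endian, followed by the PDU whose first byte is the function code."""
    if len(payload) < MBAP_LEN + 1:
        return None
    _tid, proto, length, unit = struct.unpack_from(">HHHB", payload, 0)
    if proto != 0:
        return None
    # MBAP length counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        return None
    return unit, payload[MBAP_LEN]


def classify(flow: Flow) -> str:
    """Label a flow by the industrial protocol request it carries, or 'other'."""
    if flow.dst_port == ENIP_PORT:
        cmd = parse_enip(flow.payload)
        if cmd == ENIP_LIST_IDENTITY:
            return "enip_list_identity"
        if cmd is not None:
            return "enip_other"
    elif flow.dst_port == MODBUS_PORT:
        parsed = parse_modbus(flow.payload)
        if parsed is not None:
            unit, fc = parsed
            # Unit id 0 is the Modbus broadcast address (serial-line convention,
            # also honoured by many gateways), so flag it separately.
            if unit == 0:
                return "modbus_broadcast_fc%d" % fc
            return "modbus_fc%d" % fc
    return "other"


def find_unauthorized(flows):
    """Return (src_ip, dst_port, kind) for every ICS request from a host that is
    not on the allowlist; truncated or malformed payloads are not alerted on."""
    alerts = []
    for f in flows:
        kind = classify(f)
        if kind != "other" and f.src_ip not in ALLOWED_SOURCES:
            alerts.append((f.src_ip, f.dst_port, kind))
    return alerts


# Constructed sample payloads.
LIST_IDENTITY_REQ = b"\x63\x00\x00\x00" + b"\x00" * 20          # cmd 0x63, length 0
REGISTER_SESSION_REQ = (b"\x65\x00\x04\x00" + b"\x00" * 20        # cmd 0x65, length 4
                        + b"\x01\x00\x00\x00")                    # protocol version 1
MODBUS_READ_HOLDING = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"  # unit 1, FC 3
MODBUS_BROADCAST_WRITE = b"\x00\x02\x00\x00\x00\x06\x00\x06\x00\x10\x00\x01"  # unit 0, FC 6
TRUNCATED_ENIP = b"\x63\x00"                                      # too short to parse

SAMPLE_FLOWS = [
    Flow("185.247.137.110", ENIP_PORT, LIST_IDENTITY_REQ),
    Flow("10.10.5.20", ENIP_PORT, REGISTER_SESSION_REQ),
    Flow("185.247.137.110", MODBUS_PORT, MODBUS_READ_HOLDING),
    Flow("185.247.137.110", MODBUS_PORT, MODBUS_BROADCAST_WRITE),
    Flow("185.247.137.110", 80, b"GET / HTTP/1.1\r\n\r\n"),
    Flow("185.247.137.110", ENIP_PORT, TRUNCATED_ENIP),
]

if __name__ == "__main__":
    for alert in find_unauthorized(SAMPLE_FLOWS):
        print("ALERT unauthorized ICS request: src=%s dport=%d kind=%s" % alert)
```

The length checks matter in practice: a sensor that matches only on destination port will alert on every scanner that touches 44818 or 502, whereas requiring a well-formed header separates genuine protocol enumeration from generic port sweeps and keeps the baseline of "normal" List Identity traffic meaningful.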