185.247.137.206

Summary (Bottom Line Up Front)

External IP 185.247.137.206 conducted sustained multi-protocol reconnaissance targeting Oracle databases and industrial control systems over a 10-week period from February to April 2026. The campaign demonstrates medium-severity threat activity with 61 recorded events spanning database enumeration, ICS protocol probing, and network scanning. Organizations should implement enhanced monitoring for Oracle TNS and S7comm protocols while blocking the identified threat actor IP.

Observed protocol tags: ENIP, EtherNet/IP, HTTP, ORACLE, Oracle/TNS, TCP, TCP/SYN, TLS/1.0, TLS/1.2+, Unknown, auto, https_tls_handshake
Activity Timeline
UPDATE 1 2026-04-26T18:44:11Z
Source: Analyst Manual Entry
External IP 185.247.137.206 conducted sustained multi-protocol reconnaissance targeting Oracle databases and industrial control systems over a 10-week period from February to April 2026. The campaign demonstrates medium-severity threat activity with 61 recorded events spanning database enumeration, ICS protocol probing, and network scanning. Organizations should implement enhanced monitoring for Oracle TNS and S7comm protocols while blocking the identified threat actor IP.
New findings
Attack Timeline: February 17, 2026 04:00 - April 26, 2026 13:00 (UTC)
Protocols Observed: Oracle TNS, S7comm/COTP, EtherNet/IP, HTTP/HTTPS with TLS 1.0-1.2+
Primary Techniques: T1046 (Network Service Scanning) targeting port 1521/TCP (Oracle) and port 102/TCP (S7comm)
Attack Patterns: Oracle database version enumeration, S7comm COTP connection requests, EtherNet/IP ListIdentity commands
Key IOCs:
  • Source IP: 185.247.137.206
  • Suspicious scanning of the Oracle listener port (1521/TCP)
  • Industrial protocol reconnaissance (S7comm, EtherNet/IP)
  • User-agent based scanning patterns
Kill Chain Phase: Reconnaissance with potential progression indicators
Recommendations
  • Block source IP 185.247.137.206 at network perimeter and implement monitoring for similar reconnaissance patterns
  • Enable enhanced logging and alerting for Oracle TNS connections on port 1521, particularly version enumeration attempts
  • Deploy network segmentation between IT and OT environments to limit S7comm and EtherNet/IP protocol exposure
  • Implement anomaly detection for industrial protocol communications, focusing on unauthorized ListIdentity and COTP connection requests
  • Review and harden Oracle database configurations, ensuring unnecessary services are disabled and access controls are properly configured
INITIAL REPORT 2026-04-07T06:59:57Z
Source: Analyst Manual Entry
IP address 185.247.137.206 conducted a sustained reconnaissance campaign from February 17 to April 7, 2026, targeting industrial control systems and web services with 61 attack events across multiple protocols including EtherNet/IP and HTTP. The activity represents medium-severity threat behavior focused on information gathering and ICS network mapping. Network defenders should implement enhanced monitoring for S7comm protocol traffic and backup file access attempts.
Technical details
Attack Vector: Multi-protocol reconnaissance targeting industrial systems and web infrastructure
Timeline: February 17, 2026 04:00 - April 7, 2026 05:00 (sustained 7-week campaign)
Volume: 61 events across 5 unique destination ports
Primary Techniques:
  • T1083 (File and Directory Discovery) via URL-encoded backup file requests
  • S7comm COTP connection attempts on port 102
  • Automated scanning with bot user agents
Key Indicators:
  • S7comm COTP Connection Request packets targeting port 102/TCP
  • HTTP requests for backup files using URL encoding obfuscation
  • InternetMeasurement scanning behavior
  • Attack patterns: ICS_ATTACK (T0846) and SCANNER activities
IOCs
  • Source IP: 185.247.137.206
  • Target protocols: EtherNet/IP, S7comm, HTTP
  • Suspicious file requests: Trinity.txt.bak (URL-encoded)
Recommendations
  • Monitor and log all S7comm COTP connection attempts on port 102/TCP, particularly from external IP ranges
  • Implement detection rules for URL-encoded requests targeting backup files (.bak, .backup, .old extensions)
  • Review firewall rules to ensure industrial control system protocols are not exposed to internet-facing networks
  • Deploy network segmentation between IT and OT environments to limit reconnaissance scope
  • Enable enhanced logging for EtherNet/IP and other industrial protocol communications
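The recommendation to detect URL-encoded requests for backup files (the Trinity.txt.bak request noted above is one instance) can be prototyped as an access-log check. This is an added example, not part of the analyst's report: the log lines are constructed (the source IP and the Trinity.txt.bak name come from the report; timestamps, sizes and the user-agent string are made up), and the check goes slightly beyond the report by also normalising double percent-encoding and ignoring matches that occur only in the query string.

```python
import re
from urllib.parse import unquote

# Extensions named in the report's detection recommendation
BACKUP_EXTENSIONS = (".bak", ".backup", ".old")

# Combined (Apache/nginx) access-log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def fully_decode(text, max_rounds=3):
    # Percent-decode until stable so double-encoded paths (%252E -> %2E -> .) normalise
    current = text
    for rounds in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current, rounds
        current = decoded
    return current, max_rounds

def is_backup_request(target):
    # Judge only the decoded path; a ".bak" inside a query string is not a file request
    path = target.split("?", 1)[0]
    decoded, rounds = fully_decode(path)
    filename = decoded.rsplit("/", 1)[-1].lower()
    if not filename.endswith(BACKUP_EXTENSIONS):
        return None
    return {"decoded_path": decoded, "url_encoded": rounds > 0, "decode_rounds": rounds}

def scan_log(lines):
    # Run the check over access-log lines; unparseable lines are skipped
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        hit = is_backup_request(m["target"])
        if hit:
            findings.append({"ip": m["ip"], "ts": m["ts"], "ua": m["ua"], "raw": m["target"], **hit})
    return findings

# Constructed sample lines (IP and Trinity.txt.bak from the report; the rest is made up)
SAMPLE_LOG = [
    '185.247.137.206 - - [02/Mar/2026:11:02:17 +0000] "GET /Trinity%2Etxt%2Ebak HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; InternetMeasurement/1.0)"',
    '185.247.137.206 - - [02/Mar/2026:11:02:19 +0000] "GET /config%252Eold HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; InternetMeasurement/1.0)"',
    '10.0.0.5 - - [02/Mar/2026:11:03:00 +0000] "GET /search?q=report.bak HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Mar/2026:11:03:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

`scan_log(SAMPLE_LOG)` returns two findings, both from 185.247.137.206, with `decode_rounds` of 1 for the Trinity.txt.bak request and 2 for the double-encoded `.old` request; the query-string and index.html lines produce nothing.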