185.247.137.207

Summary (Bottom Line Up Front)

Threat actor operating from 185.247.137.207 (Manchester, GB) conducted sustained multi-protocol reconnaissance against industrial control systems, Kubernetes environments, and SMB services over 36 days with 64 recorded events. Assessment indicates MEDIUM threat level with potential APT characteristics given the 100/100 AbuseIPDB score and diverse attack surface targeting. Immediate defensive hardening of OT/IT network boundaries and enhanced monitoring of exposed services is recommended.

Tags: HTTP, Modbus, SMB, TCP, TCP/SYN, TLS/1.0, auto, https
Activity Timeline
UPDATE 2 (2026-03-21T11:52:39Z)
Source: Analyst Manual Entry
New findings
Actor demonstrated sophisticated reconnaissance capabilities across HTTP, HTTPS, Modbus, SMB, and TLS protocols targeting 4 unique destination ports. Primary attack vectors included Kubernetes dashboard access attempts (T1046 - Network Service Scanning) and legacy SMBv1 exploitation attempts, indicating systematic enumeration of both cloud and traditional network infrastructure. Activity spanned from February 13, 2026 04:00 to March 21, 2026 07:00, suggesting persistent campaign methodology. Key IOC: 185.247.137.207 (AS211298 Driftnet Ltd) with no reverse DNS resolution and ports 53/80 exposed.
Recommendations
  • Block 185.247.137.207 at network perimeter and monitor for additional AS211298 infrastructure
  • Implement network segmentation between OT/ICS networks and corporate IT systems, particularly restricting Modbus (port 502) and Siemens S7 (port 102) access
  • Disable SMBv1 across all Windows systems and enable SMB signing to prevent lateral movement attempts
  • Secure Kubernetes dashboard access with strong authentication and restrict external exposure
  • Deploy enhanced monitoring for industrial protocol traffic (Modbus, S7) and alert on unauthorized connection attempts
UPDATE 1 (2026-03-21T11:51:35Z)
Source: Analyst Manual Entry
Threat actor 185.247.137.207 conducted reconnaissance against exposed Kubernetes Dashboard instances between February 13 and March 21, 2026, with additional SMB enumeration activity detected. Assessment: MEDIUM threat level with 85% confidence, representing the initial phases of a potential cluster compromise. Immediate action is required to secure Kubernetes dashboard deployments and review SMB exposure.
New findings
  • Source: 185.247.137.207 (Manchester, GB / AS211298 Driftnet Ltd)
  • Activity Period: February 13, 2026 04:00 - March 21, 2026 07:00 (64 total events)
  • Protocols: HTTP, HTTPS, TLS/1.0, SMB, Modbus, TCP
  • Attack Vectors: Kubernetes dashboard reconnaissance (T1590.001), SMB enumeration
  • Kill Chain Phase: Reconnaissance
  • Threat Indicators: AbuseIPDB score 100/100, targeting 4 unique destination ports
  • IOCs: 185.247.137.207 requesting kubernetes-logo.png assets, SMBv1 usage patterns
Recommendations
  • Immediately audit and restrict access to Kubernetes Dashboard instances, implementing authentication and network segmentation
  • Disable SMBv1 protocol across all Windows systems and implement SMB signing requirements
  • Deploy network monitoring for Kubernetes API server access attempts and dashboard enumeration activities
  • Review firewall rules to ensure Kubernetes management interfaces are not exposed to internet-facing networks
  • Implement threat hunting procedures for reconnaissance activities targeting container orchestration platforms
INITIAL REPORT (2026-03-14T17:39:36Z)
Source: batch_hunting
Threat actor operating from Manchester, UK (185.247.137.207) conducted a sustained 29-day campaign targeting Kubernetes dashboards and legacy SMB services across multiple protocols. Assessment: MEDIUM threat level with focused targeting of container orchestration and file sharing infrastructure. Immediate action required to audit Kubernetes dashboard exposure and disable SMBv1 protocols.
Technical details
Attack Profile: 64 security events observed between 2026-02-13 04:00 and 2026-03-14 06:00, originating from AS211298 (Driftnet Ltd) with maximum AbuseIPDB reputation score (100/100). Actor demonstrated multi-protocol capabilities across HTTP/HTTPS, Modbus, SMB, and raw TCP connections targeting 4 unique destination ports.
Primary Techniques: Kubernetes dashboard unauthorized access attempts (MITRE T1552.007 - Unsecured Credentials: Container API) and SMBv1 protocol exploitation (MITRE T1021.002 - Remote Services: SMB/Windows Admin Shares). Attack pattern suggests reconnaissance and lateral movement preparation against containerized environments and Windows file shares.
Infrastructure: Source host operates DNS (port 53) and web services (port 80) with no reverse DNS resolution, indicating potential command-and-control or staging infrastructure.
IOCs
IP: 185.247.137.207
ASN: 211298
COUNTRY: GB
Recommendations
  • Block source IP 185.247.137.207 at network perimeter and monitor for additional IPs within AS211298 range
  • Audit all Kubernetes dashboard deployments for proper authentication and network segmentation
  • Disable SMBv1 protocol across all Windows systems and file servers immediately
  • Implement enhanced monitoring for unauthorized container API access attempts and SMB enumeration activities
  • Review network segmentation between Kubernetes clusters and legacy Windows infrastructure to prevent lateral movement
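The recommendations in all three entries above reduce to a small set of detections: flag any traffic from the IOC IP or its ASN, flag Modbus (502) and S7 (102) connections that cross the OT/IT boundary from a host that is not an approved OT system, flag SMBv1 dialect negotiation, and flag probes for Kubernetes dashboard assets such as kubernetes-logo.png. The script below is an added example (not part of the report or of any tool it mentions) that runs those checks over connection events. It assumes a constructed JSON-lines log format with the fields src, src_asn, dport, app, smb_dialect and http_uri, and it assumes 10.20.0.0/16 as the approved OT network; both are placeholders to adapt to a real environment. The sample log lines are constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Indicators and watch values taken from the report above.
IOC_IPS = {"185.247.137.207"}
WATCH_ASNS = {211298}                       # AS211298 Driftnet Ltd
ICS_PORTS = {502: "modbus", 102: "s7"}      # Modbus/TCP and Siemens S7
K8S_DASHBOARD_MARKERS = ("kubernetes-logo.png", "/api/v1/namespaces")

# Assumption (placeholder): hosts allowed to speak Modbus/S7 across the boundary.
OT_ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def is_ot_allowed(src: str) -> bool:
    """True if the source address sits in an approved OT network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OT_ALLOWED_NETS)


def evaluate(event: dict) -> list:
    """Return the alert names a single connection event triggers (may be empty)."""
    alerts = []
    src = event["src"]
    dport = event.get("dport")

    # 1. Known IOC source, or another host in the watched ASN.
    if src in IOC_IPS:
        alerts.append("ioc-source-match")
    elif event.get("src_asn") in WATCH_ASNS:
        alerts.append("watch-asn-source")

    # 2. Industrial protocol port reached from outside the approved OT network.
    if dport in ICS_PORTS and not is_ot_allowed(src):
        alerts.append(f"ot-boundary-{ICS_PORTS[dport]}")

    # 3. Legacy SMBv1 dialect negotiated (should be disabled fleet-wide).
    if event.get("app") == "smb" and event.get("smb_dialect") == "SMB1":
        alerts.append("smbv1-negotiation")

    # 4. Request for Kubernetes dashboard assets or API paths.
    uri = event.get("http_uri", "")
    if any(marker in uri for marker in K8S_DASHBOARD_MARKERS):
        alerts.append("k8s-dashboard-probe")

    return alerts


def scan(lines) -> list:
    """Parse JSON-lines events and return (event, alerts) pairs for events that alert."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        alerts = evaluate(event)
        if alerts:
            hits.append((event, alerts))
    return hits


def summarize(hits) -> Counter:
    """Count how often each alert name fired across the scanned events."""
    counts = Counter()
    for _, alerts in hits:
        counts.update(alerts)
    return counts


# Constructed sample log (not real telemetry); destinations use documentation ranges.
SAMPLE_LOG = """
{"ts":"2026-02-13T04:02:11Z","src":"185.247.137.207","src_asn":211298,"dst":"192.0.2.10","dport":443,"proto":"tcp","app":"http","http_uri":"/assets/images/kubernetes-logo.png"}
{"ts":"2026-02-14T09:30:00Z","src":"185.247.137.207","src_asn":211298,"dst":"192.0.2.20","dport":445,"proto":"tcp","app":"smb","smb_dialect":"SMB1"}
{"ts":"2026-03-01T12:00:00Z","src":"198.51.100.7","src_asn":211298,"dst":"192.0.2.30","dport":502,"proto":"tcp","app":"modbus"}
{"ts":"2026-03-02T08:15:00Z","src":"10.20.5.4","src_asn":0,"dst":"10.20.9.1","dport":102,"proto":"tcp","app":"s7"}
{"ts":"2026-03-03T10:00:00Z","src":"203.0.113.9","src_asn":64496,"dst":"192.0.2.20","dport":445,"proto":"tcp","app":"smb","smb_dialect":"SMB3"}
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for event, alerts in found:
        print(event["ts"], event["src"], "->", event["dport"], ", ".join(alerts))
    print(dict(summarize(found)))
```

The fourth sample line (S7 from an approved OT host) and the fifth (SMB3 from an unrelated source) produce no alerts, which is the point of keeping an explicit OT allowlist and keying the SMB rule on the negotiated dialect rather than on port 445 alone; without those two qualifiers the rules would page on every legitimate PLC poll and file-share session.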