Summary (Bottom Line Up Front)
IP address 185.247.137.238 conducted sustained reconnaissance targeting industrial control systems and database services over a 72-day period from February 12 to April 24, 2026. The threat actor employed multi-protocol scanning techniques including Siemens S7COMM, Oracle TNS, and Modbus protocols, indicating potential targeting of critical infrastructure environments. Organizations operating industrial control systems should implement immediate monitoring and access controls for affected protocols.
## Activity Timeline
UPDATE 2 - 2026-04-24T15:45:49Z
Source: Analyst Manual Entry
IP address 185.247.137.238 conducted sustained reconnaissance targeting industrial control systems and database services over a 72-day period from February 12 to April 24, 2026. The threat actor employed multi-protocol scanning techniques including Siemens S7COMM, Oracle TNS, and Modbus protocols, indicating potential targeting of critical infrastructure environments. Organizations operating industrial control systems should implement immediate monitoring and access controls for affected protocols.
New findings
Attack Profile: 56 reconnaissance events targeting 10 unique destination ports across industrial and enterprise protocols including EtherNet/IP, S7COMM, Modbus, PostgreSQL, and Oracle TNS. Primary techniques aligned with MITRE T1046 (Network Service Scanning) during the reconnaissance phase of the kill chain. Notable payload samples included Oracle TNS version enumeration attempts ("CONNECT_DATA=(COMMAND=version") and generic internet measurement scanning activities. Attack patterns demonstrated medium-severity industrial control system probing and database service enumeration, with no evidence of exploitation attempts or zero-day usage.
Indicators of Compromise:
- Source IP: 185.247.137.238
- Targeted Protocols: S7COMM (port 102), Oracle TNS, Modbus, EtherNet/IP
- Campaign Duration: February 12, 2026 06:00 - April 24, 2026 08:00
- Attack Signature: Non-TPKT formatted S7COMM traffic, TNS version enumeration
Recommendations
- Block IP address 185.247.137.238 at network perimeters and implement monitoring for similar reconnaissance patterns targeting industrial protocols
- Audit and restrict access to industrial control system ports (102/S7COMM, 502/Modbus, 44818/EtherNet-IP) ensuring proper network segmentation
- Deploy enhanced logging and alerting for Oracle TNS version enumeration attempts and unusual database connection patterns
- Conduct immediate asset inventory of exposed industrial control systems and database services accessible from internet-facing networks
- Implement protocol-aware deep packet inspection for industrial control system traffic to detect malformed or reconnaissance packets
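The indicators listed in this update (non-TPKT traffic to port 102, the Oracle TNS "COMMAND=version" string, the "InternetMeasurement" user agent, and the ICS/database ports named in the recommendations) can be turned into a simple triage check over captured connection events. The Python below is an added example written for this page; it is not part of the report or of any vendor tooling. The sample events are constructed, the TPKT check follows RFC 1006 (version byte 3, reserved byte 0, 16-bit big-endian length equal to the full frame length), and the port-to-protocol mapping is limited to the ports this report mentions.

```python
"""Tag captured events against the reconnaissance indicators in this report.

Added example for this page; event records and payloads below are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Source IP named in the report's IOCs.
REPORTED_SOURCE = "185.247.137.238"

# Ports named in the report's recommendations (assumed standard service ports).
ICS_PORTS = {102: "S7COMM", 502: "Modbus", 44818: "EtherNet/IP"}
DB_PORTS = {1521: "Oracle TNS", 5432: "PostgreSQL"}


@dataclass
class Event:
    """One captured TCP payload: source address, destination port, raw bytes."""
    src: str
    dst_port: int
    payload: bytes


def is_tpkt(payload: bytes) -> bool:
    """True if the payload starts with a well-formed TPKT frame (RFC 1006).

    S7COMM rides on COTP over TPKT, so legitimate S7 traffic on port 102 should
    begin with version 3, reserved 0, and a length field that matches the frame.
    """
    if len(payload) < 4:
        return False
    version, reserved = payload[0], payload[1]
    length = int.from_bytes(payload[2:4], "big")
    return version == 3 and reserved == 0 and length == len(payload)


def classify(ev: Event) -> list[str]:
    """Return the indicator tags that match a single event, in a fixed order."""
    tags: list[str] = []
    if ev.src == REPORTED_SOURCE:
        tags.append("reported-source-ip")
    if ev.dst_port in ICS_PORTS:
        tags.append(f"ics-port:{ICS_PORTS[ev.dst_port]}")
        # The report's signature: traffic to the S7 port that is not TPKT-framed.
        if ev.dst_port == 102 and not is_tpkt(ev.payload):
            tags.append("non-tpkt-s7comm")
    if ev.dst_port in DB_PORTS:
        tags.append(f"db-port:{DB_PORTS[ev.dst_port]}")
    # Oracle TNS version enumeration string quoted in the report.
    if b"COMMAND=version" in ev.payload:
        tags.append("tns-version-enum")
    # Generic scanner user agent quoted in the report.
    if b"InternetMeasurement" in ev.payload:
        tags.append("internet-measurement-ua")
    return tags


def summarize(events: list[Event]) -> dict[str, int]:
    """Count how many events carry each indicator tag."""
    counts: Counter[str] = Counter()
    for ev in events:
        counts.update(classify(ev))
    return dict(counts)


# Constructed sample events. The first is a valid TPKT + COTP connection request
# (22 bytes, length field 0x16); the second is an HTTP probe sent to port 102,
# which is exactly the "non-TPKT formatted S7COMM traffic" the report describes.
VALID_S7_CR = (
    b"\x03\x00\x00\x16"
    b"\x11\xe0\x00\x00\x00\x01\x00\xc1\x02\x01\x00\xc2\x02\x01\x02\xc0\x01\x0a"
)
SAMPLE_EVENTS = [
    Event(REPORTED_SOURCE, 102, VALID_S7_CR),
    Event(REPORTED_SOURCE, 102, b"GET / HTTP/1.0\r\n\r\n"),
    Event(REPORTED_SOURCE, 1521, b"(DESCRIPTION=(CONNECT_DATA=(COMMAND=version)))"),
    Event(REPORTED_SOURCE, 80, b"GET / HTTP/1.1\r\nUser-Agent: InternetMeasurement\r\n\r\n"),
    # Internal host (documentation range) doing a normal Modbus read: tagged by port only.
    Event("192.0.2.10", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.src:>16} -> {ev.dst_port:<5} {classify(ev)}")
    print(summarize(SAMPLE_EVENTS))
```

The TPKT check is deliberately strict about the length field: a frame whose declared length does not match the bytes actually received is treated as non-TPKT, which catches truncated or fabricated headers as well as plain-text probes. In a real pipeline the tags would be attached to the event record and fed to whatever alerting the recommendations above call for.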
UPDATE 1 - 2026-04-24T13:38:19Z
Source: Analyst Manual Entry
Threat actor 185.247.137.238 conducted sustained reconnaissance targeting industrial control systems and enterprise services over a 71-day period from February 12 to April 24, 2026. The campaign focused on critical infrastructure protocols including Siemens S7COMM, Oracle TNS, and Modbus systems with 56 observed scanning events. Organizations operating industrial control systems should immediately review network segmentation and implement enhanced monitoring for these protocols.
New findings
Attack Profile: Multi-protocol reconnaissance campaign targeting industrial and enterprise infrastructure
Duration: 71 days (February 12 06:00 - April 24 08:00, 2026)
Volume: 56 events across 10 unique destination ports
Primary Protocols: S7COMM (Siemens industrial), Oracle TNS, Modbus, HTTP/HTTPS, PostgreSQL
MITRE Technique: T1046 (Network Service Scanning)
Kill Chain Phase: Reconnaissance
Key Indicators: Non-TPKT formatted S7COMM traffic on port 102, Oracle TNS version enumeration attempts, generic scanning user agents
Payload Samples: Oracle TNS connection strings containing "COMMAND=version", HTTP requests with "InternetMeasurement" user agent
Recommendations
- Implement network segmentation to isolate industrial control systems from internet-facing networks and restrict access to ports 102 (S7COMM), 502 (Modbus), and 1521 (Oracle TNS)
- Deploy protocol-aware monitoring for industrial control system communications to detect anomalous or malformed traffic patterns
- Review and harden Oracle TNS configurations, disable version disclosure, and implement connection filtering
- Establish baseline traffic patterns for industrial protocols and alert on deviations or unexpected connection attempts
- Conduct immediate asset inventory of exposed industrial control systems and database services accessible from external networks
INITIAL REPORT - 2026-04-21T14:52:17Z
Source: Analyst Manual Entry
External threat actor 185.247.137.238 conducted sustained reconnaissance against industrial control systems and enterprise services over 68 days, targeting Siemens S7COMM, Oracle TNS, and other critical protocols. This represents MEDIUM-severity threat activity focused on infrastructure enumeration that could enable future attacks against operational technology environments. Organizations should immediately review ICS network segmentation and implement enhanced monitoring for industrial protocol abuse.
Technical details
Attack Vector: Multi-protocol reconnaissance campaign targeting industrial and enterprise systems
Duration: February 12, 2026 06:00 - April 21, 2026 00:00 (68 days active)
Volume: 56 events across 10 unique destination ports
Protocols Targeted: Siemens S7COMM (port 102), Oracle TNS, Modbus, EtherNet/IP, PostgreSQL, HTTP/HTTPS with TLS variants
MITRE Technique: T1046 (Network Service Scanning)
Key Indicators: Non-TPKT formatted traffic to S7 industrial protocol ports, Oracle TNS version enumeration attempts, automated scanning signatures including "InternetMeasurement" user agent
Threat Classification: Reconnaissance phase activity with focus on critical infrastructure discovery
IOCs
IP: 185.247.137.238
Recommendations
- Implement network segmentation to isolate industrial control systems from internet-facing networks and restrict S7COMM, Modbus, and EtherNet/IP protocols to authorized internal communications only
- Deploy industrial protocol-aware monitoring solutions to detect anomalous traffic patterns on ports 102 (S7), 502 (Modbus), and 44818 (EtherNet/IP)
- Block source IP 185.247.137.238 at perimeter firewalls and review logs for any successful connections to industrial or database services
- Conduct security assessment of Oracle TNS services to ensure proper authentication controls and network exposure limitations are in place
- Enable enhanced logging for industrial protocol communications and establish baseline traffic patterns to identify future reconnaissance attempts