Summary (Bottom Line Up Front)
Threat actor at 185.247.137.40 conducted reconnaissance scanning targeting industrial control systems over a 32-day period, specifically probing EtherNet/IP and Modbus protocols commonly used in operational technology environments. Assessment indicates LOW threat level with potential for escalation to more sophisticated ICS attacks. Network defenders should implement enhanced monitoring of industrial protocol traffic and review OT network segmentation.
Activity Timeline
INITIAL REPORT 2026-03-23T09:01:51Z
Source: Analyst Manual Entry
Threat actor at 185.247.137.40 conducted reconnaissance scanning targeting industrial control systems over a 32-day period, specifically probing EtherNet/IP and Modbus protocols commonly used in operational technology environments. Assessment indicates LOW threat level with potential for escalation to more sophisticated ICS attacks. Network defenders should implement enhanced monitoring of industrial protocol traffic and review OT network segmentation.
Technical details
Actor conducted 20 scanning events between February 19, 2026 17:00 and March 23, 2026 04:00 (UTC), targeting 4 unique destination ports. Observed probes were EtherNet/IP List Identity requests (encapsulation command 0x0063, the standard device-discovery request, normally sent to port 44818 and often over UDP) and Modbus/TCP probes on port 502 (reported as broadcast-style requests, i.e. unit ID 0), consistent with MITRE ATT&CK technique T1046 (Network Service Discovery). Source infrastructure operates from Leeds, GB via AS211298 (Driftnet Ltd) and carries the maximum AbuseIPDB abuse-confidence score (100). Driftnet Ltd runs commercial internet-wide measurement scanning, so that score reflects a high volume of scan reports rather than confirmed intrusion activity; this is why the threat level is assessed LOW despite the ICS-specific port selection. The observed pattern progressed from generic internet measurement scanning to targeted industrial protocol enumeration. The practical concern is not the scanner itself but what it found: any host that completed a handshake or answered a List Identity request on these ports is an exposed OT asset whose inventory details are now known to a third party.
IOCs
IP: 185.247.137.40
ASN: 211298
COUNTRY: GB
Recommendations
- Block traffic from 185.247.137.40 and monitor for additional scanning activity from the AS211298 network range. Blocking removes the noise but not the exposure: identify which internal hosts responded on 502 or 44818 (completed TCP handshakes, or UDP replies to List Identity) and remediate or firewall those services first
- Implement enhanced logging and alerting for EtherNet/IP (port 44818, both TCP and UDP, since List Identity discovery is commonly sent over UDP) and Modbus (port 502/tcp) protocol anomalies, in particular any source outside the OT network contacting these ports, and Modbus requests addressed to unit ID 0
- Review network segmentation between IT and OT environments to limit industrial protocol exposure
- Deploy industrial protocol-aware intrusion detection systems to identify unauthorized EtherNet/IP and Modbus communications
- Conduct threat hunting for similar reconnaissance patterns targeting industrial control system protocols across the enterprise
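The detection logic the technical details and recommendations describe, as an added example (not part of the original report or any vendor tool): it flags a single source touching ICS ports on several distinct hosts (T1046-style sweep), then decodes the two probe types named above, an EtherNet/IP List Identity request and a Modbus/TCP Read Device Identification request sent to unit ID 0. The Zeek-style conn.log rows and both payloads are constructed for illustration; the internal addresses, the extra DNP3/S7comm ports and the `min_targets` threshold are assumptions, not data from the report.

```python
"""Flag ICS-protocol reconnaissance in flow logs and decode the probes seen."""
import struct
from collections import defaultdict

# Ports named in the report (502, 44818) plus two other common ICS ports (assumed).
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm", 20000: "DNP3"}
ENIP_LIST_IDENTITY = 0x0063   # EtherNet/IP encapsulation command "ListIdentity"
MODBUS_FC_ENCAP = 0x2B        # Modbus function 43 (Encapsulated Interface Transport)
MODBUS_MEI_READ_DEV_ID = 0x0E # MEI type 14: Read Device Identification

# Constructed Zeek-style conn.log records, tab separated:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state. Not real log data.
SAMPLE_CONN_LOG = """\
1771520400.0\t185.247.137.40\t51022\t203.0.113.10\t44818\tudp\tS0
1771520401.0\t185.247.137.40\t51023\t203.0.113.11\t44818\tudp\tS0
1771520402.0\t185.247.137.40\t51024\t203.0.113.12\t502\ttcp\tREJ
1771520403.0\t185.247.137.40\t51025\t203.0.113.13\t502\ttcp\tS1
1771520404.0\t185.247.137.40\t51026\t203.0.113.14\t20000\ttcp\tREJ
1771520405.0\t10.10.5.20\t40001\t10.10.7.3\t502\ttcp\tSF
1771520406.0\t10.10.5.20\t40002\t10.10.7.3\t502\ttcp\tSF
1771520407.0\t198.51.100.7\t33000\t203.0.113.10\t443\ttcp\tSF
"""

# Constructed probe payloads (hypothetical captures, byte layouts per the two protocol specs).
# ENIP header: command(2 LE) length(2) session(4) status(4) sender context(8) options(4).
LIST_IDENTITY_REQ = bytes.fromhex("6300" "0000" "00000000" "00000000"
                                  "0000000000000000" "00000000")
# MBAP: txn id(2 BE) protocol id(2, must be 0) length(2) unit id(1); then FC, MEI, code, obj.
MODBUS_DEVID_PROBE = bytes.fromhex("0001" "0000" "0005" "00" "2b" "0e" "01" "00")


def parse_conn_log(text):
    """Parse the tab-separated conn.log subset into dicts, skipping comment lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, oh, op, rh, rp, proto, state = line.split("\t")
        rows.append({"ts": float(ts), "src": oh, "dst": rh,
                     "dport": int(rp), "proto": proto, "state": state})
    return rows


def find_ics_sweeps(rows, min_targets=3):
    """T1046-style sweep: one source touching ICS ports on >= min_targets distinct hosts."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for r in rows:
        if r["dport"] in ICS_PORTS:
            targets[r["src"]].add(r["dst"])
            ports[r["src"]].add(r["dport"])
    return {src: {"hosts": sorted(hosts),
                  "protocols": sorted(ICS_PORTS[p] for p in ports[src])}
            for src, hosts in targets.items() if len(hosts) >= min_targets}


def decode_enip(payload):
    """Parse the 24-byte EtherNet/IP encapsulation header; None if too short."""
    if len(payload) < 24:
        return None
    cmd, length, session, status = struct.unpack_from("<HHII", payload, 0)
    # A ListIdentity *request* carries no data and needs no session handle.
    return {"command": cmd, "length": length,
            "list_identity": cmd == ENIP_LIST_IDENTITY,
            "is_request": cmd == ENIP_LIST_IDENTITY and length == 0 and session == 0}


def decode_modbus(payload):
    """Parse MBAP header plus function code; unit ID 0 is the Modbus broadcast address."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit, func = struct.unpack_from(">HHHBB", payload, 0)
    if pid != 0:
        return None  # protocol identifier is always 0 for Modbus/TCP
    dev_id_probe = (func == MODBUS_FC_ENCAP and len(payload) > 8
                    and payload[8] == MODBUS_MEI_READ_DEV_ID)
    return {"unit_id": unit, "function": func, "broadcast": unit == 0,
            "device_id_probe": dev_id_probe}


if __name__ == "__main__":
    for src, info in find_ics_sweeps(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"ICS sweep from {src}: {len(info['hosts'])} hosts, {info['protocols']}")
    print("ENIP:", decode_enip(LIST_IDENTITY_REQ))
    print("Modbus:", decode_modbus(MODBUS_DEVID_PROBE))
```

In the sample data only 185.247.137.40 crosses the three-host threshold; the internal engineering host polling one PLC on 502 does not, which is the distinction the rule needs to make in a real OT network. The two decoders are what a protocol-aware sensor does at the start of each session; feeding them the payload of any inbound 44818/502 connection from outside the OT segment, and alerting on `is_request` or `broadcast`, covers the probes this actor sent.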