185.247.137.53

Summary (Bottom Line Up Front)

A host at 185.247.137.53 conducted reconnaissance against industrial control systems using the Siemens S7comm protocol between 28 February and 4 March 2026, sending COTP connection requests of the kind used to enumerate Siemens PLCs. The analyst assessed the threat level as HIGH and noted the potential for zero-day exploitation against SCADA infrastructure. Immediate hardening of ICS networks and enhanced monitoring of S7comm traffic (on TCP/102 and on the non-standard port observed here) is recommended.

Tags: HTTP, RDP, TCP, TCP/SYN, auto
Activity Timeline
INITIAL REPORT 2026-03-10T13:28:56Z
Source: Analyst Manual Entry
Technical details
  • Source: 185.247.137.53 (AS211298 Driftnet Ltd, Leeds, GB)
  • Attack Vector: S7comm COTP connection requests targeting TCP port 9001. Note that S7comm normally rides ISO-on-TCP (RFC 1006 TPKT/COTP) on TCP/102; probes on 9001 should be confirmed from the payload (a COTP Connection Request TPDU, type 0xE0) rather than from the port alone
  • Volume: 24 events over a 5-day period (Feb 28 04:00 to Mar 4 12:00 UTC)
  • Protocols: HTTP, RDP and raw TCP/SYN probing alongside the industrial-protocol activity, which is the focus of this report
  • MITRE ATT&CK for ICS Technique: T0846 (Remote System Discovery)
  • Assessment: 78% analyst confidence in the HIGH threat rating; estimated 35% probability that the actor holds a zero-day capability
  • IOCs: multiple COTP connection attempts consistent with Siemens PLC enumeration (a connection request is the first step of an S7 session, so a spray of them across many hosts indicates discovery rather than established sessions)
  • Infrastructure: open services on the source host on ports 53 (DNS), 80 (HTTP) and 5061 (SIP over TLS), suggesting a multi-purpose scanning or attack platform. Before treating the activity as targeted, check whether the ASN belongs to a known internet-wide scanning operator, since research scanners show the same port sweep pattern
IOCs
IP: 185.247.137.53
ASN: 211298
Country: GB
Recommendations
  • Implement network segmentation to isolate ICS/SCADA systems from corporate networks and internet-facing infrastructure; no PLC should be reachable from the internet on TCP/102 or any other port
  • Deploy ICS protocol monitoring that inspects payloads (not just ports) to detect unauthorized S7comm, Modbus and other industrial protocol communications
  • Block traffic from 185.247.137.53 and alert on COTP connection requests from any external source, whether on TCP/102 or on non-standard ports such as the 9001 seen here
  • Review and harden Siemens PLC configurations: change default credentials, enable the CPU access-level protection the model supports, and disable unnecessary network services
  • Establish a baseline of legitimate S7comm traffic (which engineering workstations and HMIs talk to which PLCs, and how often) so that a new source opening sessions to many PLCs stands out as anomalous
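The connection-request probing described in the technical details, and the payload-aware, port-agnostic monitoring the recommendations ask for, as an added example that is not part of the original report: a small Python parser for TPKT/COTP Connection Request TPDUs that decodes Siemens-style TSAPs, plus a detector that flags any source sending such requests to several distinct hosts within a time window (the T0846 discovery pattern). The flow records, internal addresses (10.10.0.0/16), payload bytes, threshold and window are all constructed for illustration; the actual traffic from 185.247.137.53 is not reproduced here.

```python
"""Port-agnostic detection of S7comm (ISO-on-TCP) connection-request sweeps.
Added example over constructed flow records; not from the original report."""
import struct
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TPKT_VERSION = 0x03      # RFC 1006 TPKT version byte
COTP_CR_CODE = 0xE0      # COTP Connection Request TPDU (high nibble 0xE)
PARAM_TPDU_SIZE = 0xC0   # value is log2 of the max TPDU size
PARAM_SRC_TSAP = 0xC1
PARAM_DST_TSAP = 0xC2


@dataclass(frozen=True)
class CotpConnectRequest:
    src_tsap: bytes
    dst_tsap: bytes
    tpdu_size: Optional[int]

    def s7_target(self) -> Optional[str]:
        """Decode a Siemens-style destination TSAP: first byte 1=PG, 2=OP, 3=S7 basic;
        second byte carries rack in the high 3 bits and slot in the low 5 bits."""
        if len(self.dst_tsap) != 2 or self.dst_tsap[0] not in (1, 2, 3):
            return None
        kind = {1: "PG", 2: "OP", 3: "S7"}[self.dst_tsap[0]]
        rack, slot = self.dst_tsap[1] >> 5, self.dst_tsap[1] & 0x1F
        return f"{kind} rack={rack} slot={slot}"


def parse_cotp_cr(payload: bytes) -> Optional[CotpConnectRequest]:
    """Return the CR if payload is a well-formed TPKT + COTP Connection Request,
    else None. Only the bytes are examined, so the TCP port does not matter."""
    if len(payload) < 11 or payload[0] != TPKT_VERSION or payload[1] != 0x00:
        return None
    (tpkt_len,) = struct.unpack(">H", payload[2:4])
    if tpkt_len != len(payload):          # truncated or padded segment
        return None
    li, code = payload[4], payload[5]
    if code & 0xF0 != COTP_CR_CODE:
        return None
    end = 5 + li                           # LI counts the bytes after itself
    if li < 6 or end > len(payload):       # fixed CR part is 6 bytes after LI
        return None
    params: Dict[int, bytes] = {}
    pos = 11                               # variable part starts after the fixed part
    while pos + 2 <= end:
        pcode, plen = payload[pos], payload[pos + 1]
        if pos + 2 + plen > end:
            return None
        params[pcode] = payload[pos + 2:pos + 2 + plen]
        pos += 2 + plen
    if pos != end:
        return None
    size = params.get(PARAM_TPDU_SIZE)
    return CotpConnectRequest(
        src_tsap=params.get(PARAM_SRC_TSAP, b""),
        dst_tsap=params.get(PARAM_DST_TSAP, b""),
        tpdu_size=(1 << size[0]) if size and len(size) == 1 else None,
    )


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    payload: bytes


def find_s7_sweeps(flows: List[Flow], min_targets: int = 3,
                   window: timedelta = timedelta(hours=1)) -> Dict[str, List[str]]:
    """Sources that send S7-style COTP CRs to >= min_targets distinct hosts
    within `window`. Returns {src: sorted destination hosts}."""
    events = defaultdict(list)
    for f in flows:
        cr = parse_cotp_cr(f.payload)
        if cr is None or cr.s7_target() is None:
            continue
        events[f.src].append((f.ts, f.dst))
    hits: Dict[str, List[str]] = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            targets = {d for t, d in evs[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


# Constructed sample payloads: a typical S7 CR (TPDU size 1024, dst TSAP 01 02 = PG, rack 0 slot 2)
S7_CR_SLOT2 = bytes.fromhex("0300001611e00000000100c0010ac1020100c2020102")
S7_CR_SLOT1 = bytes.fromhex("0300001611e00000000100c0010ac1020100c2020101")
T0 = datetime(2026, 2, 28, 4, 0)
SAMPLE_FLOWS = [  # constructed; addresses and timing are illustrative
    Flow(T0, "185.247.137.53", "10.10.1.11", 9001, S7_CR_SLOT2),
    Flow(T0 + timedelta(minutes=2), "185.247.137.53", "10.10.1.12", 102, S7_CR_SLOT2),
    Flow(T0 + timedelta(minutes=5), "185.247.137.53", "10.10.1.13", 102, S7_CR_SLOT1),
    Flow(T0 + timedelta(minutes=7), "185.247.137.53", "10.10.1.14", 9001, b"GET / HTTP/1.1\r\n\r\n"),
    Flow(T0 + timedelta(minutes=9), "10.10.0.5", "10.10.1.11", 102, S7_CR_SLOT2),   # engineering workstation
    Flow(T0 + timedelta(hours=3), "10.10.0.5", "10.10.1.12", 102, S7_CR_SLOT2),     # second PLC, outside window
]

if __name__ == "__main__":
    for src, dsts in find_s7_sweeps(SAMPLE_FLOWS).items():
        print(f"S7 discovery sweep from {src}: {', '.join(dsts)}")
```

The HTTP request to port 9001 is ignored because it is not a TPKT/COTP frame, while the S7 request on 9001 counts the same as those on TCP/102; the engineering workstation that opens one PLC session per shift never reaches the threshold. Tune `min_targets` and `window` against the baseline recommended above.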