193.46.255.147

Summary (Bottom Line Up Front)

A Romania-based threat actor operating from 193.46.255.147 conducted a sophisticated multi-protocol reconnaissance campaign targeting industrial control systems, network infrastructure, and IoT devices over a 14-hour period on March 9-10, 2026. The campaign demonstrates advanced capabilities across Modbus, S7comm, MQTT, and enterprise protocols, indicating a CRITICAL threat level with potential APT attribution. Immediate defensive measures are required to protect industrial networks and critical infrastructure assets.

Activity Timeline
INITIAL REPORT 2026-03-10T13:29:48Z
Source: Analyst Manual Entry
Technical details
The threat actor executed 194 attack events targeting 16 unique destination ports using a diverse protocol suite including HTTP/HTTPS, MQTT, Modbus, S7comm, SMB, and TLS variants. Key attack patterns include Modbus broadcast attacks and device identification queries (FC43), S7comm COTP connection requests targeting Siemens PLCs, MQTT wildcard subscription attempts for system topic enumeration, FortiGate VPN appliance reconnaissance, and legacy SMBv1 exploitation attempts. The campaign maps to MITRE ATT&CK techniques T1046 (Network Service Scanning), T1082 (System Information Discovery), and T1135 (Network Share Discovery). Primary IOC: 193.46.255.147 (AS47890 UNMANAGED LTD, Timişoara, RO) with AbuseIPDB confidence score 67/100 and BGP service on port 179.
IOCs
IP:193.46.255.147
ASN:47890
COUNTRY:RO
Recommendations
  • Block 193.46.255.147 and monitor AS47890 (UNMANAGED LTD) for additional malicious activity across all network perimeters
  • Implement network segmentation to isolate industrial control systems from corporate networks and restrict Modbus/S7comm traffic to authorized devices only
  • Disable SMBv1 protocol enterprise-wide and enable advanced logging for MQTT broker access attempts with wildcard subscriptions
  • Deploy industrial protocol-aware intrusion detection systems to monitor for unauthorized Modbus FC43 queries and S7comm connection attempts
  • Conduct immediate asset inventory of FortiGate appliances and industrial control devices to identify potential compromise indicators
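
A sketch of the Modbus monitoring recommended above, as an added example that is not part of the original report: it parses Modbus/TCP frames and flags FC43 Read Device Identification queries, broadcast unit IDs, and sources outside an allowlist. The allowlist address, the sample frames, and the reading of "broadcast" as unit ID 0 are assumptions made for illustration.

```python
import struct

# Assumption: constructed allowlist of authorized Modbus masters (engineering stations).
AUTHORIZED_MASTERS = {"10.0.5.10"}
FC_ENCAPSULATED = 0x2B     # function code 43, Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E  # MEI type for Read Device Identification

def parse_adu(payload):
    """Parse one Modbus/TCP ADU (MBAP header + PDU); return None if malformed."""
    if len(payload) < 8:  # 7-byte MBAP header plus at least a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol ID must be 0; the length field counts the unit ID plus the PDU.
    if proto != 0 or length < 2 or len(payload) < 6 + length:
        return None
    pdu = payload[7:6 + length]
    return {"tid": tid, "unit": unit, "fc": pdu[0], "data": pdu[1:]}

def classify(src_ip, payload):
    """Return the list of findings for one request seen on TCP/502."""
    adu = parse_adu(payload)
    if adu is None:
        return ["malformed-modbus"]
    findings = []
    if src_ip not in AUTHORIZED_MASTERS:
        findings.append("unauthorized-source")
    if adu["fc"] == FC_ENCAPSULATED and adu["data"][:1] == bytes([MEI_READ_DEVICE_ID]):
        findings.append("fc43-read-device-id")
    # Assumption: unit ID 0 (serial-line broadcast behind a gateway) is what
    # the report means by "broadcast".
    if adu["unit"] == 0:
        findings.append("broadcast-unit-id")
    return findings

# Constructed sample frames (not captured traffic).
FC43_QUERY = bytes.fromhex("000100000005012b0e0100")     # unit 1, FC43 / MEI 0x0E
READ_HOLDING = bytes.fromhex("00020000000601030000000a")  # unit 1, FC3, 10 registers
BROADCAST_WRITE = bytes.fromhex("000300000006000600010000")  # unit 0, FC6

def run_samples():
    events = [("193.46.255.147", FC43_QUERY), ("10.0.5.10", READ_HOLDING),
              ("193.46.255.147", BROADCAST_WRITE), ("10.0.5.10", b"\x00\x01")]
    return [(ip, classify(ip, frame)) for ip, frame in events]

if __name__ == "__main__":
    for ip, findings in run_samples():
        print(ip, findings or ["ok"])
```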