Summary (Bottom Line Up Front)
A US-based threat actor (3.131.220.121) conducted sustained reconnaissance against industrial control systems and network infrastructure over a 20-day period, employing Modbus protocol attacks and FortiGate device enumeration. The activity demonstrates a HIGH threat level with 85% confidence, indicating a potential precursor to targeted ICS/SCADA exploitation. Immediate defensive measures are recommended for organizations operating industrial networks.
Activity Timeline
UPDATE 2 2026-03-16T15:58:52Z
Source: Analyst Manual Entry
A US-based threat actor (3.131.220.121) conducted sustained reconnaissance against industrial control systems and network infrastructure over a 20-day period, employing Modbus protocol attacks and FortiGate device enumeration. The activity demonstrates a HIGH threat level with 85% confidence, indicating a potential precursor to targeted ICS/SCADA exploitation. Immediate defensive measures are recommended for organizations operating industrial networks.
New findings
The threat actor generated 394 security events between February 24, 2026 07:00 and March 16, 2026 08:00, targeting 9 unique destination ports across multiple protocols including Modbus, Oracle/TNS, SSH, TLS, SMB, and SMTP. Primary attack vectors included Modbus Function Code 43 (Read Device Identification) with broadcast addressing for ICS device enumeration and FortiGate login page reconnaissance. Activity maps to MITRE ATT&CK technique T0846 (Remote System Discovery) within the reconnaissance phase of the cyber kill chain. The source IP maintains a maximum AbuseIPDB reputation score of 100/100, indicating confirmed malicious activity across multiple threat intelligence sources.
Recommendations
- Block IP address 3.131.220.121 at network perimeters and implement geo-blocking for non-essential US traffic if operationally feasible
- Monitor and restrict Modbus Function Code 43 traffic, particularly broadcast requests targeting multiple ICS devices simultaneously
- Review FortiGate device configurations for unauthorized access attempts and ensure multi-factor authentication is enabled for administrative interfaces
- Implement network segmentation between IT and OT environments to limit lateral movement from compromised systems
- Conduct immediate asset inventory of Modbus-enabled devices and verify they are not directly accessible from internet-facing networks
UPDATE 1 2026-03-16T15:53:34Z
Source: Analyst Manual Entry
A US-based threat actor (3.131.220.121) conducted sustained reconnaissance against industrial control systems over a 20-day period, employing Modbus protocol exploitation and Fortinet device enumeration techniques. The activity demonstrates a HIGH threat level with 85% confidence, indicating a potential precursor to targeted ICS/SCADA attacks. Immediate defensive measures are recommended for organizations operating industrial networks.
New findings
The threat actor generated 394 malicious events between February 24, 2026 07:00 and March 16, 2026 08:00, targeting 9 unique destination ports across multiple protocols including HTTP, Modbus, Oracle/TNS, SSH, TLS, SMB, and SMTP. Primary attack vectors included Modbus Function Code 43 (Read Device Identification) with broadcast addressing for industrial device enumeration and Fortinet login page reconnaissance. The campaign maps to MITRE ATT&CK technique T0846 (Remote System Discovery) within the Reconnaissance kill chain phase. The source IP maintains a maximum AbuseIPDB reputation score of 100/100, indicating established malicious infrastructure. Attack patterns demonstrate a systematic approach to ICS network mapping and vulnerability identification.
Recommendations
- Implement network segmentation to isolate industrial control systems from corporate networks and restrict Modbus protocol access to authorized systems only
- Deploy industrial protocol-aware monitoring solutions to detect anomalous Modbus Function Code 43 requests and broadcast traffic patterns
- Block traffic from 3.131.220.121 at network perimeters and review logs for any successful connections from this source
- Conduct immediate security assessment of Fortinet devices for unauthorized access attempts and ensure latest firmware updates are applied
- Establish baseline monitoring for industrial protocol communications to identify future reconnaissance activities targeting ICS/SCADA infrastructure
INITIAL REPORT 2026-03-10T14:45:56Z
Source: Analyst Manual Entry
An external threat actor at IP 3.131.220.121 conducted targeted reconnaissance against industrial control systems using Modbus protocol enumeration techniques between February 24 and March 9, 2026. This activity represents a HIGH confidence threat indicating potential preparation for ICS/SCADA attacks. Organizations operating industrial networks should immediately implement enhanced monitoring and access controls for Modbus-enabled devices.
Technical details
The threat actor executed 241 attack events over a 13-day period, primarily targeting industrial control systems through Modbus Function Code 43 (Read Device Identification) queries with broadcast addressing. Activity spanned multiple protocols including HTTP, SSH, TLS, SMTP, and Modbus, targeting 6 unique destination ports. Attack patterns align with MITRE ATT&CK technique T0846 (Remote System Discovery) within the Reconnaissance phase of the industrial attack kill chain. The multi-protocol approach and sustained activity duration suggest systematic network mapping consistent with advanced persistent threat (APT) methodologies. Key indicators include Modbus broadcast enumeration attempts and device identification queries designed to map ICS network topology.
IOCs
IP: 3.131.220.121
Recommendations
- Block traffic from IP 3.131.220.121 at network perimeters and implement monitoring for similar Modbus enumeration patterns
- Deploy network segmentation between IT and OT environments, restricting Modbus traffic to authorized communication paths only
- Enable enhanced logging for Modbus Function Code 43 requests and implement alerting for broadcast addressing attempts
- Conduct immediate asset inventory of all Modbus-enabled devices and verify current patch levels and security configurations
- Review and strengthen authentication mechanisms for industrial control system access, implementing multi-factor authentication where feasible
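The recommendations in all three entries call for logging and alerting on Modbus Function Code 43 (Read Device Identification) requests, especially ones using broadcast addressing or fanning out across many devices. The following Python is an added detection example written for this page; it is not tooling from the report's source or from any vendor named above. It parses Modbus/TCP frames (MBAP header plus PDU), recognises FC 43 with MEI type 0x0E, and raises an alert when a source sends such probes to the broadcast unit identifier or to more than one destination. Treating unit identifier 0 as the broadcast address follows the Modbus application protocol convention and is an assumption here; the IP addresses and frames are constructed sample data, not observed traffic.

```python
"""Flag Modbus/TCP Read Device Identification probes (FC 43 / MEI 0x0E).

Added example for this report, not analyst or vendor tooling. Sample traffic below
is constructed; unit identifier 0 is treated as the broadcast address (assumption).
"""
import struct
from collections import defaultdict

FC_ENCAPSULATED_INTERFACE = 0x2B   # Modbus function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type: Read Device Identification
BROADCAST_UNIT_ID = 0              # assumption: unit id 0 addresses every device


def parse_modbus_tcp(frame: bytes):
    """Parse one Modbus/TCP ADU. Returns a dict, or None if the frame is malformed."""
    if len(frame) < 8:                      # 7-byte MBAP header + at least a function code
        return None
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:                       # Modbus protocol identifier is always 0
        return None
    if length != len(frame) - 6:            # length field covers unit id + PDU
        return None
    pdu = frame[7:]
    rec = {"tid": tid, "unit_id": unit_id, "function": pdu[0],
           "mei_type": None, "read_dev_id_code": None, "object_id": None}
    if pdu[0] == FC_ENCAPSULATED_INTERFACE and len(pdu) >= 4:
        rec["mei_type"] = pdu[1]            # 0x0E = Read Device Identification
        rec["read_dev_id_code"] = pdu[2]    # 1 basic, 2 regular, 3 extended, 4 specific
        rec["object_id"] = pdu[3]           # 0x00 = VendorName, 0x01 = ProductCode, ...
    return rec


def is_device_id_probe(rec) -> bool:
    """True when the parsed record is an FC 43 Read Device Identification request."""
    return (rec is not None
            and rec["function"] == FC_ENCAPSULATED_INTERFACE
            and rec["mei_type"] == MEI_READ_DEVICE_ID)


def analyze(flows, broadcast_threshold=1):
    """flows: iterable of (src_ip, dst_ip, frame_bytes). Returns {src_ip: alert}."""
    stats = defaultdict(lambda: {"probes": 0, "broadcast_probes": 0, "targets": set()})
    for src, dst, frame in flows:
        rec = parse_modbus_tcp(frame)
        if not is_device_id_probe(rec):
            continue                        # benign reads/writes are not counted
        s = stats[src]
        s["probes"] += 1
        s["targets"].add(dst)
        if rec["unit_id"] == BROADCAST_UNIT_ID:
            s["broadcast_probes"] += 1
    alerts = {}
    for src, s in stats.items():
        reasons = []
        if s["broadcast_probes"] >= broadcast_threshold:
            reasons.append("broadcast_read_device_id")
        if len(s["targets"]) > 1:           # one source enumerating several devices
            reasons.append("multi_target_enumeration")
        if reasons:
            alerts[src] = {"probes": s["probes"], "broadcast_probes": s["broadcast_probes"],
                           "targets": sorted(s["targets"]), "reasons": reasons}
    return alerts


def build_frame(tid: int, unit_id: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU for the constructed sample data."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic (documentation IP ranges, not the report's indicator).
PROBE_PDU = bytes([0x2B, 0x0E, 0x01, 0x00])            # FC43, MEI 0x0E, basic, VendorName
READ_HOLDING = bytes([0x03, 0x00, 0x00, 0x00, 0x0A])   # FC3 read of 10 holding registers

SAMPLE_FLOWS = [
    ("203.0.113.10", "192.0.2.21", build_frame(1, 0, PROBE_PDU)),   # broadcast probe
    ("203.0.113.10", "192.0.2.22", build_frame(2, 0, PROBE_PDU)),   # broadcast probe
    ("203.0.113.10", "192.0.2.23", build_frame(3, 1, PROBE_PDU)),   # unicast probe
    ("192.0.2.5", "192.0.2.21", build_frame(4, 1, READ_HOLDING)),   # normal HMI poll
    ("192.0.2.5", "192.0.2.21", build_frame(5, 1, PROBE_PDU)),      # single FC43, one unit
]

if __name__ == "__main__":
    for src, alert in analyze(SAMPLE_FLOWS).items():
        print(src, alert)
```

On the sample data only the external source is reported: it sent two broadcast probes and touched three distinct hosts, while the in-network HMI's single unicast FC 43 request to one unit stays below both thresholds. Feeding the same function from a packet capture (for example, by handing it TCP payloads on port 502 keyed by source and destination) gives the baseline the entries recommend, and the thresholds can be tuned to the number of devices a legitimate engineering workstation normally queries.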