3.151.241.153

Summary (Bottom Line Up Front)

A threat actor operating from US-hosted infrastructure (3.151.241.153) conducted sustained reconnaissance from February 17 to March 8, 2026 against industrial control systems (ICS) and Kubernetes environments, including protocol-confusion probes in which SMB1 traffic was sent to Modbus services. This HIGH-severity campaign indicates deliberate interest in operational technology (OT) targets and a risk of lateral movement into critical infrastructure. Organizations should immediately review network segmentation between IT and OT environments and add monitoring for cross-protocol probing.

Tags: HTTP, Modbus, Unknown, HTTPS, Oracle
Activity Timeline
INITIAL REPORT 2026-03-10T14:38:01Z
Source: Analyst Manual Entry
Technical details
The actor generated 19 events over the 19-day window, repeatedly probing several services: HTTP/HTTPS, Modbus (TCP/502, the industrial control protocol) and Oracle database listeners. The principal activity was service discovery against Kubernetes dashboards (mapped to T1046, Network Service Discovery, formerly named Network Service Scanning in ATT&CK) and SMB1 negotiation attempts aimed at industrial [REDACTED]s. The cross-protocol element is the notable part: SMB1 negotiate requests were sent to Modbus endpoints, that is, a Windows file-sharing handshake directed at a port that speaks neither SMB nor NetBIOS. Read one way, this shows awareness of OT/ICS network layout. A practitioner should also weigh that generic service-fingerprinting scanners fire SMB negotiate probes at any port that answers, so the cross-protocol traffic alone does not prove ICS-specific intent; the assessment rests on the sustained, repeated targeting of Modbus and Kubernetes endpoints across the full period. Key IOC: 3.151.241.153 (AbuseIPDB confidence score 100/100, geolocated to the US, not identified as VPN or proxy infrastructure).
IOCs
IP: 3.151.241.153
Country: US
Recommendations
  • Enforce segmentation between OT/ICS networks and IT infrastructure, and block SMB1 (ideally all SMB) into industrial control system subnets; SMB1 should be disabled on the IT side regardless, since it is deprecated and offers no modern protections
  • Deploy monitoring for cross-protocol probing, in particular SMB traffic directed at non-Windows industrial devices and Kubernetes API or dashboard requests originating outside the management network
  • Audit Kubernetes dashboard exposure immediately: remove public-facing dashboards, require authentication for any that remain, and restrict them to the management network
  • Review ICS access controls so that Modbus (TCP/502) and similar OT protocols are reachable only from authorized management networks; Modbus carries no authentication of its own, so network reachability is equivalent to control of the device
  • Block 3.151.241.153 at the network perimeter and search firewall, proxy, Kubernetes audit and ICS gateway logs for the address between February 17 and March 8, 2026 to identify any completed sessions or follow-on activity
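The detection logic described in the technical details (SMB1 negotiate traffic aimed at Modbus ports) together with the monitoring and correlation recommendations above, as an added worked example written for this page; it is not code from the original report or from any vendor product. The log line format, the 10.50.0.0/16 OT subnet, the 10.10.0.0/24 management subnet, the Kubernetes port list and the persistence thresholds are assumptions chosen for illustration, and the sample log is constructed rather than captured traffic.

```python
"""Flag cross-protocol probes against ICS subnets and correlate an IOC in flow logs.

Added example for this report; not part of the original page. The log line
format, subnets, port lists and thresholds below are assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

IOC_IPS = {"3.151.241.153"}                               # from the IOC section
ICS_SUBNETS = [ipaddress.ip_network("10.50.0.0/16")]      # assumed OT/ICS range
MGMT_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]     # assumed authorised admin range
MODBUS_PORT = 502
SMB_PORTS = {139, 445}
K8S_PORTS = {6443, 8443, 10250}                           # assumed API / dashboard / kubelet

# SMB1 header: "\xffSMB" followed by the command byte; 0x72 is SMB_COM_NEGOTIATE.
SMB1_NEGOTIATE = b"\xffSMB\x72"


class Flow(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes   # first bytes the client sent, hex-encoded in the log


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: ts src sport dst dport hex_payload_prefix."""
    ts, src, sport, dst, dport, payload_hex = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), bytes.fromhex(payload_hex))


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def is_smb1_negotiate(payload: bytes) -> bool:
    """SMB1 negotiate: optional 4-byte NetBIOS session header, then \\xffSMB, command 0x72."""
    return SMB1_NEGOTIATE in payload[:12]


def classify(flow: Flow) -> list:
    """Return zero or more (rule, severity) findings for a single flow."""
    findings = []
    if flow.src in IOC_IPS:
        findings.append(("ioc_source", "high"))
    if in_any(flow.dst, ICS_SUBNETS):
        if is_smb1_negotiate(flow.payload):
            if flow.dport not in SMB_PORTS:
                # SMB negotiate aimed at a non-SMB port on an OT host: the
                # report's protocol-confusion pattern (SMB1 toward Modbus).
                sev = "high" if flow.dport == MODBUS_PORT else "medium"
                findings.append(("smb1_negotiate_to_ics_port", sev))
            else:
                # Ordinary SMB1 into the OT subnet: policy says block it anyway.
                findings.append(("smb1_to_ics_subnet", "low"))
        if flow.dport == MODBUS_PORT and not in_any(flow.src, MGMT_SUBNETS):
            findings.append(("modbus_from_unauthorised_source", "medium"))
    if flow.dport in K8S_PORTS and not in_any(flow.src, MGMT_SUBNETS):
        findings.append(("k8s_control_plane_probe", "medium"))
    return findings


def persistent_sources(flows, min_days=3, min_services=3) -> dict:
    """Sources seen on >= min_days distinct days against >= min_services distinct ports."""
    days, ports = defaultdict(set), defaultdict(set)
    for f in flows:
        days[f.src].add(f.ts[:10])
        ports[f.src].add(f.dport)
    return {src: (len(days[src]), len(ports[src]))
            for src in days
            if len(days[src]) >= min_days and len(ports[src]) >= min_services}


def analyse(lines):
    """Return ([(flow, findings), ...], {src: (days, ports)}) for the given log lines."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    return [(f, classify(f)) for f in flows], persistent_sources(flows)


# Constructed sample log (not captured traffic). Modbus on 502, Kubernetes API on 6443.
SAMPLE_LOG = """
2026-02-17T03:14:00Z 3.151.241.153 51234 10.50.3.7 502 00000054ff534d4272000000
2026-02-20T11:02:09Z 3.151.241.153 51990 10.20.1.4 6443 160301
2026-03-01T22:45:31Z 3.151.241.153 52877 10.20.1.4 443 160301
2026-03-02T09:00:00Z 10.10.0.15 40001 10.50.3.7 502 000000000006
2026-03-02T09:00:05Z 10.10.0.15 40002 10.50.3.8 445 00000054ff534d4272000000
2026-03-08T08:05:12Z 3.151.241.153 53010 10.50.3.7 502 000000
"""

if __name__ == "__main__":
    per_flow, persistent = analyse(SAMPLE_LOG.strip().splitlines())
    for flow, findings in per_flow:
        if findings:
            print(f"{flow.ts} {flow.src}->{flow.dst}:{flow.dport} {findings}")
    print("persistent reconnaissance sources:", persistent)
```

The first sample line carries a NetBIOS session header followed by an SMB1 negotiate request aimed at TCP/502, which is the exact pattern the report describes; the management host's SMB1 session to port 445 is flagged only at low severity because it is a policy violation rather than a cross-protocol probe. The persistence summary reproduces the report's own reasoning (many days, several distinct services from one source) and is what separates a patient actor from a one-off scanner.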