Summary (Bottom Line Up Front)
A sophisticated threat actor operating from Netherlands-based infrastructure (45.142.193.232), an address carrying a 100/100 AbuseIPDB reputation score, conducted a sustained credential harvesting and authentication attack campaign over 48 hours that generated 981 security events. The actor demonstrated advanced capabilities by targeting SSH services, router default credentials, and industrial control systems using the MODBUS protocol. Immediate defensive measures are recommended to protect authentication systems and critical infrastructure assets.
Activity Timeline
INITIAL REPORT 2026-03-10T14:25:01Z
Source: Analyst Manual Entry
Technical details
The threat actor leveraged multiple attack vectors, including credential stuffing (33 instances), router default credential exploitation (7 instances), and a targeted MODBUS attack against Schneider Unity systems (1 instance). Attack traffic used TCP, TLS 1.0, HTTP, and HTTPS and targeted port 22 (SSH) exclusively. The campaign maps to MITRE ATT&CK techniques T1110 (Brute Force), T1078 (Valid Accounts), and T1190 (Exploit Public-Facing Application). The actor's infrastructure shows the characteristics of a dedicated attack platform: Linux-based systems with no VPN obfuscation, suggesting confidence in operational security.
IOCs
IP: 45.142.193.232
ASN: 214295
COUNTRY: NL
Recommendations
- Immediately block IP address 45.142.193.232 and monitor for additional activity from AS214295 (Limited Network LTD)
- Implement multi-factor authentication on all SSH services and disable default credentials on network infrastructure devices
- Deploy enhanced monitoring for MODBUS protocol traffic and implement network segmentation for industrial control systems
- Review authentication logs for the period of February 28, 2026 09:00 through March 1, 2026 23:00 for potential compromise indicators
- Consider implementing rate limiting and account lockout policies for authentication attempts across all public-facing services
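A log-review check for the window and source address named above, added here as an example and not part of the report: it assumes rsyslog's ISO-timestamp file format and runs over constructed sshd lines, counting failed logins per account from the reported IP inside the window and surfacing any accepted login from it, which would be a compromise indicator.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Source IP and review window as stated in the report.
SUSPECT_IP = "45.142.193.232"
WINDOW_START = datetime(2026, 2, 28, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 1, 23, 0, tzinfo=timezone.utc)

# rsyslog high-precision file format: ISO timestamp, host, sshd[pid]: message
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = """\
2026-02-28T08:59:00+00:00 bastion sshd[4101]: Failed password for root from 45.142.193.232 port 40001 ssh2
2026-02-28T09:12:01+00:00 bastion sshd[4102]: Failed password for invalid user admin from 45.142.193.232 port 40002 ssh2
2026-02-28T09:12:03+00:00 bastion sshd[4103]: Failed password for invalid user admin from 45.142.193.232 port 40003 ssh2
2026-02-28T09:12:05+00:00 bastion sshd[4104]: Failed password for root from 45.142.193.232 port 40004 ssh2
2026-02-28T10:30:00+00:00 bastion sshd[4201]: Accepted publickey for deploy from 10.0.0.5 port 52000 ssh2
2026-03-01T02:41:17+00:00 bastion sshd[4301]: Accepted password for root from 45.142.193.232 port 40105 ssh2
2026-03-01T23:30:00+00:00 bastion sshd[4401]: Failed password for root from 45.142.193.232 port 40200 ssh2
"""


def review_auth_log(text, ip=SUSPECT_IP, start=WINDOW_START, end=WINDOW_END):
    """Count failed logins per account from `ip` inside [start, end] and
    collect any accepted login from it (timestamp, user, auth method)."""
    failed = Counter()
    accepted = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line
        ts = datetime.fromisoformat(m.group("ts"))
        if not (start <= ts <= end):
            continue  # outside the review window
        a = AUTH_RE.search(m.group("msg"))
        if not a or a.group("ip") != ip:
            continue  # not an auth event, or from another address
        if a.group("result") == "Failed":
            failed[a.group("user")] += 1
        else:
            accepted.append((ts.isoformat(), a.group("user"), a.group("method")))
    return {"failed_by_user": dict(failed), "accepted": accepted}


if __name__ == "__main__":
    print(review_auth_log(SAMPLE_LOG))
```

Any entry in `accepted` means the reported address authenticated successfully during the window and the account involved should be treated as compromised until shown otherwise.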