Summary (Bottom Line Up Front)
Threat actor operating from IP address 5.79.108.33 conducted targeted reconnaissance against industrial control systems using DNP3 protocol alongside HTTP and TCP scanning activities on March 26, 2026. This represents a MEDIUM threat level due to the specific targeting of critical infrastructure protocols. Organizations operating industrial control systems should immediately review DNP3 network exposure and implement enhanced monitoring.
Activity Timeline
INITIAL REPORT 2026-03-26T15:09:05Z
Source: Analyst Manual Entry
Technical details
Key Findings:
- Attack Volume: 3,478 events concentrated within an 8-second window (05:00-06:00 UTC)
- Protocols Observed: DNP3 (Distributed Network Protocol 3), HTTP, TCP with SYN-ACK responses
- Attack Pattern: High-velocity automated scanning targeting 4 unique destination ports
- Infrastructure Targeting: DNP3 usage indicates specific interest in SCADA/industrial control systems
- MITRE ATT&CK Mapping: T1046 (Network Service Scanning), T1595.002 (Active Scanning: Vulnerability Scanning)
- IOCs: 5.79.108.33 (source IP), DNP3 protocol abuse, compressed timeframe suggesting automated tooling
IOCs
IP: 5.79.108.33
Recommendations
- Immediately audit all DNP3-enabled devices for internet exposure and implement network segmentation to isolate industrial control systems
- Deploy enhanced monitoring for DNP3 traffic patterns and establish baseline behavioral analytics for industrial protocol communications
- Block traffic from 5.79.108.33 at network perimeters and review firewall rules for unnecessary industrial protocol exposure
- Conduct vulnerability assessments on all SCADA/ICS infrastructure and ensure latest security patches are applied
- Implement industrial protocol-aware intrusion detection systems capable of identifying anomalous DNP3, Modbus, and other ICS protocol activities
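As an added illustration of the monitoring recommendation above (this is example code written for this page, not tooling from the report or its analysts), the following Python script flags a source that bursts many connection attempts across several destination ports in a short window and notes whether TCP/20000, the default DNP3 port, was among them. The flow-record format (key=value fields ts, src, dst, dport, proto, flags) and the sample lines are constructed for the example; only the source IP 5.79.108.33 comes from the report.

```python
"""Velocity/port-spread check for scanning that touches DNP3 (TCP/20000).

Example code added for illustration, not part of the original report.
The key=value flow format below is an assumption, not a specific sensor's schema.
"""
from collections import defaultdict
from datetime import datetime, timezone

DNP3_PORT = 20000  # IANA-registered default TCP port for DNP3

# Constructed sample flow records. The first source IP is the IOC from the
# report; timestamps, destinations and ports are invented for the example.
# Port 502 (Modbus default) is included as another ICS port a scanner might probe.
SAMPLE_FLOWS = """\
ts=2026-03-26T05:00:00Z src=5.79.108.33 dst=10.20.0.5 dport=20000 proto=tcp flags=S
ts=2026-03-26T05:00:01Z src=5.79.108.33 dst=10.20.0.5 dport=80 proto=tcp flags=S
ts=2026-03-26T05:00:01Z src=5.79.108.33 dst=10.20.0.6 dport=20000 proto=tcp flags=S
ts=2026-03-26T05:00:02Z src=5.79.108.33 dst=10.20.0.6 dport=443 proto=tcp flags=S
ts=2026-03-26T05:00:03Z src=5.79.108.33 dst=10.20.0.7 dport=502 proto=tcp flags=S
ts=2026-03-26T05:00:04Z src=5.79.108.33 dst=10.20.0.7 dport=20000 proto=tcp flags=S
ts=2026-03-26T05:30:00Z src=10.20.0.50 dst=10.20.0.5 dport=20000 proto=tcp flags=S
ts=2026-03-26T05:45:00Z src=10.20.0.50 dst=10.20.0.5 dport=20000 proto=tcp flags=S
"""


def parse_flow(line):
    """Parse one key=value flow line; ts becomes an aware UTC datetime, dport an int."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(text, window_seconds=10, min_events=5, min_ports=3):
    """Return {src: summary} for sources whose burst looks like automated scanning.

    A source is flagged when, inside some sliding window of `window_seconds`,
    it emits at least `min_events` flows to at least `min_ports` distinct
    destination ports. `touched_dnp3` records whether TCP/20000 was probed,
    which is what makes the finding relevant to ICS operators.
    """
    by_src = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_flow(line)
            by_src[rec["src"]].append(rec)

    hits = {}
    for src, flows in by_src.items():
        flows.sort(key=lambda r: r["ts"])
        best = None
        j = 0
        for i in range(len(flows)):
            if j < i:
                j = i
            # Extend the window end while the next flow still falls within window_seconds.
            while (j + 1 < len(flows)
                   and (flows[j + 1]["ts"] - flows[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            burst = flows[i:j + 1]
            ports = {r["dport"] for r in burst}
            if len(burst) >= min_events and len(ports) >= min_ports:
                if best is None or len(burst) > best["events"]:
                    best = {
                        "events": len(burst),
                        "ports": sorted(ports),
                        "targets": sorted({r["dst"] for r in burst}),
                        "span_seconds": (burst[-1]["ts"] - burst[0]["ts"]).total_seconds(),
                        "touched_dnp3": DNP3_PORT in ports,
                    }
        if best:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, summary in find_scanners(SAMPLE_FLOWS).items():
        severity = "ICS-RELEVANT" if summary["touched_dnp3"] else "generic"
        print(f"{src}: {summary['events']} flows to ports {summary['ports']} "
              f"in {summary['span_seconds']:.0f}s ({severity})")
```

The in-house operator 10.20.0.50 polling a single DNP3 outstation twice an hour is not flagged, while the burst across four ports in a few seconds is; the thresholds are starting points to tune against a site's own baseline of DNP3 master-to-outstation polling rather than fixed values.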