Summary (Bottom Line Up Front)
IP address 66.132.153.125 conducted targeted reconnaissance against industrial control systems and IoT infrastructure between March 11 and 14, 2026, using the S7comm and MQTT protocols. The activity represents a MEDIUM threat level, with focused targeting of critical infrastructure protocols. Organizations operating ICS/SCADA and IoT environments should immediately review network segmentation and implement enhanced monitoring for these protocols.
Activity Timeline
INITIAL REPORT 2026-03-14T17:35:05Z
Source: batch_hunting
Technical details
The threat actor generated 72 distinct events over a 4-day period (March 11 04:00 to March 14 14:00 UTC) against 3 unique destination ports. Attack vectors included S7comm COTP connection requests aimed at Siemens PLC infrastructure and MQTT subscription attempts, including wildcard topic enumeration. The campaign used multiple TLS versions (1.0, 1.2+) and HTTPS for encrypted communications. Key indicators are S7comm protocol abuse (MITRE T1046 - Network Service Scanning) and MQTT topic enumeration (MITRE T1087 - Account Discovery). The source IP carries the maximum AbuseIPDB reputation score of 100/100, indicating confirmed malicious activity.
IOCs
IP: 66.132.153.125
COUNTRY: US
Recommendations
- Implement network segmentation to isolate ICS/SCADA networks from internet-facing infrastructure and restrict S7comm protocol access to authorized systems only
- Deploy protocol-aware monitoring for MQTT brokers with alerting on wildcard subscription attempts and unauthorized topic enumeration
- Block IP address 66.132.153.125 at network perimeters and review firewall rules for unnecessary exposure of industrial protocols
- Conduct immediate asset inventory of Siemens PLCs and MQTT-enabled devices to identify potential exposure points
- Enable enhanced logging for S7comm and MQTT communications to detect similar reconnaissance patterns
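One way to implement the wildcard-subscription alerting called for above, as an added example that is not part of the original report: a parser for MQTT 3.1.1 SUBSCRIBE packets that flags topic filters broad enough to enumerate a broker's whole topic tree or its $SYS internals. It assumes it is handed the raw bytes of a single control packet (already decrypted if the session used TLS); the sample packet is constructed for illustration.

```python
"""Detect MQTT SUBSCRIBE packets that enumerate a broker's topic tree (MQTT 3.1.1)."""
SUBSCRIBE = 8  # control packet type in the high nibble of the fixed header
# Constructed sample: SUBSCRIBE, packet id 1, filters "#" (QoS 0) and "$SYS/#" (QoS 0)
SAMPLE_PACKET = b"\x82\x0f\x00\x01\x00\x01#\x00\x00\x06$SYS/#\x00"


def _remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' field; return (value, next_pos)."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")


def parse_subscribe(buf):
    """Return (packet_id, [(topic_filter, qos), ...]); raise ValueError if malformed."""
    if not buf or buf[0] >> 4 != SUBSCRIBE or buf[0] & 0x0F != 0x02:
        raise ValueError("not a SUBSCRIBE fixed header")
    length, pos = _remaining_length(buf, 1)
    end = pos + length
    if end != len(buf) or length < 2:
        raise ValueError("remaining length does not match the packet")
    packet_id = int.from_bytes(buf[pos:pos + 2], "big")
    pos, filters = pos + 2, []
    while pos < end:  # payload: repeated (2-byte length, UTF-8 filter, 1-byte QoS)
        n = int.from_bytes(buf[pos:pos + 2], "big")
        if pos + 2 + n + 1 > end:
            raise ValueError("truncated topic filter")
        filters.append((buf[pos + 2:pos + 2 + n].decode("utf-8"), buf[pos + 2 + n]))
        pos += 3 + n
    return packet_id, filters


def is_enumeration_filter(topic):
    """True for filters broad enough to dump the whole topic tree or broker internals."""
    levels = topic.split("/")
    if all(level in ("+", "#") for level in levels):
        return True  # "#", "+/#", "+/+/#", ...
    return topic.startswith("$SYS/") and "#" in levels


def flag_subscribe(buf):
    """Topic filters in a SUBSCRIBE packet that an analyst should alert on."""
    _, filters = parse_subscribe(buf)
    return [topic for topic, _ in filters if is_enumeration_filter(topic)]
```

Feed `flag_subscribe` the SUBSCRIBE packets seen by a broker-side tap or a protocol-aware sensor; a non-empty result from an unexpected client is the signal to alert on.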