Summary (Bottom Line Up Front)
IP address 71.6.199.23 conducted a sustained 7-week reconnaissance campaign targeting industrial control systems, focusing on Modbus protocol enumeration and MQTT services with 69 recorded events between February 17 and April 6, 2026. The sophisticated targeting of operational technology protocols indicates potential APT-level threat activity with high risk to critical infrastructure environments. Immediate implementation of ICS/SCADA network segmentation and enhanced monitoring of Modbus/MQTT traffic is recommended.
Activity Timeline
INITIAL REPORT 2026-04-06T21:22:29Z
Source: Analyst Manual Entry
IP address 71.6.199.23 conducted a sustained 7-week reconnaissance campaign targeting industrial control systems, focusing on Modbus protocol enumeration and MQTT services with 69 recorded events between February 17 and April 6, 2026. The sophisticated targeting of operational technology protocols indicates potential APT-level threat activity with high risk to critical infrastructure environments. Immediate implementation of ICS/SCADA network segmentation and enhanced monitoring of Modbus/MQTT traffic is recommended.
Technical details
Attack Profile: Sustained reconnaissance campaign spanning 48 days targeting industrial protocols
Primary Protocols: Modbus, MQTT, HTTP with focus on operational technology enumeration
Attack Volume: 69 events across 4 unique destination ports
Key Techniques:
- Modbus device identification requests: Report Server ID (function 0x11, also called Report Slave ID) and Read Device Identification (function 0x2B, MEI type 0x0E), the latter sent to unit ID 0x00, the Modbus broadcast address (MITRE ATT&CK T1046 - Network Service Discovery; ATT&CK for ICS T0888 - Remote System Information Discovery)
- MQTT service reconnaissance: HTTP requests with crafted headers sent to the MQTT service port, consistent with banner grabbing (MITRE ATT&CK T1595 - Active Scanning)
- Protocol-aware payloads: the two Modbus requests are valid MBAP-framed PDUs, but they are also the standard probes used to fingerprint Modbus devices (function 0x11 is what Nmap's modbus-discover script sends, and internet-wide scanners issue the same identification requests). They show use of common tooling rather than bespoke ICS/SCADA expertise, so before treating the source as APT-level, check whether 71.6.199.23 belongs to a known research or commercial scanning service and whether any request went beyond identification (no writes or process-data reads are recorded here)
Notable Payloads:
- Modbus Report Server ID (function 0x11) to unit ID 0xFF, the conventional unit ID for a native Modbus/TCP device: `000000000002ff11` (MBAP: transaction ID 0x0000, protocol ID 0x0000, length 2, unit ID 0xFF, then function 0x11 with no data)
- Modbus Read Device Identification (function 0x2B, MEI type 0x0E, ReadDevId code 0x01 = basic identification) to unit ID 0x00, the Modbus broadcast address: `000000000005002b0e01` (the MBAP length field declares 5 bytes after it, but only 4 are present in the recorded payload; the trailing Object Id byte of the request is absent from the capture)
- HTTP requests with crafted headers directed at the MQTT service port (HTTP-to-MQTT port targeting)
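The following decoder is an added example and is not part of the original report or of any tooling the report mentions. It parses the two Modbus/TCP payloads quoted above (MBAP header plus PDU), names the function code and MEI type, and flags the identification requests that scanners use, which is the kind of check the Modbus monitoring recommendation below calls for. The third frame in SAMPLE_FRAMES is a constructed benign Read Holding Registers request, and the function names (parse_modbus_tcp, triage) and the dataclass are assumptions made for this example.

```python
"""Decode Modbus/TCP request frames and flag device-identification probes.

Added example, not from the original report. Field layout and function
names follow the Modbus Application Protocol specification; the helper
names here are this example's own.
"""
import struct
from dataclasses import dataclass

FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x08: "Diagnostics",
    0x10: "Write Multiple Registers",
    0x11: "Report Server ID",
    0x2B: "Encapsulated Interface Transport",
}
MEI_READ_DEVICE_ID = 0x0E
READ_DEV_ID_CODES = {1: "basic", 2: "regular", 3: "extended", 4: "specific"}


@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    length: int      # MBAP length: bytes after the length field (unit id + PDU)
    unit_id: int
    function: int
    data: bytes      # PDU bytes after the function code
    truncated: bool  # fewer bytes present than the length field declares

    def _is_read_device_id(self) -> bool:
        return self.function == 0x2B and self.data[:1] == bytes([MEI_READ_DEVICE_ID])

    def is_recon(self) -> bool:
        """Identification requests touch no process data; scanners send these."""
        return self.function == 0x11 or self._is_read_device_id()

    def describe(self) -> str:
        name = FUNCTION_NAMES.get(self.function, "unknown")
        detail = f"function 0x{self.function:02X} {name}"
        if self._is_read_device_id():
            detail += " / Read Device Identification"
            if len(self.data) > 1:
                code = self.data[1]
                detail += f", ReadDevId code {code} ({READ_DEV_ID_CODES.get(code, 'reserved')})"
            if len(self.data) > 2:
                detail += f", object id 0x{self.data[2]:02X}"
        if self.unit_id == 0x00:
            detail += ", unit id 0x00 (broadcast address)"
        elif self.unit_id == 0xFF:
            detail += ", unit id 0xFF (native Modbus/TCP device)"
        else:
            detail += f", unit id {self.unit_id}"
        if self.truncated:
            detail += " [truncated: length field exceeds bytes present]"
        return detail


def parse_modbus_tcp(raw: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request frame (7-byte MBAP header + PDU)."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length < 2:
        raise ValueError("length field must cover unit id and function code")
    end = 6 + length  # the frame ends where the MBAP length field says it does
    return ModbusRequest(tid, pid, length, uid, raw[7], raw[8:end], len(raw) < end)


def triage(hex_frames):
    """Return (hex, verdict, description) for each captured frame."""
    out = []
    for hx in hex_frames:
        try:
            req = parse_modbus_tcp(bytes.fromhex(hx))
        except ValueError as exc:
            out.append((hx, "malformed", str(exc)))
            continue
        out.append((hx, "recon" if req.is_recon() else "normal", req.describe()))
    return out


# First two frames: the payloads quoted in this report. Third: a constructed
# benign Read Holding Registers request (unit 1, start address 0, 1 register).
SAMPLE_FRAMES = [
    "000000000002ff11",
    "000000000005002b0e01",
    "000100000006010300000001",
]

if __name__ == "__main__":
    for hx, verdict, desc in triage(SAMPLE_FRAMES):
        print(f"{verdict:9s} {hx:26s} {desc}")
```

Run against the second payload, the decoder reports the frame as truncated: the length field promises five bytes after it and four are present, which is why the Object Id byte does not appear in the description. A monitoring pipeline would feed triage() with the Modbus payloads extracted from a packet capture or honeypot log and alert on any "recon" verdict from outside the control network, and on any write function (0x05, 0x06, 0x10) regardless of source.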
IOCs
- Source IP: 71.6.199.23
- Destination ports associated with Modbus (TCP 502) and MQTT (conventionally TCP 1883, or 8883 with TLS); the report records 4 unique destination ports in total
- Hex-encoded Modbus/TCP request frames (MBAP header plus PDU) carrying device-identification function codes 0x11 and 0x2B/0x0E
Recommendations
- Implement network segmentation to isolate ICS/SCADA networks from corporate IT infrastructure and internet-facing systems
- Deploy specialized ICS protocol monitoring solutions to detect anomalous Modbus and MQTT traffic patterns
- Block 71.6.199.23 at perimeter firewalls and add it to internal threat-intelligence watchlists; treat this as low-cost hygiene rather than protection, since scanning infrastructure rotates addresses and the finding that matters is whatever answered the probes
- Conduct an immediate inventory of Modbus and MQTT services reachable from the internet or the corporate network. Modbus/TCP itself carries no authentication, so an exposed port 502 is a finding on its own and must be closed or moved behind a VPN or protocol-aware gateway; for MQTT, require broker authentication and TLS and reject anonymous connections
- Review and harden industrial protocol configurations: restrict which unit IDs and function codes are reachable from outside the control zone, disable responses to unit ID 0x00 (broadcast) and to identification requests where the device allows it, and log any write function (0x05, 0x06, 0x10) regardless of source