77.90.185.135

Summary (Bottom Line Up Front)

An external source geolocated to Lithuania (77.90.185.135) conducted reconnaissance against industrial control systems using the Siemens S7comm protocol, which the analyst assesses as potential APT activity focused on critical infrastructure. Assessed threat level: HIGH with 95% confidence, based on the ICS-specific technique (S7comm COTP connection requests) and the maximum AbuseIPDB score. Caveat for readers: four COTP connect requests and a 100/100 abuse score are also consistent with untargeted internet-wide scanning of TCP/102, so the APT assessment should be treated as a hypothesis rather than established attribution. Immediate defensive measures are still recommended for all ICS/SCADA environments.

Tags: RDP, S7comm, TCP, auto, mqtt, smtp
Activity Timeline
UPDATE 2026-03-17T23:03:02Z
Source: Analyst Manual Entry
New findings
The source used multiple protocols (RDP, S7comm, MQTT, SMTP) across 14 unique destination ports during a 2-hour window on 2026-03-15 (15:00-17:00). The primary activity of interest was Siemens S7comm COTP connection requests (TPKT/COTP on TCP/102, the first message of any S7comm session) directed at industrial control systems, mapped to MITRE ATT&CK for ICS technique T0846 (Remote System Discovery). The source host fingerprints as Windows build 17763 (shared by Windows 10 1809 and Windows Server 2019, so the fingerprint does not distinguish the two) with RDP exposed on port 3389, and carries the maximum AbuseIPDB confidence-of-abuse score (100/100). Attack pattern analysis identified 4 instances of s7comm_cotp_connect_request behaviour, consistent with enumeration of Siemens PLC/HMI systems by rack/slot (the COTP destination TSAP carries the requested rack and slot). IOC: 77.90.185.135 (AS215476 Inside Network LTD).
Recommendations
  • Implement immediate network segmentation to isolate ICS/SCADA networks from corporate IT infrastructure and external internet access
  • Deploy protocol-aware monitoring for S7comm, Modbus, and other industrial protocols with alerting on unauthorized connection attempts
  • Review and restrict RDP access controls, implementing multi-factor authentication and network-level access restrictions for remote connections
  • Conduct emergency asset inventory of all Siemens PLCs and HMI systems to verify current patch levels and security configurations
  • Coordinate with relevant CISA/ICS-CERT reporting channels given the critical infrastructure targeting nature of this campaign
INITIAL REPORT 2026-03-16T07:16:18Z
Source: Analyst Manual Entry
A source geolocated to Lithuania (77.90.185.135) conducted reconnaissance against industrial control systems using the Siemens S7comm protocol on March 15, 2026. The analyst rates this HIGH severity with 95% confidence as potential APT operations targeting critical infrastructure; note that the observed volume (see Technical details) is also consistent with mass scanning of TCP/102. Immediate defensive measures should focus on ICS network segmentation and S7comm protocol monitoring.
Technical details
Attack Vector: Multi-protocol reconnaissance spanning RDP, S7comm, MQTT, and SMTP across 14 unique destination ports, over a window recorded here as 14:00-17:00 UTC (the 2026-03-17 update narrows this to 15:00-17:00). Primary focus on Siemens S7comm COTP connection requests, indicating ICS/SCADA targeting. MITRE Mapping: T0846 (Remote System Discovery), reconnaissance phase. Volume: 91 total events, of which 4 were confirmed S7comm connection attempts; the remainder were probes of other services. Source host: Windows build 17763 in Inside Network LTD (AS215476) address space, maximum AbuseIPDB confidence-of-abuse score (this is a host fingerprint and hosting provider, not actor attribution). IOCs: Source IP 77.90.185.135, open RDP port 3389, no reverse DNS resolution.
IOCs
IP:77.90.185.135
ASN:215476
COUNTRY:LT
Recommendations
  • Implement immediate network segmentation between IT and OT environments, blocking S7comm traffic (TCP/102) except from authorized engineering hosts
  • Deploy enhanced monitoring for Siemens S7comm protocol anomalies and unauthorized COTP connection requests
  • Block source IP 77.90.185.135 and monitor for additional Inside Network LTD (AS215476) infrastructure
  • Conduct emergency audit of all Siemens PLC and HMI system access controls and authentication mechanisms
  • Activate incident response procedures for potential ICS compromise and coordinate with relevant critical infrastructure authorities
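The s7comm_cotp_connect_request behaviour counted in both entries above, and the protocol-aware monitoring both recommendation lists call for, come down to recognising one message: the COTP Connection Request (CR TPDU) carried over TPKT on TCP/102, whose destination TSAP names the rack and slot the client wants. The following is an added example, not part of this report or any vendor tooling: a small parser for that message plus detection logic that flags CRs from sources outside an assumed OT allowlist (10.20.0.0/24 is a placeholder) and reports sources that reach the report's count of 4. The flow records and the reference CR bytes are constructed for the example, not captured traffic.

```python
"""Parse TPKT/COTP Connection Request TPDUs (the first message of an S7comm
session on TCP/102) and flag unauthorized ones.

Added example for this report; SAMPLE_FLOWS below are constructed records,
not captured traffic, and OT_ENGINEERING_HOSTS is an assumed allowlist.
"""
import struct
from ipaddress import ip_address, ip_network

# COTP (ISO 8073) TPDU type and the parameter codes S7 clients send in a CR
COTP_CR = 0xE0
PARAM_TPDU_SIZE = 0xC0
PARAM_SRC_TSAP = 0xC1
PARAM_DST_TSAP = 0xC2
# First byte of an S7 TSAP: connection type (PG = programming device, OP = HMI)
S7_CONN_TYPES = {0x01: "PG", 0x02: "OP", 0x03: "S7-basic"}

OT_ENGINEERING_HOSTS = [ip_network("10.20.0.0/24")]  # assumed allowlist


def parse_cotp_cr(payload):
    """Return a dict describing a COTP CR, or None if payload is not one.

    Layout: TPKT header (version 3, reserved, 2-byte total length), then the
    COTP TPDU: length indicator, type, dst-ref, src-ref, class/options and
    TLV parameters.  The destination TSAP's second byte encodes the S7
    rack (bits 7..5) and slot (bits 4..0) the client is asking for.
    """
    if len(payload) < 11 or payload[0] != 0x03:
        return None
    if struct.unpack("!H", payload[2:4])[0] != len(payload):
        return None
    li = payload[4]
    if (payload[5] & 0xF0) != COTP_CR or 4 + 1 + li != len(payload):
        return None
    dst_ref, src_ref, cls = struct.unpack("!HHB", payload[6:11])
    info = {"dst_ref": dst_ref, "src_ref": src_ref, "class": cls >> 4}
    pos = 11
    while pos + 2 <= len(payload):
        code, plen = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + plen]
        if len(value) != plen:
            return None  # truncated parameter
        if code == PARAM_TPDU_SIZE and plen == 1:
            info["tpdu_size"] = 1 << value[0]
        elif code == PARAM_SRC_TSAP:
            info["src_tsap"] = value.hex()
        elif code == PARAM_DST_TSAP and plen == 2:
            info["dst_tsap"] = value.hex()
            info["conn_type"] = S7_CONN_TYPES.get(value[0], "unknown")
            info["rack"] = value[1] >> 5
            info["slot"] = value[1] & 0x1F
        pos += 2 + plen
    return info


def build_cotp_cr(rack, slot, conn_type=0x01):
    """Build the CR an S7 client sends for a given rack/slot (test input)."""
    cotp = (bytes([COTP_CR, 0x00, 0x00, 0x00, 0x01, 0x00])
            + bytes([PARAM_SRC_TSAP, 2, 0x01, 0x00])
            + bytes([PARAM_DST_TSAP, 2, conn_type, (rack << 5) | slot])
            + bytes([PARAM_TPDU_SIZE, 1, 0x0A]))
    cotp = bytes([len(cotp)]) + cotp
    return b"\x03\x00" + struct.pack("!H", 4 + len(cotp)) + cotp


def detect_s7_enumeration(flows, allowlist=OT_ENGINEERING_HOSTS, threshold=4):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_payload).

    Returns (alerts, enumerators): one alert per CR on TCP/102 from a source
    outside the allowlist, and the sources with at least `threshold` such
    CRs.  The port filter matters: RDP's X.224 connection request on 3389
    is the same COTP CR TPDU and would otherwise be mislabelled as S7.
    """
    alerts, per_src = [], {}
    for src, dst, dport, payload in flows:
        if dport != 102:
            continue
        cr = parse_cotp_cr(payload)
        if cr is None or any(ip_address(src) in n for n in allowlist):
            continue
        alerts.append({"src": src, "dst": dst, "conn_type": cr.get("conn_type"),
                       "rack": cr.get("rack"), "slot": cr.get("slot")})
        per_src[src] = per_src.get(src, 0) + 1
    enumerators = sorted(s for s, n in per_src.items() if n >= threshold)
    return alerts, enumerators


ACTOR = "77.90.185.135"  # source IP from the report
SAMPLE_FLOWS = [  # constructed records, not captured traffic
    (ACTOR, "192.0.2.10", 102, build_cotp_cr(0, 0)),
    (ACTOR, "192.0.2.10", 102, build_cotp_cr(0, 1)),
    (ACTOR, "192.0.2.10", 102, build_cotp_cr(0, 2)),
    (ACTOR, "192.0.2.11", 102, build_cotp_cr(0, 2, conn_type=0x02)),
    (ACTOR, "192.0.2.10", 3389, bytes.fromhex("0300000b06e00000000000")),  # RDP X.224 CR
    ("10.20.0.5", "192.0.2.10", 102, build_cotp_cr(0, 2)),  # allowlisted engineer
    (ACTOR, "192.0.2.10", 102, bytes.fromhex("0300000702f080")),  # COTP DT, not a CR
]

if __name__ == "__main__":
    found, sources = detect_s7_enumeration(SAMPLE_FLOWS)
    for a in found:
        print(f"S7 CR {a['src']} -> {a['dst']} type={a['conn_type']} rack={a['rack']} slot={a['slot']}")
    print("enumerating sources:", sources)
```

Feed `detect_s7_enumeration` the first payload of each inbound TCP/102 flow (from a Zeek conn/tcp payload export or a packet capture) and it reproduces the report's "4 instances" count per source; the rack/slot fields tell you whether one source is walking slots, which is what distinguishes PLC enumeration from a single scanner banner grab.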