80.94.95.43

Summary (Bottom Line Up Front)

IP address 80.94.95.43 conducted targeted reconnaissance against industrial control systems (ICS) infrastructure over a 15-day period from March 10-25, 2026, generating 69 attack events primarily focused on S7comm protocol exploitation. This represents LOW-severity threat activity consistent with initial reconnaissance phases of ICS-targeted campaigns. Network defenders should implement enhanced monitoring for S7comm traffic and consider blocking this IP address.

Activity Timeline
INITIAL REPORT 2026-03-25T09:08:32Z
Source: Analyst Manual Entry
Technical details
  • Attack Profile: Sustained reconnaissance campaign targeting industrial protocols across 4 unique destination ports, with primary focus on S7comm COTP connection requests on port 9001.
  • Protocols Observed: RDP, TCP, HTTP, and specialized ICS protocols including S7comm.
  • MITRE Mapping: T1083 (File and Directory Discovery), T0846 (Remote System Discovery - ICS).
  • Attack Volume: 69 total events with 5 confirmed S7comm COTP connection attempts representing medium-severity ICS attack patterns.
  • Key IOC: 80.94.95.43 demonstrating persistent targeting behavior over 360+ hours.
  • Kill Chain Phase: Early reconnaissance with 5% assessed probability of zero-day exploitation capabilities.
IOCs
IP: 80.94.95.43
Recommendations
  • Block IP address 80.94.95.43 at network perimeter and document in threat intelligence feeds
  • Implement enhanced monitoring and alerting for S7comm protocol traffic on non-standard ports
  • Review and harden access controls for industrial control system networks and protocols
  • Conduct threat hunting for similar S7comm COTP connection request patterns across ICS infrastructure
  • Verify network segmentation between corporate IT and operational technology (OT) environments