81.29.142.6

Summary (Bottom Line Up Front)

Russian-origin IP address 81.29.142.6 conducted sustained multi-protocol reconnaissance targeting industrial control systems and enterprise services over a 40-day period from February 12 to March 24, 2026. Despite 468 recorded events across 11 protocols including EtherNet/IP, Modbus, and MQTT, the activity is assessed as LOW severity automated scanning rather than targeted exploitation. Organizations should monitor for similar reconnaissance patterns and harden ICS/OT network segmentation.

Protocol tags: EtherNet/IP, HTTP, MQTT, Modbus, Oracle/TNS, RDP, SMB, SSH, TCP, TCP/SYN, TLS, TLS/1.0, Unknown, auto, http, https, https_tls_handshake, modbus, mqtt, oracle, smb, smtp
Activity Timeline
UPDATE 6 (2026-03-24T22:27:09Z)
Source: Analyst Manual Entry
Russian-origin IP address 81.29.142.6 conducted sustained multi-protocol reconnaissance targeting industrial control systems and enterprise services over a 40-day period from February 12 to March 24, 2026. Despite 468 recorded events across 11 protocols including EtherNet/IP, Modbus, and MQTT, the activity is assessed as LOW severity automated scanning rather than targeted exploitation. Organizations should monitor for similar reconnaissance patterns and harden ICS/OT network segmentation.
New findings
Source: 81.29.142.6 (Russia, ASN unknown, AbuseIPDB score 100/100)
Timeline: February 12, 2026 14:00 - March 24, 2026 13:00 (468 events)
Protocols Targeted: EtherNet/IP, Modbus, MQTT, SMB, SSH, RDP, Oracle/TNS, SMTP, HTTP/HTTPS
Primary Techniques: T1046 (Network Service Scanning), industrial protocol enumeration
Key Indicators: SMBv1 usage detection, Modbus broadcast attacks, MQTT wildcard subscriptions, S7comm COTP connection attempts
Notable Payloads: EtherNet/IP RegisterSession requests, Modbus device ID queries (function code 43), MQTT binary subscribe packets targeting wildcard topics
Recommendations
  • Implement network segmentation between IT and OT environments to prevent cross-protocol reconnaissance
  • Deploy industrial protocol-aware monitoring solutions to detect unauthorized Modbus, EtherNet/IP, and MQTT communications
  • Disable SMBv1 protocol across all systems and monitor for legacy protocol usage attempts
  • Configure firewall rules to block unsolicited connections to industrial control system ports (502/Modbus, 44818/EtherNet-IP, 1883/MQTT)
  • Establish baseline monitoring for industrial device enumeration activities and MQTT wildcard subscription attempts
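The three payload-level indicators named above (Modbus device ID queries with function code 43 and unit-ID 0 broadcasts, MQTT SUBSCRIBE packets carrying wildcard topic filters, and EtherNet/IP RegisterSession requests) can be picked out of raw sensor captures with a small amount of protocol parsing. The following Python script is an added example written for this page, not tooling from the report's source; it assumes captures are available as (source, destination port, TCP payload) records, dispatches on the ICS/MQTT ports listed in the recommendations, and runs over constructed sample frames rather than traffic from 81.29.142.6.

```python
"""Flag the ICS/MQTT reconnaissance indicators described in the report.

Added example (not part of the original report). Parses raw TCP payloads
and returns findings for: Modbus Read Device Identification (FC 0x2B /
MEI 0x0E) and unit-ID 0 broadcasts, MQTT SUBSCRIBE with '#' or '+'
wildcard filters, and EtherNet/IP RegisterSession (command 0x0065).
"""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
MQTT_PORTS = {1883, 8883}
ENIP_PORT = 44818

FC_READ_DEVICE_ID = 0x2B      # Modbus Encapsulated Interface Transport (43)
MEI_READ_DEVICE_ID = 0x0E     # MEI type: Read Device Identification
ENIP_REGISTER_SESSION = 0x0065


@dataclass
class Finding:
    src: str
    dst_port: int
    indicator: str
    detail: str


def inspect_modbus(payload: bytes) -> list[tuple[str, str]]:
    """Parse an MBAP header + PDU and return (indicator, detail) pairs."""
    if len(payload) < 8:
        return []
    _tx, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return []                       # not a well-formed Modbus/TCP frame
    fc = payload[7]
    hits = []
    if unit_id == 0:                    # unit ID 0 is the Modbus broadcast address
        hits.append(("modbus_broadcast", f"unit id 0, function code 0x{fc:02x}"))
    if fc == FC_READ_DEVICE_ID and len(payload) >= 9 and payload[8] == MEI_READ_DEVICE_ID:
        read_code = payload[9] if len(payload) > 9 else None
        hits.append(("modbus_read_device_id", f"FC 43 / MEI 0x0E, read code {read_code}"))
    return hits


def _remaining_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode the MQTT variable-length 'remaining length' field."""
    value, multiplier = 0, 1
    while True:
        if pos >= len(buf) or multiplier > 128 ** 3:
            raise ValueError("bad remaining length")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128


def inspect_mqtt(payload: bytes) -> list[tuple[str, str]]:
    """Flag SUBSCRIBE packets (control type 8) with wildcard topic filters."""
    if not payload or payload[0] >> 4 != 8:
        return []
    try:
        remaining, pos = _remaining_length(payload, 1)
    except ValueError:
        return []
    end = pos + remaining
    if end > len(payload) or remaining < 2:
        return []
    pos += 2                            # packet identifier
    filters = []
    while pos + 2 <= end:               # each entry: 2-byte length, topic, QoS byte
        (tlen,) = struct.unpack(">H", payload[pos:pos + 2])
        pos += 2
        if pos + tlen + 1 > end:
            break                       # truncated entry; stop rather than misparse
        filters.append(payload[pos:pos + tlen].decode("utf-8", errors="replace"))
        pos += tlen + 1
    wild = [t for t in filters if "#" in t or "+" in t]
    return [("mqtt_wildcard_subscribe", "filters: " + ", ".join(wild))] if wild else []


def inspect_enip(payload: bytes) -> list[tuple[str, str]]:
    """Flag EtherNet/IP encapsulation RegisterSession requests (24-byte header)."""
    if len(payload) < 24:
        return []
    command, length, session = struct.unpack("<HHI", payload[:8])
    if command != ENIP_REGISTER_SESSION or length != len(payload) - 24:
        return []
    version = struct.unpack("<H", payload[24:26])[0] if length >= 2 else None
    return [("enip_register_session", f"session 0x{session:08x}, protocol version {version}")]


def classify(src: str, dst_port: int, payload: bytes) -> list[Finding]:
    """Dispatch on destination port and wrap parser hits as Finding records."""
    if dst_port == MODBUS_PORT:
        hits = inspect_modbus(payload)
    elif dst_port in MQTT_PORTS:
        hits = inspect_mqtt(payload)
    elif dst_port == ENIP_PORT:
        hits = inspect_enip(payload)
    else:
        hits = []
    return [Finding(src, dst_port, ind, det) for ind, det in hits]


def summarize(records) -> dict[str, int]:
    """Count indicator hits by type across (src, dst_port, payload) records."""
    counts: dict[str, int] = {}
    for src, port, payload in records:
        for f in classify(src, port, payload):
            counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


# Constructed sample frames (TEST-NET source address; not captured traffic).
SAMPLES = [
    ("203.0.113.7", 502, bytes.fromhex("000100000005002b0e0100")),          # FC 43 to unit 0
    ("203.0.113.7", 1883, b"\x82\x06\x00\x01\x00\x01#\x00"),                # SUBSCRIBE '#'
    ("203.0.113.7", 44818, bytes.fromhex("65000400") + bytes(20) + bytes.fromhex("01000000")),
    ("203.0.113.7", 502, bytes.fromhex("000200000006010300000001")),        # benign FC 3 read
]

if __name__ == "__main__":
    for src, port, payload in SAMPLES:
        for f in classify(src, port, payload):
            print(f"{f.src} -> :{f.dst_port} {f.indicator}: {f.detail}")
    print(summarize(SAMPLES))
```

Each parser validates the frame's own length field before flagging anything, so malformed or non-protocol data on these ports produces no finding; alerting on unit-ID 0 alone will also catch the Modbus broadcast pattern when the function code is not 43.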
UPDATE 5 (2026-03-18T00:10:59Z)
Source: Analyst Manual Entry
Russian-origin IP address 81.29.142.6 conducted sustained multi-protocol reconnaissance targeting industrial control systems, MQTT brokers, and legacy Windows services over a 33-day period from February 12 to March 17, 2026. Assessment: MEDIUM threat with 75% confidence, representing potential APT interest in critical infrastructure. Immediate action required to harden ICS/OT network segmentation and monitor for similar scanning patterns.
New findings
Threat actor executed 399 attack events across 10 protocols including Modbus TCP, S7comm, MQTT, SMB1, and SMTP targeting 10 unique destination ports. Primary MITRE technique T1046 (Network Service Scanning) observed during reconnaissance phase operations. Key attack patterns include Modbus broadcast attacks, S7comm COTP connection requests, MQTT wildcard subscriptions, and SMB1 exploitation attempts. Source IP maintains 100/100 AbuseIPDB reputation score with no VPN obfuscation detected. Attack signature suggests automated tooling designed for industrial network enumeration and potential lateral movement preparation.
Recommendations
  • Implement network segmentation between IT and OT environments with strict firewall rules blocking unauthorized Modbus (502), S7comm (102), and MQTT (1883/8883) traffic
  • Deploy ICS-specific intrusion detection systems to monitor for Modbus function code 43 device identification requests and S7comm connection attempts
  • Disable SMB1 protocol across all Windows systems and enable SMB signing to prevent reconnaissance and lateral movement
  • Block Russian IP ranges at perimeter firewalls and add 81.29.142.6 to threat intelligence feeds for automated blocking
  • Conduct immediate audit of exposed industrial protocols on internet-facing systems and relocate behind VPN or remove external access entirely
UPDATE 4 (2026-03-17T23:23:40Z)
Source: Analyst Manual Entry
Russian IP address 81.29.142.6 conducted sustained multi-protocol reconnaissance targeting industrial control systems, MQTT brokers, and legacy network services over a 33-day period from February 12 to March 17, 2026. The campaign demonstrates sophisticated threat actor interest in critical infrastructure with 399 attack events across 10 protocols including Modbus, S7comm, and MQTT. Organizations operating ICS/OT environments should immediately review network segmentation and implement enhanced monitoring for industrial protocols.
New findings
Attack Profile: 399 events targeting industrial control systems and supporting infrastructure protocols over 33 days. Primary focus on Modbus TCP (port 502), MQTT (port 1883), SMBv1 (port 445), and S7comm industrial protocols. Attack patterns include Modbus device identification requests (FC=0x2B), MQTT wildcard topic subscriptions, and S7comm COTP connection attempts.
MITRE ATT&CK Mapping: T1046 (Network Service Scanning) with focus on industrial protocol enumeration. Kill chain phase indicates early reconnaissance activities consistent with APT-style infrastructure targeting.
Key Indicators: Source IP 81.29.142.6 (ASN unknown, Russia), AbuseIPDB score 100/100. Notable payload samples include Modbus Read Device ID requests, MQTT subscribe-all operations (#), and SMBv1 protocol usage indicating targeting of legacy industrial systems.
Threat Assessment: Medium confidence (75%) APT candidate with demonstrated capability across multiple industrial protocols suggesting specialized tooling and infrastructure knowledge.
Recommendations
  • Implement network segmentation between IT and OT environments with strict firewall rules blocking external access to industrial protocol ports (502, 1883, 102)
  • Deploy industrial protocol-aware monitoring solutions capable of detecting Modbus, S7comm, and MQTT anomalies in OT networks
  • Disable SMBv1 protocol across all systems and upgrade legacy industrial HMI/SCADA systems using deprecated protocols
  • Block IP 81.29.142.6 and monitor for similar reconnaissance patterns targeting industrial control system ports
  • Conduct immediate asset inventory of internet-facing industrial systems and remove unnecessary external connectivity
UPDATE 3 (2026-03-17T23:02:14Z)
Source: Analyst Manual Entry
Russian-origin IP address 81.29.142.6 conducted sustained multi-protocol reconnaissance targeting industrial control systems, MQTT brokers, and SMB services over 33 days with 399 attack events. This medium-severity threat demonstrates sophisticated targeting of critical infrastructure protocols including Modbus, S7comm, and deprecated SMB1. Immediate network monitoring and access controls for industrial protocols are recommended.
New findings
Threat actor leveraged a diverse protocol stack including HTTP/HTTPS, MQTT, Modbus, RDP, SMB, SSH, and TLS across 10 unique destination ports from February 12, 2026 14:00 to March 17, 2026 13:00. Primary attack vectors included SMB1 protocol exploitation (T1021.002), industrial control system reconnaissance via S7comm COTP connection requests and Modbus broadcast attacks, and MQTT wildcard subscription attempts for data exfiltration. The source IP exhibits the maximum AbuseIPDB reputation score (100/100) with no reverse DNS resolution, suggesting infrastructure specifically configured for malicious activity. Attack patterns indicate an early-stage reconnaissance phase, assessed with 85% confidence, and a low zero-day probability (5%).
Recommendations
  • Block IP address 81.29.142.6 at network perimeter and implement geofencing for Russian IP ranges accessing industrial control systems
  • Disable SMB1 protocol across all network segments and implement network segmentation between IT and OT environments
  • Deploy enhanced monitoring for Modbus, S7comm, and MQTT protocols with alerting on broadcast requests and wildcard subscriptions
  • Implement multi-factor authentication for RDP and SSH services with IP allowlisting for administrative access
  • Conduct immediate asset inventory of exposed industrial control systems and MQTT brokers accessible from external networks
UPDATE 2 (2026-03-16T16:02:54Z)
Source: Analyst Manual Entry
Russian-origin IP 81.29.142.6 conducted a sustained multi-protocol reconnaissance campaign from February 12 to March 16, 2026, targeting industrial control systems, messaging protocols, and network services with 343 attack events. Assessment indicates MEDIUM threat level with high confidence (85%) representing early-stage reconnaissance activity potentially linked to advanced persistent threat operations. Immediate network monitoring and protocol hardening recommended for affected services.
New findings
Attacker demonstrated broad protocol knowledge targeting HTTP, MQTT, Modbus, RDP, SMB, SSH, TLS, and SMTP services across 10 unique destination ports. Primary attack patterns included deprecated SMB1 protocol exploitation, Siemens S7 COTP connection attempts, MQTT wildcard subscription attacks, and Modbus device identification queries. Activity maps to MITRE technique T1021.002 (SMB/Windows Admin Shares) within the reconnaissance kill chain phase. Source IP 81.29.142.6 originates from AS210259 (LLC Applied Computational Technologies) with maximum AbuseIPDB reputation score (100/100), indicating established malicious infrastructure.
Recommendations
  • Block IP 81.29.142.6 and monitor AS210259 network range for similar reconnaissance patterns
  • Disable SMB1 protocol across all network segments and implement SMB signing requirements
  • Segment industrial control system networks and restrict Modbus/S7 protocol access to authorized management systems only
  • Deploy enhanced monitoring for MQTT wildcard subscription attempts and unauthorized device enumeration
  • Review firewall rules to ensure industrial protocols are not exposed to external networks
UPDATE 1 (2026-03-14T17:42:28Z)
Source: batch_hunting
Russian-origin threat actor 81.29.142.6 conducted sustained reconnaissance against industrial control systems and enterprise protocols over 29 days, targeting 11 unique ports with 331 attack events. Assessment: HIGH threat level due to sophisticated ICS-focused attack patterns and maximum abuse scoring. Immediate hardening of industrial network segments and enhanced monitoring of SCADA/ICS protocols recommended.
New findings
Threat actor demonstrated advanced multi-protocol capabilities targeting industrial control systems through S7comm COTP connection requests, Modbus broadcast attacks, and EtherNet/IP registration attempts. Enterprise reconnaissance included SMBv1 exploitation attempts, MQTT wildcard subscription attacks, and SMTP enumeration. Attack volume peaked with SMB-based reconnaissance (8 events) followed by ICS-specific probing (6 events). Source infrastructure: AS210259 LLC Applied Computational Technologies with 100/100 AbuseIPDB reputation score. Activity timeframe: February 12, 2026 14:00 through March 13, 2026 19:00. Primary IOC: 81.29.142.6.
Recommendations
  • Implement network segmentation between IT and OT environments with strict firewall rules blocking unauthorized cross-segment communication
  • Deploy enhanced monitoring for S7comm, Modbus, EtherNet/IP, and MQTT protocols with baseline behavioral analysis
  • Disable SMBv1 across all enterprise systems and audit legacy industrial systems for insecure protocol dependencies
  • Block source IP 81.29.142.6 and monitor for additional infrastructure from AS210259
  • Conduct immediate security assessment of industrial control systems with external network exposure
INITIAL REPORT (2026-03-14T16:21:18Z)
Source: Analyst Manual Entry
Internet-facing sensors observed 331 malicious events from Russian IP 81.29.142.6 between February 12 and March 13, 2026, targeting industrial control systems and enterprise services. The threat actor demonstrated sophisticated multi-protocol reconnaissance and exploitation capabilities across ICS/SCADA, IoT messaging, and traditional enterprise protocols. Activity patterns indicate an automated scanning operation with a specific focus on operational technology environments.
Technical details
The threat actor utilized 20+ distinct protocols including specialized industrial control system protocols (Modbus, EtherNet/IP, S7comm), IoT messaging (MQTT), and enterprise services (SMB, RDP, SSH, SMTP). Primary attack techniques included S7comm COTP connection requests (4 instances), SMBv1 exploitation attempts (8 combined instances), MQTT wildcard subscription attacks (2 instances), Modbus broadcast attacks and device identification queries (2 instances), and EtherNet/IP session registration attempts (1 instance). The actor targeted 11 unique destination ports and demonstrated knowledge of legacy SMB implementations through repeated SMBv1 usage detection. MQTT attacks specifically leveraged wildcard subscription patterns and binary payloads, indicating familiarity with IoT device communication protocols. No specific CVEs were observed in the traffic patterns, suggesting the actor relied on protocol-level reconnaissance and service enumeration rather than known vulnerability exploitation.
IOCs
IP: 81.29.142.6
ASN: 210259
COUNTRY: RU