Summary (Bottom Line Up Front)
Threat actor operating from IP 85.217.140.13 (AS209334 Modat B.V., France) conducted sustained reconnaissance targeting industrial control systems using Modbus protocol scanning from February 18 to March 13, 2026. Assessment indicates medium threat level with 71 recorded events demonstrating persistent reconnaissance behavior against critical infrastructure protocols. Network defenders should immediately review Modbus-enabled assets and implement enhanced monitoring for industrial control system protocols.
Activity Timeline
INITIAL REPORT 2026-03-14T17:48:11Z
Source: batch_hunting
Technical details
- Attack Vector: Network reconnaissance targeting industrial control systems
- Protocols Observed: Modbus, TCP, TLS (1.0, 1.2+), HTTPS
- Attack Volume: 71 events over 23-day period (February 18 20:00 - March 13 00:00, 2026)
- Targeting Pattern: Focused scanning against 2 unique destination ports
- MITRE ATT&CK Mapping: T1046 (Network Service Scanning), T1595.002 (Active Scanning: Vulnerability Scanning)
- Threat Classification: Scanner-Modat pattern with medium confidence
- IOC: 85.217.140.13 (AbuseIPDB score: 100/100)
IOCs
IP: 85.217.140.13
ASN: 209334
COUNTRY: FR
Recommendations
- Implement network segmentation to isolate Modbus and other industrial control system protocols from internet-facing networks
- Deploy enhanced monitoring and alerting for Modbus protocol traffic, particularly from external IP ranges
- Review and audit all assets running Modbus services for unnecessary internet exposure and disable if not required
- Configure firewall rules to block traffic from AS209334 (Modat B.V.) if no legitimate business requirements exist
- Conduct vulnerability assessments on all industrial control system components to identify potential exploitation targets