85.217.140.18

Summary (Bottom Line Up Front)

A threat actor operating from French hosting infrastructure (85.217.140.18) conducted focused attacks against Kubernetes dashboard interfaces over an 11-day period in March 2026, generating 78 security events. The activity demonstrates medium-severity targeting of container orchestration platforms with persistent reconnaissance behavior. The actor employed multiple transport protocols including legacy TLS implementations, suggesting systematic enumeration of Kubernetes management interfaces.

Tags: TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, http, https

Activity Timeline
INITIAL REPORT 2026-03-14T08:40:17Z
Source: Analyst Manual Entry
Technical details
The threat actor used a multi-protocol approach spanning TCP, HTTP/HTTPS, and TLS communications, with a specific focus on TLS 1.0 and TLS 1.2+ implementations. The primary attack vector consisted of Kubernetes dashboard access attempts (k8s_dashboard_access pattern), targeting 4 unique destination ports commonly associated with Kubernetes API servers and dashboard services. The activity maps to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1613 (Container and Resource Discovery), based on the observed Kubernetes-specific targeting patterns. Traffic analysis revealed systematic probing behavior consistent with automated tooling designed for container infrastructure reconnaissance. The actor's use of both modern and legacy TLS versions indicates broad compatibility testing against diverse Kubernetes deployments.
IOCs
IP:85.217.140.18
ASN:209334
COUNTRY:FR