87.236.176.5

Summary (Bottom Line Up Front)

A high-severity Modbus TCP reconnaissance campaign has been detected from IP 87.236.176.5 (Leeds, GB) against Modbus-exposed industrial control systems between 21 February and 6 March 2026. The source sent Modbus Diagnostics requests (function code 0x08) to the broadcast Unit ID to enumerate ICS/OT devices; this is active network reconnaissance of the kind that commonly precedes follow-on exploitation. Blocking the source at the perimeter and enhanced OT network monitoring are recommended.

Tags: Modbus, Unknown, auto
Activity Timeline
INITIAL REPORT 2026-03-10T17:26:15Z
Source: Analyst Manual Entry
Technical details
The source used Modbus TCP function code 0x08 (Diagnostics) addressed to the broadcast Unit ID (0) to enumerate devices. A broadcast diagnostics request asks every Modbus unit reachable behind the target to answer, which makes it a cheap presence probe that does not read or write process data. Three distinct events were recorded over 13 days, all against TCP port 9001; this is not the standard Modbus TCP port (502), so confirm what was actually listening there (a honeypot, a PLC with a non-default listener, or a forwarded port) before drawing conclusions about the target population. The behaviour maps to MITRE ATT&CK T1046 (Network Service Discovery). The source IP (87.236.176.5) is announced by AS211298 (Driftnet Ltd) and carries an AbuseIPDB abuse-confidence score of 100/100, meaning it has been widely reported for unsolicited scanning. Ports 53 and 80 are open on the source host itself; they describe the scanner's own services and are not additional attack vectors against the target. The absence of VPN or proxy infrastructure means the traffic arrives directly from the operator's own address space, which is typical of internet-wide survey scanning as well as of direct targeting. Before treating this as targeted activity, check whether the same source probes unrelated address ranges: a survey scanner is still worth blocking, but its risk profile differs from an adversary selecting ICS targets.
IOCs
IP: 87.236.176.5
ASN: 211298
COUNTRY: GB
Recommendations
  • Block IP 87.236.176.5 at the network perimeter and monitor the AS211298 (Driftnet Ltd) address space for further probes
  • Deploy logging and alerting for Modbus TCP traffic, in particular function code 0x08 (Diagnostics) requests whose Unit ID is 0 (broadcast) and that do not originate from known engineering hosts
  • Audit ICS/OT network segmentation immediately: no Modbus listener should be reachable from the internet or from the corporate network without an explicit allow-list
  • Harden Modbus TCP configurations: disable diagnostic sub-functions that are not needed, and note that classic Modbus TCP carries no authentication, so restrict access by firewall allow-list and use Modbus/TCP Security (TLS on port 802) only where devices actually support it
  • Establish baseline monitoring for the standard Modbus TCP port (502), the non-standard port 9001 observed here, and other ICS protocol ports, so that similar reconnaissance is detected rather than discovered after the fact
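The detection the technical details and the second recommendation describe, as an added example that is not part of the original report: it parses Modbus TCP frames (7-byte MBAP header followed by the PDU), flags function code 0x08 requests addressed to Unit ID 0 from non-trusted sources, and rolls alerts up per source. The traffic, the trusted address 10.20.0.15 and the exact timestamps are constructed for the example; only the source IP, port 9001 and the date range come from the report.

```python
"""Detect Modbus TCP Diagnostics (FC 0x08) probes sent to the broadcast Unit ID."""
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_PROTOCOL_ID = 0      # MBAP protocol identifier is always 0 for Modbus
FC_DIAGNOSTICS = 0x08       # function code named in the report
FC_READ_HOLDING = 0x03      # benign read used for the constructed engineering traffic
BROADCAST_UNIT_ID = 0       # Unit ID 0 is the Modbus broadcast address


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus TCP frame: 7-byte MBAP header followed by the PDU.

    Returns None for anything that is not a well-formed Modbus TCP frame, so
    unrelated traffic on the same port does not raise alerts.
    """
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != MODBUS_PROTOCOL_ID:
        return None
    if length != len(payload) - 6:      # length field counts unit id + PDU
        return None
    return ModbusFrame(tid, uid, payload[7], payload[8:])


def build_frame(unit_id: int, function_code: int, pdu_data: bytes, tid: int = 1) -> bytes:
    """Assemble MBAP header + PDU (used here only to construct sample traffic)."""
    pdu = bytes([function_code]) + pdu_data
    return struct.pack(">HHHB", tid, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def is_broadcast_diagnostics(frame: ModbusFrame) -> bool:
    """FC 0x08 addressed to Unit ID 0: every unit behind the target is asked to answer."""
    return frame.function_code == FC_DIAGNOSTICS and frame.unit_id == BROADCAST_UNIT_ID


def detect(events, trusted_sources):
    """events: (timestamp, src_ip, dst_port, raw TCP payload). Returns alert dicts."""
    alerts = []
    for ts, src, dport, payload in events:
        frame = parse_mbap(payload)
        if frame is None or src in trusted_sources:
            continue
        if is_broadcast_diagnostics(frame):
            # sub-function 0x0000 is "Return Query Data", the usual is-anyone-there echo
            sub = struct.unpack(">H", frame.data[:2])[0] if len(frame.data) >= 2 else None
            alerts.append({"ts": ts, "src": src, "dport": dport,
                           "unit_id": frame.unit_id, "fc": frame.function_code,
                           "sub_function": sub})
    return alerts


def summarize(alerts):
    """Per-source roll-up: event count, first/last day seen, ports touched."""
    out = {}
    for a in alerts:
        day = a["ts"][:10]
        s = out.setdefault(a["src"], {"events": 0, "first": day, "last": day, "ports": set()})
        s["events"] += 1
        s["first"] = min(s["first"], day)
        s["last"] = max(s["last"], day)
        s["ports"].add(a["dport"])
    return out


def sample_events():
    """Constructed traffic for the example (not captured data from the report)."""
    probe = build_frame(BROADCAST_UNIT_ID, FC_DIAGNOSTICS, struct.pack(">HH", 0x0000, 0x1234))
    read = build_frame(1, FC_READ_HOLDING, struct.pack(">HH", 0x0000, 0x000A))
    return [
        ("2026-02-21T03:14:07Z", "87.236.176.5", 9001, probe),
        ("2026-02-27T11:42:51Z", "87.236.176.5", 9001, probe),
        ("2026-03-06T22:05:19Z", "87.236.176.5", 9001, probe),
        ("2026-03-01T09:00:00Z", "10.20.0.15", 502, read),    # hypothetical engineering host
        ("2026-03-02T09:00:00Z", "10.20.0.15", 502, probe),   # same host, trusted: suppressed
        ("2026-03-03T13:37:00Z", "203.0.113.9", 9001, b"GET / HTTP/1.0\r\n\r\n"),  # not Modbus
    ]


if __name__ == "__main__":
    found = detect(sample_events(), trusted_sources={"10.20.0.15"})
    for src, s in summarize(found).items():
        print(f"{src}: {s['events']} broadcast diagnostics probes, "
              f"{s['first']} .. {s['last']}, ports {sorted(s['ports'])}")
```

The parser rejects frames whose protocol identifier is not 0 or whose length field disagrees with the payload, which is what keeps HTTP or scanner banners hitting port 9001 out of the alert stream; in a real deployment the event tuples would come from a packet tap or Zeek-style Modbus logs rather than from the constructed list.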