Summary (Bottom Line Up Front)
IP address 91.224.92.114 conducted 49 targeted attacks against industrial control systems between February 18, 2026 14:00 and March 16, 2026 10:00, primarily leveraging Siemens S7 communication protocols. This represents a MEDIUM threat level with moderate confidence, indicating potential reconnaissance or exploitation attempts against critical infrastructure. Network defenders should immediately review ICS network segmentation and monitor for S7comm protocol anomalies.
Activity Timeline
UPDATE 3 2026-03-27T10:25:50Z
Source: Analyst Manual Entry
New findings
Attack Vector: Threat actor utilized Modbus and S7comm protocols to target industrial control systems across 3 unique destination ports over a 26-day period. Primary attack pattern involved S7comm COTP (Connection Oriented Transport Protocol) connection requests on non-standard port 9001, with 10 confirmed connection attempts. Activity maps to MITRE ATT&CK technique T1040 (Network Sniffing), suggesting reconnaissance phase operations. The attacker demonstrated knowledge of industrial protocols including Siemens S7 communication standards, indicating potential familiarity with SCADA/HMI environments.
Key IOCs:
- Source IP: 91.224.92.114
- Protocols: Modbus, S7comm, RDP, TCP
- Target Port: 9001 (non-standard)
- Attack Signature: S7comm COTP Connection Request (T0846)
Recommendations
- Implement network segmentation between IT and OT environments, blocking unauthorized S7comm traffic from external sources
- Monitor for S7comm protocol communications on non-standard ports (particularly port 9001) and establish baseline traffic patterns
- Deploy industrial protocol-aware intrusion detection systems capable of parsing Modbus and S7comm communications
- Review and harden RDP configurations, disabling unnecessary remote access services on industrial networks
- Conduct immediate asset inventory of Siemens S7 PLCs and HMIs to identify potential exposure points
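As an added detection example (not part of this report or any vendor tool), the following Python recognizes a TPKT-framed S7comm COTP Connection Request in a TCP payload and labels it differently when the destination port is not the standard 102/tcp, which is the check the recommendation above calls for; the sample payloads are constructed here, and the label names are my own.

```python
from typing import Optional

S7_STANDARD_PORT = 102     # S7comm normally rides ISO-on-TCP, port 102/tcp
COTP_CR = 0xE0             # COTP PDU type: Connection Request

def parse_cotp_cr(payload: bytes) -> Optional[dict]:
    """Return reference/TSAP details if payload is a TPKT-framed COTP CR, else None.
    TPKT: version 0x03, reserved, 2-byte length.  COTP: length indicator (LI),
    PDU type, then for a CR: dst ref, src ref, class/option and TLV parameters
    (0xC0 TPDU size, 0xC1 calling TSAP, 0xC2 called TSAP).
    """
    if len(payload) < 11 or payload[0] != 0x03:
        return None
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return None                      # truncated or padded frame
    li, pdu_type = payload[4], payload[5]
    if pdu_type != COTP_CR or 5 + li > len(payload):
        return None
    info = {"dst_ref": int.from_bytes(payload[6:8], "big"),
            "src_ref": int.from_bytes(payload[8:10], "big")}
    pos, end = 11, 5 + li                # parameters follow the class/option byte
    while pos + 2 <= end:
        code, plen = payload[pos], payload[pos + 1]
        val = payload[pos + 2:pos + 2 + plen]
        if len(val) != plen:
            return None                  # malformed TLV: do not trust the frame
        if code == 0xC0:
            info["tpdu_size"] = 1 << val[0]
        elif code == 0xC1:
            info["src_tsap"] = val.hex()
        elif code == 0xC2:
            info["dst_tsap"] = val.hex()
        pos += 2 + plen
    return info

def classify(dst_port: int, payload: bytes) -> str:
    """Label a flow as 'not-s7', 's7-cr-standard-port' or 's7-cr-nonstandard-port'."""
    if parse_cotp_cr(payload) is None:
        return "not-s7"
    return "s7-cr-standard-port" if dst_port == S7_STANDARD_PORT else "s7-cr-nonstandard-port"

# Constructed sample payloads (not captured from the reported actor).
S7_CR = bytes.fromhex("0300001611e00000000100c0010ac1020100c2020102")
MODBUS_READ = bytes.fromhex("000100000006010300000001")  # MBAP + Read Holding Registers

if __name__ == "__main__":
    for port, pkt in [(102, S7_CR), (9001, S7_CR), (502, MODBUS_READ)]:
        print(port, classify(port, pkt), parse_cotp_cr(pkt))
```

Fed from a sensor that exposes destination port and payload per flow, the `s7-cr-nonstandard-port` label is the baseline-deviation signal to alert on; the TSAP values let defenders check whether the called rack/slot matches any real PLC.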
UPDATE 2 2026-03-24T06:38:14Z
Source: Analyst Manual Entry
A sophisticated threat actor operating from Lithuania (91.224.92.114) has been conducting targeted attacks against industrial control systems using malformed S7comm protocol packets over a 26-day period ending March 16, 2026. This represents a HIGH severity threat with 85% confidence, specifically targeting Siemens S7 PLC infrastructure through non-standard communication channels. Immediate containment and an ICS network segmentation review are recommended.
New findings
Attack Profile: 49 malicious events detected between February 18 and March 16, 2026, originating from AS209605 cloud hosting infrastructure in Kaunas, Lithuania. The attacker demonstrates advanced ICS knowledge by targeting Modbus and proprietary S7comm protocols on non-standard port 9001.
MITRE Mapping: T0846 (Remote System Discovery) within the ICS kill chain exploitation phase.
Key IOCs: Source IP 91.224.92.114 with AbuseIPDB score 100/100, Windows Server 2022 fingerprint, open ports 135/137/445/5985/47001 indicating potential lateral movement capabilities.
Attack Vector: S7comm COTP Connection Request packets with embedded authentication bypass attempts, suggesting reconnaissance of Siemens PLC infrastructure and potential protocol parsing vulnerability exploitation.
Recommendations
- Block source IP 91.224.92.114 and monitor for additional AS209605 infrastructure targeting ICS networks
- Implement enhanced monitoring for S7comm protocol traffic on non-standard ports, particularly port 9001
- Review network segmentation between IT and OT environments to prevent lateral movement via discovered Windows services
- Deploy additional ICS-specific intrusion detection signatures for Modbus and S7comm protocol anomalies
- Conduct immediate asset inventory of Siemens S7 PLCs and verify authentication configurations are properly hardened
UPDATE 1 2026-03-14T08:36:17Z
Source: Analyst Manual Entry
Internet-facing sensors observed a cloud-hosted actor from Lithuania conducting targeted attacks against industrial control systems over a 19-day period from February 18 to March 9, 2026. The threat actor demonstrated specialized knowledge of industrial protocols, specifically executing Siemens S7 communication attempts and COTP connection requests against operational technology infrastructure. Activity patterns indicate a focused, persistent campaign rather than opportunistic scanning.
New findings
The actor operated from IP 91.224.92.114 (AS209605, Lithuania) running Windows Server 2022 (build 10.0.20348) with multiple exposed services including SMB (445), WinRM (5985), and RPC endpoints (135, 137, 47001). Primary attack vectors utilized Modbus and S7comm protocols targeting industrial control systems. Specific techniques included s7comm_cotp_connect_request attempts classified as medium-severity ICS attacks. The actor targeted 3 unique destination ports across 43 distinct events, with activity mapped to MITRE ATT&CK techniques for industrial system discovery and protocol exploitation. Traffic analysis revealed structured communication attempts consistent with SCADA/HMI enumeration rather than broad network reconnaissance.
INITIAL REPORT 2026-03-14T08:34:31Z
Source: Analyst Manual Entry
Internet-facing sensors observed targeted industrial control system (ICS) attacks originating from a Lithuanian cloud hosting provider between February 18 and March 9, 2026. The threat actor demonstrated focused reconnaissance and exploitation attempts against Siemens S7 communication protocols, indicating specialized knowledge of industrial automation systems. Activity patterns suggest a persistent, methodical approach to ICS infrastructure targeting rather than opportunistic scanning.
Technical details
The threat actor primarily utilized Modbus and S7comm protocols to target industrial control systems. Eight instances of s7comm_cotp_connect_request attacks were observed, indicating attempts to establish connections with Siemens S7 PLCs using the Connection Oriented Transport Protocol (COTP). The attacks map to MITRE ATT&CK techniques T0802 (Automated Collection) and T0885 (Commonly Used Port) within the ICS framework. Traffic analysis revealed the actor targeted three unique destination ports associated with industrial protocols. The source system exhibited characteristics consistent with Windows Server 2022 (build 10.0.20348) with multiple open ports including 135 (RPC), 137 (NetBIOS), 445 (SMB), 5985 (WinRM), and 47001 (WinRM HTTPS), suggesting compromised server infrastructure being leveraged for attacks.
IOCs
IP: 91.224.92.114
ASN: 209605
COUNTRY: LT