Summary (Bottom Line Up Front)
Russian-origin IP address 95.25.169.123 conducted sustained SMBv1 protocol reconnaissance against non-standard port 9001 over a 15-day period from February 15 to March 2, 2026. This activity represents HIGH-risk reconnaissance, likely preparing for lateral movement exploitation of legacy SMB services. Organizations should immediately audit SMB exposure and disable SMBv1 protocol support.
Activity Timeline
UPDATE 1 (2026-03-23T14:10:04Z)
Source: Analyst Manual Entry
Russian-origin IP address 95.25.169.123 conducted sustained SMBv1 protocol reconnaissance against non-standard port 9001 over a 15-day period from February 15 to March 2, 2026. This activity represents HIGH-risk reconnaissance, likely preparing for lateral movement exploitation of legacy SMB services. Organizations should immediately audit SMB exposure and disable SMBv1 protocol support.
New findings
Attack Vector: External reconnaissance targeting SMBv1 protocol negotiation on TCP port 9001
Volume: 79 events over the 15-day campaign window
MITRE Technique: T1046 (Network Service Scanning)
Kill Chain Phase: Reconnaissance
Key Indicators: SMBv1 dialect negotiation attempts including legacy protocols (PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, NT LM 0.12)
Source Attribution: AS3216 PVimpelCom, Russian Federation
Protocol Abuse: Modbus and SMB protocols observed on non-standard ports, suggesting evasion techniques
IOC: 95.25.169.123
Recommendations
- Block IP address 95.25.169.123 at network perimeter and monitor for additional reconnaissance from AS3216 address space
- Conduct immediate audit of all SMB services exposed to external networks and restrict access to trusted sources only
- Disable SMBv1 protocol support across all Windows systems and network devices to eliminate EternalBlue attack vectors
- Implement network segmentation to prevent lateral movement between critical systems and user networks
- Deploy enhanced monitoring for SMB traffic on non-standard ports and legacy protocol negotiation attempts
INITIAL REPORT (2026-03-23T13:08:17Z)
Source: Analyst Manual Entry
Russian-originating IP address 95.25.169.123 conducted sustained SMBv1 protocol reconnaissance against non-standard port 9001 over a 15-day period from February 15 to March 2, 2026. This activity represents MEDIUM-risk reconnaissance using legacy SMB protocols that could precede exploitation attempts. Organizations should immediately verify that SMBv1 is disabled and monitor for follow-up attacks targeting discovered services.
Technical details
The threat actor conducted 79 reconnaissance events using deprecated SMBv1 protocol negotiations, specifically targeting TCP port 9001. Analysis identified MITRE technique T1046 (Network Service Scanning), with captured SMB dialect negotiations including the "NT LM 0.12", "LANMAN2.1", and "Windows for Workgroups 3.1a" strings. The campaign originated from AS3216 (PVimpelCom) infrastructure with no current reputation indicators. Attack patterns included legacy SMB dialect negotiation attempts with both medium- and high-severity classifications. The non-standard port targeting (9001 rather than the typical 445/139) suggests potential evasion tactics or targeting of custom SMB implementations.
IOCs
IP: 95.25.169.123
ASN: 3216
COUNTRY: RU
Recommendations
- Immediately audit and disable SMBv1 protocol across all network infrastructure and endpoints
- Implement network monitoring for SMBv1 traffic on non-standard ports, particularly 9001
- Block inbound connections from 95.25.169.123 and monitor for lateral movement from this source
- Review firewall rules to ensure SMB ports (139, 445, and custom implementations) are not exposed to external networks
- Deploy enhanced logging for SMB protocol negotiations to detect similar reconnaissance attempts
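The monitoring the recommendations call for needs to see inside the SMBv1 NEGOTIATE request, so the following parser, added here as an example and not part of the report or any vendor tool, extracts the dialect list from a captured TCP payload and flags the combination this report describes: an SMBv1 negotiation, a destination port outside 139/445, and the legacy dialect strings quoted above. The sample packet is constructed for the test; the IP, port and dialect names come from the report.

```python
import struct

STANDARD_SMB_PORTS = {139, 445}
# Dialect strings captured in this report's negotiations.
REPORTED_LEGACY_DIALECTS = {
    "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
    "LANMAN2.1", "NT LM 0.12",
}

def parse_smb1_negotiate(payload: bytes):
    """Return the dialect list from an SMBv1 NEGOTIATE request (NetBIOS session
    header + SMB1 header + parameters + data), or None if payload is not one."""
    if len(payload) < 4 + 32 + 3 or payload[0] != 0x00:   # NetBIOS session message
        return None
    nb_len = int.from_bytes(payload[1:4], "big")
    smb = payload[4:4 + nb_len]
    # 32-byte SMB1 header: magic, command 0x72 = SMB_COM_NEGOTIATE
    if len(smb) < 35 or smb[:4] != b"\xffSMB" or smb[4] != 0x72:
        return None
    word_count = smb[32]                      # parameter words (0 for NEGOTIATE)
    params_end = 33 + 2 * word_count
    if params_end + 2 > len(smb):
        return None
    byte_count = struct.unpack_from("<H", smb, params_end)[0]
    data = smb[params_end + 2:params_end + 2 + byte_count]
    dialects, i = [], 0
    while i < len(data) and data[i] == 0x02:  # each dialect: 0x02 + NUL-terminated ASCII
        end = data.find(b"\x00", i + 1)
        if end < 0:
            break
        dialects.append(data[i + 1:end].decode("ascii", errors="replace"))
        i = end + 1
    return dialects

def classify(src_ip: str, dst_port: int, payload: bytes):
    """Return a finding dict for an SMBv1 negotiation, or None for other traffic."""
    dialects = parse_smb1_negotiate(payload)
    if dialects is None:
        return None
    reasons = ["smbv1_negotiate"]
    if dst_port not in STANDARD_SMB_PORTS:
        reasons.append(f"non_standard_port:{dst_port}")
    legacy = sorted(REPORTED_LEGACY_DIALECTS & set(dialects))
    if legacy:
        reasons.append("legacy_dialects:" + ",".join(legacy))
    return {"src": src_ip, "port": dst_port, "dialects": dialects, "reasons": reasons}

def build_negotiate(dialects):
    """Constructed sample: a minimal, well-formed SMBv1 NEGOTIATE request."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = b"\xffSMB\x72" + b"\x00" * 4 + b"\x18" + b"\x01\x28" + b"\x00" * 20
    smb = header + bytes([0]) + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb
```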