On Sun, 19 Jun 2022 08:06:59 -0400 Dovid Bender <dovid@telecurve.com> wrote:
I don't know who is doing it. I just know that IL Cert contacted our parent company which has an ISP in Israel when things were "hot".
Some national government infrastructure protection organizations will relay notifications to local provider networks (e.g., abuse@) based on reputable third party surveyors (aka network scanner operators). I think it is safe to assume this is generally done as a public service, but perhaps with some mandates to measure and minimize risk within a country's borders. Most providers will usually convey the notification in fairly strong language, usually demanding some sort of response and if applicable, remediation. The reports can contain false positives (e.g., when scanners cannot differentiate between vulnerable systems and honeypots).

It isn't always clear based on the relayed reports who is running the scans, but in my experience Shadowserver is the most widely used and cited. There are of course lots of others running scans. Commercially, Greynoise tracks many of them. A research-based tracker is also available here: <https://gitlab.com/mcollins_at_isi/acknowledged_scanners>

John