my bet is on an assessor mis-scanning an ip range during a scheduled network assessment. having been in those trenches, this is how it was firmly explained to me every week when tasks were delegated: "double and triple-check all your target ip addresses. we don't want someone outside the network complaining about a scan, that's a reportable incident and makes us look like douches when we are trying to get new business with the fed client."