Sandworm Shifts Focus to Critical OT Assets From IT Systems
Key Takeaways
- The state-sponsored Russian hacking group Sandworm has intensified its focus on operational technology (OT) systems, moving beyond traditional IT networks to target critical industrial infrastructure.
- The group leverages unpatched, well-known vulnerabilities like EternalBlue, DoublePulsar, and WannaCry, often exploiting environments already compromised by other threat actors.
- Sandworm exhibits a methodical, aggressive approach, escalating attacks and targeting more systems, particularly industrial control components, even after initial detection.
- Analysis by Nozomi Networks revealed 29 Sandworm events across 10 industrial clients in seven countries between July 2025 and January 2026.
The notorious Russian state-sponsored hacking collective Sandworm has significantly altered its operational strategy, pivoting from IT network infiltration to direct attacks on operational technology (OT) systems that underpin physical infrastructure. This shift represents a grave escalation in the threat landscape for critical industries.
Alarmingly, Sandworm’s current campaign does not rely on novel zero-day exploits. Instead, the group systematically exploits existing, unaddressed vulnerabilities, transforming long-neglected security gaps into direct pathways for penetrating industrial control systems (ICS).
Sandworm, also identified as APT44, Seashell Blizzard, and Voodoo Bear, is widely attributed to GRU Unit 74455, the Russian military intelligence unit responsible for cyber sabotage. The group’s history includes highly destructive operations, notably the attacks on Ukraine’s power grid and the devastating global NotPetya malware outbreak in 2017.
Unlike cybercriminal organizations motivated by financial gain, Sandworm operates with a singular objective: to cause widespread disruption and, when deemed necessary, physical damage to infrastructure.
Researchers at Nozomi Networks conducted an in-depth analysis of anonymized telemetry data collected from 10 industrial clients across seven countries. This data, covering activity from July 2025 through January 2026, confirmed 29 distinct Sandworm incidents. The findings paint a picture of a threat actor that operates with precision, scales its attacks rapidly, and demonstrates persistence even when discovered.
A particularly concerning aspect of this campaign is its preventability. Every compromised system had generated numerous high-confidence security alerts for weeks or even months before Sandworm’s arrival. These critical warnings, unfortunately, went unaddressed.
From IT Footholds to OT Targets
The systems targeted by Sandworm had been signaling compromise for an average of 43 days before the group arrived. These were not stealthy intrusions; they were noisy, well-documented attacks that simply were not investigated in a timely manner.
The exploit chains utilized by Sandworm include well-known vulnerabilities such as EternalBlue, DoublePulsar, and WannaCry. These tools have been publicly documented and patchable for years, highlighting a significant failure in basic cyber hygiene.
Sandworm did not require new attack vectors. It frequently infiltrated environments that had already been compromised by other attackers, then leveraged these existing footholds to expand its presence deeper into operational technology domains.
Once Sandworm established a presence within a network, it did not remain dormant. Seventeen infected machines initiated lateral movement attacks, targeting 923 distinct internal systems. In one extreme case, a single compromised host independently targeted 405 internal systems, and one infection event led to a 12-fold surge in security alert volume. The targets were not arbitrary.
Sandworm exhibited a clear intention to reach industrial control systems, directly impacting critical components such as engineering workstations, human-machine interfaces (HMIs), and field controllers, including remote terminal units (RTUs), programmable logic controllers (PLCs), and intelligent electronic devices (IEDs).
At one victim location, 286 engineering workstations were specifically targeted, while another site saw 95 HMIs in the crosshairs. These are not merely IT assets; they are the interface points that manage physical equipment in critical sectors like manufacturing, energy generation, and transportation networks.
Nozomi Networks researchers also observed a predictable operational rhythm in Sandworm’s activity, with attacks typically peaking on Wednesdays around 2:00 PM Moscow time. This consistent, almost bureaucratic schedule suggests a highly organized, centrally managed operation, aligning with the typical workweek structure of Russian government and military units.
Escalation After Detection and Defensive Steps
One of the most alarming revelations from the research is Sandworm’s response to detection. Rather than withdrawing, the group tends to escalate its activities. Across all affected environments, alert volumes increased, new attack types emerged, more systems became targets, and the focus intensified on industrial control systems after initial detection.
Most victims experienced escalation across four to six of seven measurable dimensions simultaneously. This critical finding indicates that partial detection without complete containment can exacerbate the situation, potentially leading to more severe outcomes.
Therefore, security teams must prioritize rapid isolation following detection, especially for any system with access to operational technology. Incident response plans should anticipate that Sandworm will intensify its efforts once spotted, rather than retreating.
Nozomi Networks advises treating even seemingly routine alerts, such as detections of EternalBlue or Cobalt Strike, as significant strategic warnings instead of mere background noise. Defenders should prioritize fundamental cybersecurity hygiene, eliminate legacy protocols, enforce robust network segmentation between IT and OT environments, and ensure that past compromises are fully resolved rather than merely contained.
Engineering workstations and ICS management systems must be classified as critical assets, kept isolated from general internet access, and subjected to rigorous monitoring. Sandworm consistently exploited environments that were already compromised and capitalized on long-standing security deficiencies, suggesting that strong foundational security practices could have prevented many of these intrusions entirely.
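As an added illustration (not code from Nozomi Networks or the article), the following Python script measures a host's post-detection escalation over constructed alert records, using four of the measurable dimensions the article names: alert volume, new attack types, more targets, and ICS focus. The host names, asset classes, signatures and detection time are assumed sample values.

```python
# Added example, not from the Nozomi report: score one host's escalation after
# detection from constructed alert records. Dimensions used here are a subset
# (four of the seven the article mentions); the sample data is invented.
from datetime import datetime

# Asset classes treated as OT/ICS targets (assumption for this example).
OT_CLASSES = {"EWS", "HMI", "PLC", "RTU", "IED"}

# Constructed sample alerts: (time, source host, destination host,
# destination asset class, signature). Not real telemetry.
ALERTS = [
    ("2025-10-01T10:00", "ws-17", "srv-01", "IT", "EternalBlue"),
    ("2025-10-01T10:05", "ws-17", "srv-02", "IT", "EternalBlue"),
    ("2025-10-01T11:00", "ws-17", "srv-03", "IT", "DoublePulsar"),
    # assumed detection at 12:00; activity then widens toward OT assets
    ("2025-10-01T13:00", "ws-17", "ews-01", "EWS", "EternalBlue"),
    ("2025-10-01T13:01", "ws-17", "ews-02", "EWS", "DoublePulsar"),
    ("2025-10-01T13:02", "ws-17", "hmi-01", "HMI", "CobaltStrike"),
    ("2025-10-01T13:03", "ws-17", "plc-01", "PLC", "CobaltStrike"),
    ("2025-10-01T13:04", "ws-17", "plc-02", "PLC", "EternalBlue"),
    ("2025-10-01T13:05", "ws-17", "rtu-01", "RTU", "EternalBlue"),
]

def split_at(alerts, detection_iso):
    """Split alerts into (before, after) the moment of detection."""
    t0 = datetime.fromisoformat(detection_iso)
    before = [a for a in alerts if datetime.fromisoformat(a[0]) < t0]
    after = [a for a in alerts if datetime.fromisoformat(a[0]) >= t0]
    return before, after

def profile(alerts):
    """Summarise one window: volume, signatures, distinct and OT targets."""
    return {
        "volume": len(alerts),
        "signatures": {a[4] for a in alerts},
        "targets": {a[2] for a in alerts},
        "ot_targets": {a[2] for a in alerts if a[3] in OT_CLASSES},
    }

def escalation(alerts, detection_iso):
    """Return which dimensions grew after detection and the volume surge ratio."""
    before, after = (profile(w) for w in split_at(alerts, detection_iso))
    dims = {
        "volume": after["volume"] > before["volume"],
        "new_attack_types": bool(after["signatures"] - before["signatures"]),
        "more_targets": len(after["targets"]) > len(before["targets"]),
        "ics_focus": len(after["ot_targets"]) > len(before["ot_targets"]),
    }
    ratio = after["volume"] / max(before["volume"], 1)
    return {"escalated": [d for d, hit in dims.items() if hit], "surge": ratio}

def fanout(alerts, src):
    """Distinct internal hosts one source has targeted (lateral-movement spread)."""
    return len({a[2] for a in alerts if a[1] == src})
```

A host whose `escalated` list fills several dimensions at once, as every victim in the report did, is the signal to isolate it from OT-reachable segments rather than to keep watching.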
What You Should Do
- Implement robust network segmentation to create clear boundaries between IT and OT environments.
- Prioritize patching for known vulnerabilities, especially those exploited by Sandworm such as EternalBlue, DoublePulsar, and WannaCry.
- Treat all security alerts, even seemingly low-priority ones, as potential indicators of a more significant threat and investigate them thoroughly.
- Ensure engineering workstations and ICS management systems are isolated from the internet and general IT networks, and monitor them with heightened vigilance.
- Develop and regularly test incident response plans that account for Sandworm’s tendency to escalate attacks upon detection.
- Conduct regular security audits and vulnerability assessments to identify and remediate long-standing security gaps and unpatched systems.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.