Hackers News
Sandworm Shifts Focus to Critical OT Assets From IT Systems

Jennifer Sherman
May 14, 2026

Key Takeaways

  • The state-sponsored Russian hacking group Sandworm has intensified its focus on operational technology (OT) systems, moving beyond traditional IT networks to target critical industrial infrastructure.
  • The group leverages unpatched, well-known vulnerabilities like EternalBlue, DoublePulsar, and WannaCry, often exploiting environments already compromised by other threat actors.
  • Sandworm exhibits a methodical, aggressive approach, escalating attacks and targeting more systems, particularly industrial control components, even after initial detection.
  • Analysis by Nozomi Networks revealed 29 Sandworm events across 10 industrial clients in seven countries between July 2025 and January 2026.

The notorious Russian state-sponsored hacking collective Sandworm has significantly altered its operational strategy, pivoting from IT network infiltration to direct attacks on operational technology (OT) systems that underpin physical infrastructure. This shift represents a grave escalation in the threat landscape for critical industries.

Alarmingly, Sandworm’s current campaign does not rely on novel zero-day exploits. Instead, the group systematically exploits existing, unaddressed vulnerabilities, transforming long-neglected security gaps into direct pathways for penetrating industrial control systems (ICS).

Sandworm, also identified as APT44, Seashell Blizzard, and Voodoo Bear, is widely attributed to GRU Unit 74455, the Russian military intelligence unit responsible for cyber sabotage. The group’s history includes highly destructive operations, notably the attacks on Ukraine’s power grid and the devastating global NotPetya malware outbreak in 2017.

Unlike cybercriminal organizations motivated by financial gain, Sandworm operates with a singular objective: to cause widespread disruption and, when deemed necessary, physical damage to infrastructure.

Researchers at Nozomi Networks conducted an in-depth analysis of anonymized telemetry data collected from 10 industrial clients across seven countries. This data, covering activity from July 2025 through January 2026, confirmed 29 distinct Sandworm incidents. The findings paint a picture of a threat actor that operates with precision, scales its attacks rapidly, and demonstrates persistence even when discovered.

A particularly concerning aspect of this campaign is its preventability. Every compromised system had generated numerous high-confidence security alerts for weeks or even months before Sandworm’s arrival. These critical warnings, unfortunately, went unaddressed.

From IT Footholds to OT Targets

The systems Sandworm targeted had been signaling compromise for an average of 43 days before its arrival. These were not stealthy intrusions; they were noisy, well-documented attacks that simply were not investigated in time.

The exploit chains Sandworm uses rely on well-known weaknesses and tooling such as the EternalBlue SMB exploit, the DoublePulsar backdoor, and WannaCry. All of these have been publicly documented and patchable for years, which points to a significant failure in basic cyber hygiene.

Sandworm did not require new attack vectors. It frequently infiltrated environments that had already been compromised by other attackers, then leveraged these existing footholds to expand its presence deeper into operational technology domains.

Once Sandworm established a presence within a network, it did not remain dormant. Seventeen infected machines initiated lateral movement attacks, targeting 923 distinct internal systems. In one extreme case, a single compromised host independently targeted 405 internal systems, and one infection event led to a 12-fold surge in security alert volume. The targets were not arbitrary.

Sandworm exhibited a clear intention to reach industrial control systems, directly impacting critical components such as engineering workstations, human-machine interfaces (HMIs), and field controllers, including remote terminal units (RTUs), programmable logic controllers (PLCs), and intelligent electronic devices (IEDs).

At one victim location, 286 engineering workstations were specifically targeted, while another site saw 95 HMIs in the crosshairs. These are not merely IT assets; they are the interface points that manage physical equipment in critical sectors like manufacturing, energy generation, and transportation networks.

Nozomi Networks researchers also observed a predictable operational rhythm in Sandworm’s activity, with attacks typically peaking on Wednesdays around 2:00 PM Moscow time. This consistent, almost bureaucratic schedule suggests a highly organized, centrally managed operation, aligning with the typical workweek structure of Russian government and military units.

Escalation After Detection and Defensive Steps

One of the most alarming revelations from the research is Sandworm’s response to detection. Rather than withdrawing, the group tends to escalate its activities. Across all affected environments, alert volumes increased, new attack types emerged, more systems became targets, and the focus intensified on industrial control systems after initial detection.

Most victims experienced escalation across four to six of seven measurable dimensions simultaneously. This critical finding indicates that partial detection without complete containment can exacerbate the situation, potentially leading to more severe outcomes.

Therefore, security teams must prioritize rapid isolation following detection, especially for any system with access to operational technology. Incident response plans should anticipate that Sandworm will intensify its efforts once spotted, rather than retreating.

Nozomi Networks advises treating even seemingly routine alerts, such as detections of EternalBlue or Cobalt Strike, as significant strategic warnings instead of mere background noise. Defenders should prioritize fundamental cybersecurity hygiene, eliminate legacy protocols, enforce robust network segmentation between IT and OT environments, and ensure that past compromises are fully resolved rather than merely contained.

Engineering workstations and ICS management systems must be classified as critical assets, kept isolated from general internet access, and subjected to rigorous monitoring. Sandworm consistently exploited environments that were already compromised and capitalized on long-standing security deficiencies, suggesting that strong foundational security practices could have prevented many of these intrusions entirely.
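The triage logic described above, as an added example that is not part of the original article or of Nozomi Networks' tooling: it runs over a few constructed alert records (hypothetical hosts, asset names and timestamps) and flags, per source host, how long high-confidence alerts have gone unaddressed, how many internal systems the host has fanned out to, whether any of them are OT assets, and whether alert volume is rising or falling after detection. The thresholds and asset-class labels are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (hypothetical, not real telemetry): (source host, ISO time, signature, target asset, asset class)
ALERTS = [
    ("ws-17", "2025-09-01T09:00", "EternalBlue SMB exploit attempt", "fs-02", "IT"),
    ("ws-17", "2025-09-03T10:15", "DoublePulsar backdoor ping", "fs-02", "IT"),
    ("ws-17", "2025-10-14T14:00", "SMB lateral movement", "ews-01", "EWS"),
    ("ws-17", "2025-10-14T14:02", "SMB lateral movement", "hmi-04", "HMI"),
    ("ws-17", "2025-10-14T14:05", "Modbus write to coil", "plc-09", "PLC"),
    ("ws-22", "2025-10-10T08:00", "Cobalt Strike beacon", "proxy-01", "IT"),
]
OT_CLASSES = {"EWS", "HMI", "PLC", "RTU", "IED"}
# Signatures the article says to treat as strategic warnings rather than background noise.
STRATEGIC = ("EternalBlue", "DoublePulsar", "Cobalt Strike")

def triage(alerts, now_iso, max_unaddressed_days=7, fanout_threshold=3):
    """Per source host: oldest-alert dwell time, lateral fan-out, OT reach, and a containment priority."""
    by_host = defaultdict(list)
    for row in alerts:
        by_host[row[0]].append(row)
    findings = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[1])  # ISO timestamps sort lexicographically
        dwell = (datetime.fromisoformat(now_iso) - datetime.fromisoformat(rows[0][1])).days
        targets = {r[3] for r in rows if r[3] != host}
        ot_hit = sorted({r[3] for r in rows if r[4] in OT_CLASSES})
        reasons = []
        if dwell > max_unaddressed_days:
            reasons.append(f"alerts unaddressed for {dwell} days")
        if len(targets) >= fanout_threshold:
            reasons.append(f"fan-out to {len(targets)} internal systems")
        if ot_hit:
            reasons.append(f"reached OT assets {ot_hit}")
        if any(sig in r[2] for r in rows for sig in STRATEGIC):
            reasons.append("strategic signature present")
        # Any reach into OT or wide fan-out calls for isolation, not just a ticket.
        isolate = bool(ot_hit) or len(targets) >= fanout_threshold
        priority = "ISOLATE" if isolate else ("INVESTIGATE" if reasons else "OK")
        findings[host] = {"dwell_days": dwell, "fanout": len(targets),
                          "ot_targets": ot_hit, "priority": priority, "reasons": reasons}
    return findings

def escalation_factor(alerts, detected_at_iso, window_days=7):
    """Alert volume in the window after detection over the window before; well above 1 means escalation."""
    detected, win = datetime.fromisoformat(detected_at_iso), timedelta(days=window_days)
    times = [datetime.fromisoformat(r[1]) for r in alerts]
    before = sum(1 for t in times if detected - win <= t < detected)
    after = sum(1 for t in times if detected <= t < detected + win)
    return after / max(before, 1)
```

With the constructed data, the host that fanned out into engineering workstation, HMI and PLC assets after 43 days of ignored alerts comes back as ISOLATE, while the lone Cobalt Strike beacon is kept as an INVESTIGATE item rather than dropped as noise.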

What You Should Do

  • Implement robust network segmentation to create clear boundaries between IT and OT environments.
  • Prioritize patching for known vulnerabilities, especially those exploited by Sandworm such as EternalBlue, DoublePulsar, and WannaCry.
  • Treat all security alerts, even seemingly low-priority ones, as potential indicators of a more significant threat and investigate them thoroughly.
  • Ensure engineering workstations and ICS management systems are isolated from the internet and general IT networks, and monitor them with heightened vigilance.
  • Develop and regularly test incident response plans that account for Sandworm’s tendency to escalate attacks upon detection.
  • Conduct regular security audits and vulnerability assessments to identify and remediate long-standing security gaps and unpatched systems.
