Sandworm Hackers Escalate Attacks from IT Networks to Critical Operational Technology Systems
A Russian state-sponsored hacking group known as Sandworm has been identified shifting its focus from compromised IT networks to operational technology (OT) systems that control physical infrastructure. This strategic move is particularly concerning as it exploits existing vulnerabilities rather than relying on new exploits, turning unresolved security gaps into gateways for attacks on industrial control systems.
Sandworm, also tracked as APT44, Seashell Blizzard, and Voodoo Bear, is attributed to GRU Unit 74455, Russia’s military intelligence cyber sabotage unit. The group has a history of disruptive activities, including the Ukrainian power grid attacks and the 2017 NotPetya malware outbreak. Unlike financially motivated ransomware gangs, Sandworm’s primary mission is to cause disruption and, when necessary, physical damage.
Researchers at Nozomi Networks analyzed anonymized telemetry from 10 industrial customers across seven countries, covering activity from July 2025 through January 2026. The analysis confirmed 29 separate Sandworm events, revealing a threat actor that moves methodically, scales aggressively, and does not retreat when discovered.
What makes this campaign particularly troubling is how preventable much of it was. Every infected system had generated weeks or months of high-confidence security alerts long before Sandworm arrived. On average, compromised systems had been sending warning signals for 43 days. These were not quiet intrusions but noisy, well-documented attacks that went uninvestigated.
The exploit chains in play included EternalBlue, DoublePulsar, and WannaCry, all tools that have been publicly known and patchable for years. Sandworm did not need any new tricks; it moved into environments that other attackers had already taken over and used those footholds to push deeper into industrial territory.
Once Sandworm established a presence inside a network, it did not stay quiet. Seventeen infected machines launched lateral movement attacks against 923 unique internal targets. In the most extreme case, a single compromised host targeted 405 internal systems on its own, and one infection event caused a 12-fold spike in alert volume. The targets were not random; Sandworm showed clear intent to reach industrial control systems, directly hitting engineering workstations, human-machine interfaces (HMIs), and field controllers, including remote terminal units, programmable logic controllers, and intelligent electronic devices.
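The two patterns the article singles out, high-confidence alerts that sat un-investigated for weeks before the actor arrived (the 43-day average above) and a single host fanning out against hundreds of internal systems in a short burst, can both be scored directly from a SOC's own alert feed. The Python below is an added example written for this page, not Nozomi Networks' tooling or anything from the report; the alert lines, IP addresses, alert names, thresholds and the fixed "now" timestamp are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median
import ipaddress

# Constructed sample alert feed (not real telemetry; hosts, times and alert
# names are invented). One alert per line:
#   <ISO-8601 timestamp> <severity> <source IP> <destination IP> <alert name>
SAMPLE_ALERTS = """\
2025-09-01T09:00:00Z HIGH 10.10.1.5 10.10.1.20 smb-exploit-attempt
2025-09-08T09:05:00Z HIGH 10.10.1.5 10.10.1.21 smb-exploit-attempt
2025-09-15T09:10:00Z HIGH 10.10.1.5 10.10.1.22 kernel-backdoor-ping
2025-10-13T11:00:00Z LOW 10.10.3.7 10.10.3.9 port-scan-light
2025-10-14T14:00:00Z HIGH 10.10.1.5 10.10.2.10 smb-exploit-attempt
2025-10-14T14:00:05Z HIGH 10.10.1.5 10.10.2.11 smb-exploit-attempt
2025-10-14T14:00:10Z HIGH 10.10.1.5 10.10.2.12 smb-exploit-attempt
2025-10-14T14:00:15Z HIGH 10.10.1.5 10.10.2.13 smb-exploit-attempt
2025-10-14T14:00:20Z HIGH 10.10.1.5 10.10.2.14 smb-exploit-attempt
2025-10-14T14:00:25Z HIGH 10.10.1.5 8.8.8.8 dns-anomaly
2025-10-14T14:01:00Z LOW 10.10.3.7 10.10.3.8 port-scan-light
""".splitlines()

# Hypothetical review time, fixed so the example is reproducible;
# a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 10, 14, 14, 5, tzinfo=timezone.utc)


def parse_alert(line):
    """Split one alert line into a dict with a timezone-aware timestamp."""
    ts, sev, src, dst, name = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "sev": sev, "src": src, "dst": dst, "name": name}


def is_internal(ip):
    """Treat RFC 1918 / private ranges as the internal network."""
    return ipaddress.ip_address(ip).is_private


def unattended_alert_age(alerts, now, severity="HIGH"):
    """Days since each source host's first alert at `severity`: how long a
    high-confidence signal has been sitting un-investigated."""
    first = {}
    for a in alerts:
        if a["sev"] == severity:
            first[a["src"]] = min(first.get(a["src"], a["ts"]), a["ts"])
    return {src: (now - ts).days for src, ts in first.items()}


def lateral_fan_out(alerts, window_minutes=60):
    """Maximum number of distinct internal destinations a source host hit
    within any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for a in alerts:
        if is_internal(a["dst"]):
            by_src[a["src"]].append(a)
    result = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a["ts"])
        in_window, left, best = Counter(), 0, 0
        for a in items:
            in_window[a["dst"]] += 1
            # Slide the left edge forward until the window fits.
            while a["ts"] - items[left]["ts"] > window:
                old = items[left]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def daily_alert_spike(alerts):
    """Busiest day and its alert count relative to the median of other days."""
    per_day = Counter(a["ts"].date() for a in alerts)
    peak_day, peak = per_day.most_common(1)[0]
    others = [n for d, n in per_day.items() if d != peak_day]
    baseline = median(others) if others else 1
    return peak_day.isoformat(), peak / baseline


def triage(alerts, now, min_age_days=30, min_fan_out=5):
    """Hosts whose high-severity alerts have aged past `min_age_days` and which
    have since started fanning out internally: the profile to escalate first.
    Thresholds are assumptions for the example, not values from the report."""
    ages = unattended_alert_age(alerts, now)
    fan = lateral_fan_out(alerts)
    return sorted(h for h, age in ages.items()
                  if age >= min_age_days and fan.get(h, 0) >= min_fan_out)


ALERTS = [parse_alert(line) for line in SAMPLE_ALERTS]

if __name__ == "__main__":
    print("unattended HIGH alert age (days):", unattended_alert_age(ALERTS, NOW))
    print("max internal fan-out per source:", lateral_fan_out(ALERTS))
    print("peak day and spike ratio:", daily_alert_spike(ALERTS))
    print("escalate first:", triage(ALERTS, NOW))
```

In an OT environment the fan-out count is more useful when the destinations are joined against an asset inventory, so that a host reaching engineering workstations, HMIs or controllers scores higher than one touching ordinary office machines; that join is left out here because the example has no inventory to draw on.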
At one victim site, 286 engineering workstations were targeted, while another saw 95 HMIs in the crosshairs. These are not just computers; they manage physical equipment in factories, power plants, and transportation networks.
Nozomi Networks researchers also noted that Sandworm activity follows a predictable schedule, peaking on Wednesdays around 2:00 PM Moscow time. This bureaucratic regularity suggests a well-organized operation with a clear timetable.