Sandworm Targets Critical Infrastructure with Aggressive OT Attacks

Severity: High (Score: 76.5)

Sources: www.nozominetworks.com, GBHackers, industrialcyber.co

Summary

The Russian state-sponsored group Sandworm has intensified its cyber operations against industrial and critical infrastructure, working from operational technology (OT) environments it had already compromised rather than relying on zero-day exploits. Research by Nozomi Networks documented 29 confirmed Sandworm-related incidents between July 2025 and January 2026, affecting sectors including manufacturing and transportation. The group reused legacy tooling and well-known attack vectors, such as the EternalBlue SMBv1 exploit (MS17-010) and WannaCry, and favoured lateral movement within victim networks over fresh initial access. Notably, Sandworm escalates its activity after being detected, typically increasing operational disruption rather than withdrawing. Activity timestamps cluster within Moscow working hours, indicating a structured, shift-based operation. Targeted systems include engineering workstations, HMIs and PLCs; in one case a single compromised machine attempted connections to 923 unique internal targets. The findings underline the need for detection that catches internal fan-out and lateral movement, and for response plans that anticipate escalation once the intrusion is discovered.

Key Points:

  • Sandworm is operating from pre-compromised OT environments instead of exploiting zero-day vulnerabilities.
  • The group has conducted 29 confirmed attacks on critical infrastructure since mid-2025.
  • Sandworm escalates operations post-detection, increasing disruption to targeted systems.
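The summary's two most actionable observables are internal fan-out (one host reaching 923 distinct internal targets) and a Moscow working-hours rhythm. The following is an added example, not code from Nozomi Networks or any of the cited reports: it scores Zeek-style conn.log records for lateral-movement fan-out over SMB/RPC/RDP/WinRM and reports how much of a flagged host's activity falls in Moscow business hours. The field layout, the internal ranges, the 50-target threshold and the sample records are all assumptions constructed for the example.

```python
"""Lateral-movement fan-out and working-hours scoring over Zeek-style conn.log.

Added example; not part of the original report. Field order, thresholds and
the sample records below are assumptions chosen to illustrate the technique.
"""
from collections import defaultdict
from datetime import datetime, timezone, timedelta
import ipaddress

MSK = timezone(timedelta(hours=3))  # Moscow Standard Time, UTC+3, no DST
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {445, 135, 3389, 5985}  # SMB, RPC endpoint mapper, RDP, WinRM (T1021)
FANOUT_THRESHOLD = 50  # assumed: distinct internal targets per source before alerting


def _epoch(y, m, d, hh, mm):
    """UTC wall-clock to epoch seconds (Zeek ts)."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp()


def build_sample_log():
    """Constructed conn.log lines: ts \\t id.orig_h \\t id.resp_h \\t id.resp_p \\t conn_state."""
    lines = [
        # benign: workstation talking to its usual file server, then a web fetch
        f"{_epoch(2025, 9, 16, 6, 5)}\t10.20.1.15\t10.20.1.5\t445\tSF",
        f"{_epoch(2025, 9, 16, 6, 7)}\t10.20.1.15\t10.20.1.5\t445\tSF",
        f"{_epoch(2025, 9, 16, 6, 9)}\t10.20.1.15\t93.184.216.34\t443\tSF",
    ]
    # constructed: an engineering workstation sweeping SMB across two /24s,
    # Tuesday 2025-09-16 10:00-10:59 Moscow time (07:00-07:59 UTC), one SYN every 30 s
    for i in range(120):
        ts = _epoch(2025, 9, 16, 7, 0) + i * 30
        lines.append(f"{ts}\t10.20.7.42\t10.20.{8 + i // 60}.{1 + i % 60}\t445\tS0")
    return lines


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(lines):
    """Parse tab-separated records; skips comments and blank lines."""
    rows = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, state = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst,
                     "port": int(port), "state": state})
    return rows


def lateral_fanout(rows):
    """Map each source to the set of distinct internal hosts it touched on lateral-movement ports."""
    targets = defaultdict(set)
    for r in rows:
        if r["port"] in LATERAL_PORTS and is_internal(r["dst"]) and r["src"] != r["dst"]:
            targets[r["src"]].add(r["dst"])
    return targets


def flag_sources(rows, threshold=FANOUT_THRESHOLD):
    """Sources whose distinct-target count meets the threshold, highest first."""
    hits = [(src, len(t)) for src, t in lateral_fanout(rows).items() if len(t) >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


def msk_working_hours_share(rows, src):
    """Fraction of src's connections that fall Mon-Fri 09:00-17:59 Moscow time."""
    own = [r for r in rows if r["src"] == src]
    if not own:
        return 0.0
    in_hours = 0
    for r in own:
        t = datetime.fromtimestamp(r["ts"], tz=MSK)
        if t.weekday() < 5 and 9 <= t.hour < 18:
            in_hours += 1
    return in_hours / len(own)


if __name__ == "__main__":
    rows = parse(build_sample_log())
    for src, n in flag_sources(rows):
        share = msk_working_hours_share(rows, src)
        print(f"ALERT fan-out {src}: {n} internal targets, "
              f"{share:.0%} of its traffic in Moscow working hours")
```

The fan-out count deliberately ignores conn_state: a scanning host that gets no SYN-ACK (S0) still counts, because the reconnaissance is what you want to see, not whether each target answered. The working-hours share is a weak signal on its own and should only raise the priority of a host already flagged for fan-out; a single timezone never identifies an actor.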

Key Entities

  • APT44 (apt_group)
  • Sandworm (apt_group)
  • Seashell Blizzard (apt_group)
  • Voodoo Bear (apt_group)
  • Botnet (attack_type)
  • Malware (attack_type)
  • Belgium (country)
  • Colombia (country)
  • Germany (country)
  • Mexico (country)
  • Russia (country)
  • CWE-502 - Deserialization of Untrusted Data (cwe)
  • Computer Equipment (industry)
  • Food Production (industry)
  • Manufacturing (industry)
  • Motor Vehicles (industry)
  • Pharmaceuticals (industry)
  • NotPetya (malware)
  • Cobalt Strike (malware)
  • WannaCry (ransomware)
  • T1021 - Remote Services (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • Industrial Control Systems (platform)
  • Metasploit (tool)
  • EternalBlue (exploit for the SMBv1 flaw patched by MS17-010)
  • Log4Shell - CVE-2021-44228 (vulnerability)