www.nozominetworks.com
Sandworm Targets Critical Infrastructure with Aggressive OT Attacks
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The Russian state-sponsored group Sandworm has intensified its cyber operations against industrial and critical infrastructure, utilizing pre-compromised operational technology (OT) environments instead of zero-day exploits. Research by Nozomi Networks revealed 29 confirmed Sandworm-related incidents from July 2025 to January 2026, affecting sectors like manufacturing and transportation. The group employed legacy malware and older attack vectors such as EternalBlue and WannaCry, showing a preference for lateral movement within networks. Notably, Sandworm escalates its activities after detection, often increasing operational disruption. The attacks align with Moscow's working hours, indicating a structured operational approach. Systems targeted include engineering workstations, HMIs, and PLCs, with one compromised machine attempting to access 923 unique internal targets. The findings highlight the need for improved detection and response strategies to mitigate Sandworm's impact.
Key Points: • Sandworm is exploiting pre-compromised OT environments instead of zero-day vulnerabilities. • The group has conducted 29 confirmed attacks on critical infrastructure since mid-2025. • Sandworm escalates operations post-detection, increasing disruption to targeted systems.