
Sandworm Targets Industrial Control Systems with Pre-Compromised Environments

Severity: High (Score: 75.6)

Sources: www.nozominetworks.com, Industrialcyber.Co

Summary

Russian state-sponsored group Sandworm has been observed exploiting pre-compromised operational technology (OT) environments rather than zero-day vulnerabilities. An analysis by Nozomi Networks identified 29 confirmed Sandworm-related events across 10 industrial organizations in seven countries between July 2025 and January 2026. The attacks primarily affected the manufacturing and transportation sectors, targeting systems such as engineering workstations, HMIs, PLCs, and RTUs. Sandworm's tactics relied on older, well-known exploits and malware such as EternalBlue, WannaCry, and Log4Shell, and significant lateral movement was observed: in one case a single machine targeted 405 internal systems. The group escalates its operations after being detected, increasing activity to maximize disruption. The report emphasizes the need for rapid containment to mitigate the threat posed by Sandworm. The findings align with recent geopolitical tensions involving critical infrastructure attacks in Europe and the U.S.

Key Points:

  • Sandworm exploits pre-compromised OT environments, avoiding zero-day vulnerabilities.
  • 29 confirmed Sandworm-related events were identified across 10 organizations in seven countries.
  • The group escalates attacks after detection, targeting critical infrastructure systems.

Key Entities

  • APT44 (apt_group)
  • Sandworm (apt_group)
  • Seashell Blizzard (apt_group)
  • Voodoo Bear (apt_group)
  • Botnet (attack_type)
  • Malware (attack_type)
  • Belgium (country)
  • Colombia (country)
  • Germany (country)
  • Mexico (country)
  • Russia (country)
  • CWE-502 - Deserialization of Untrusted Data (cwe)
  • activity.in (domain)
  • bear.by (domain)
  • wannacry.in (domain)
  • Computer Equipment (industry)
  • Food Production (industry)
  • Manufacturing (industry)
  • Motor Vehicles (industry)
  • Pharmaceuticals (industry)
  • NotPetya (malware)
  • Cobalt Strike (malware)
  • WannaCry (ransomware_group)
  • T1021 - Remote Services (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • Industrial Control Systems (platform)
  • Metasploit (tool)
  • EternalBlue (vulnerability)
  • Log4Shell (vulnerability)