A notorious Russian hacking group known as Sandworm has shifted its focus from compromised IT networks to operational technology (OT) systems, which are integral to physical infrastructure. This strategic move leverages existing vulnerabilities rather than new exploits, posing significant risks to industrial control systems.
Sandworm: A Persistent Threat
Identified by various aliases such as APT44 and Voodoo Bear, Sandworm is linked to GRU Unit 74455, a Russian military intelligence unit. The group is infamous for past cyber-sabotage campaigns, including attacks on Ukraine’s power grid and the 2017 NotPetya malware outbreak. Unlike financially driven cybercriminals, Sandworm aims to cause disruption and potential physical damage.
Recent analysis by Nozomi Networks, covering data from July 2025 to January 2026, revealed 29 incidents involving Sandworm. The group is known for its methodical and aggressive approach, persisting even when detected.
Exploiting Known Vulnerabilities
The most alarming aspect of Sandworm's latest campaign is its reliance on long-standing, unpatched vulnerabilities. Monitoring systems had been raising high-confidence security alerts for weeks before Sandworm arrived, yet these warnings were largely ignored. Well-known exploit tools and malware such as EternalBlue and WannaCry were used to infiltrate environments already compromised by other attackers.
Once inside, Sandworm launched lateral attacks within networks, targeting industrial control systems. A single compromised system was found to attack up to 405 internal targets, focusing on engineering workstations and essential control devices.
Escalation and Defensive Measures
Upon detection, Sandworm does not retreat but instead escalates its activity. This includes increasing alert volumes, introducing new attack methods, and intensifying focus on industrial systems. Partial detection without effective containment can exacerbate the situation.
For effective defense, Nozomi Networks advises treating routine alerts seriously, enforcing network segmentation, and fully remediating past security breaches. Engineering workstations and ICS management systems should be treated as critical assets and kept isolated from general internet access.
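The internal fan-out described above (one compromised host sweeping hundreds of internal targets, with engineering workstations and control devices among them) is the kind of behaviour a defender can check for in ordinary connection logs. The following Python script is an added example, not code from the article or from Nozomi Networks: it counts the distinct internal hosts each source touches within a sliding window, flags sources above a threshold, and lists any targets tagged as ICS assets so those findings are triaged first. The log format, address range, asset inventory and threshold are all assumptions.

```python
"""Lateral fan-out check over connection logs (added example with constructed data; not Nozomi's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed plant address range
# Hypothetical asset inventory: hosts that must be treated as critical ICS assets.
ICS_ASSETS = {"10.20.1.10": "engineering-workstation", "10.20.1.11": "engineering-workstation",
              "10.20.2.5": "plc", "10.20.2.6": "hmi"}

def parse_line(line):
    """Constructed log format: '<ISO timestamp> src=<ip> dst=<ip> dport=<port>'."""
    ts, src, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src[4:], "dst": dst[4:], "dport": int(dport[6:])}

def detect_fan_out(lines, window=timedelta(minutes=10), min_targets=20):
    """Flag sources touching >= min_targets distinct internal hosts inside any sliding window.
    Returns {src: {"targets": n, "ics_targets": set, "window_start": datetime}}."""
    by_src = defaultdict(list)
    for e in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        if ipaddress.ip_address(e["dst"]) in INTERNAL:      # only internal (lateral) traffic
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # drop events older than the window
                start += 1
            targets = {x["dst"] for x in evs[start:end + 1]}
            if len(targets) >= min_targets and (best is None or len(targets) > best["targets"]):
                # Record the widest sweep seen; ICS targets are listed so it can be prioritised.
                best = {"targets": len(targets),
                        "ics_targets": {t for t in targets if t in ICS_ASSETS},
                        "window_start": evs[start]["ts"]}
        if best:
            findings[src] = best
    return findings

def sample_lines():
    """Constructed sample: one host sweeps 30 internal hosts on 445/tcp (SMB) within five
    minutes, hitting four inventoried ICS assets; a second host makes one ordinary connection."""
    base = datetime(2025, 11, 3, 2, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()} "
             f"src=10.20.1.50 dst=10.20.{1 + i // 20}.{1 + i % 20} dport=445" for i in range(30)]
    lines.append(f"{base.isoformat()} src=10.20.3.7 dst=10.20.1.10 dport=443")
    return lines

if __name__ == "__main__":
    for src, f in detect_fan_out(sample_lines()).items():
        print(f"{src}: {f['targets']} internal targets, ICS assets hit: {sorted(f['ics_targets'])}")
```

On the constructed sample only the sweeping host is reported, with all four ICS assets it touched; a real deployment would feed it flow or firewall logs and tune the window and threshold to the plant's normal traffic.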
Sandworm’s exploitation of previously compromised environments underscores the need for strong security fundamentals to prevent such intrusions.