Sandworm hackers are using old IT compromises to reach critical OT systems

Russian state-linked Sandworm hackers are moving from already compromised IT systems toward operational technology environments that control physical infrastructure, according to new research from Nozomi Networks.

The findings show that the group does not always need zero-day exploits to threaten industrial sites. In the observed cases, Sandworm used long-standing infections, old exploit chains, and unresolved security alerts as stepping stones into industrial networks.

Nozomi Networks analyzed more than 5.5 million alerts from 10 industrial customers across seven countries between July 2025 and January 2026. Researchers identified 29 confirmed Sandworm events inside that dataset.

Sandworm is targeting the path between IT and OT

Sandworm, also known as APT44, Seashell Blizzard, Voodoo Bear, IRIDIUM, and FROZENBARENTS, has a long history of destructive cyber operations. MITRE links the group to Russia’s GRU Unit 74455 and lists past operations involving Ukrainian power companies, NotPetya, Olympic Destroyer, and attacks against Georgia.

Nozomi’s latest analysis focuses less on new malware and more on how the group behaves inside industrial environments. The key finding is direct and troubling: Sandworm can turn old IT compromises into launch points for deeper OT activity.

This matters because OT systems manage physical processes in sectors such as manufacturing, transportation, power, water, and critical infrastructure. A compromise that starts on a normal IT workstation can become much more serious if attackers reach engineering workstations, HMIs, PLCs, RTUs, or other control assets.

| Finding | Detail |
| --- | --- |
| Research period | July 2025 through January 2026 |
| Data reviewed | 5,543,865 alerts |
| Customer environments | 10 industrial customers in seven countries |
| Confirmed Sandworm events | 29 events |
| ICS-related alerts | 1,141,348 alerts, or 20.6% of the total |
| Average warning period | 43 days before Sandworm activity |

Old malware gave Sandworm a path inside

Nozomi found that compromised systems had already produced serious alerts before Sandworm activity began. Some systems showed warning signs for 20 to 155 days, with an average warning period of 43 days.

The alerts were not tied only to rare or highly specialized tooling. Researchers saw exploit chains and activity involving EternalBlue, DoublePulsar, WannaCry, Cobalt Strike, Metasploit, remote access tools, and Log4Shell.

Sandworm detection cascade (Source – Nozomi Networks)

That pattern changes how defenders should view routine security alerts in industrial environments. A known exploit or old malware infection may look like background noise, but it can create the exact foothold a state-backed actor needs.

  • Three victims with the widest lateral movement already showed EternalBlue, DoublePulsar, and WannaCry activity.
  • Four more victims had command-and-control activity linked to Cobalt Strike, Metasploit, or remote access tools.
  • A second wave of infections at three victims used Log4Shell as the initial access vector.
  • Every Sandworm-infected system showed earlier warning alerts before the group was detected.

Lateral movement reached hundreds of internal targets

Once Sandworm was present, the group moved aggressively. Nozomi identified 17 infected machines that conducted lateral movement against 923 unique internal targets.

In the most extreme case, one infected host attempted lateral movement against 405 internal systems. One infection event also triggered a 12-fold increase in alert volume.

The activity did not look random. Sandworm targeted systems that sit close to industrial operations, including engineering workstations, human machine interfaces, field controllers, remote terminal units, programmable logic controllers, and intelligent electronic devices.

| Observed activity | Why it matters |
| --- | --- |
| 923 unique internal targets | Shows broad lateral movement from infected machines |
| 405 targets from one host | Shows how one compromised system can create wide internal exposure |
| 286 engineering workstations targeted at one victim | Shows direct interest in systems used to manage industrial processes |
| 95 HMIs targeted at another victim | Shows focus on systems that operators use to monitor and control equipment |
| Field controllers targeted in three victims | Shows intent to move closer to physical process control |

Sandworm appears to escalate after detection

Nozomi reported that Sandworm activity intensified after detection in every affected environment across at least one measured dimension. The researchers noted that they do not know whether the attackers realized they had been detected.

Even so, the pattern matters for incident response teams. Instead of assuming that a detected intruder will leave, defenders should prepare for more scanning, more tools, more ports, more target systems, and a stronger focus on OT assets.

Warning window between first alert and Sandworm detection (Source – Nozomi Networks)

Most victims saw escalation across several dimensions at the same time. Two victims saw escalation across six of seven dimensions, one victim saw five, and four victims saw four.

  • Alert volume increased after detection.
  • More alert categories appeared.
  • More malware or threat identifiers appeared.
  • New attack types were observed.
  • More destination IPs were contacted.
  • More destination ports were probed.
  • MITRE ATT&CK tactics shifted toward more dangerous outcomes.
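To make these measurements concrete, here is an added Python example (not Nozomi's code or data) that runs the same triage over a handful of constructed alert records: the warning window from a host's earliest alert to its first actor-attributed alert, the lateral-movement fan-out described in the previous section, and which of the seven escalation dimensions listed above grew after detection. The CSV layout, the "Sandworm" sensor label, and the 10.1.0.0/16 internal range are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions: the sensor tags actor-attributed alerts with this label, and the
# internal IT/OT address space is this prefix (both chosen for the example).
ACTOR_LABEL = "Sandworm"
INTERNAL_NETS = [ip_network("10.1.0.0/16")]

# ATT&CK Enterprise tactics in matrix order; a later tactic is treated as a
# more dangerous outcome than an earlier one.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    category: str
    attack: str
    threat: str
    dst_ip: str
    dst_port: int
    tactic: str

def parse_alerts(lines):
    """Parse 'ts,src,category,attack,threat,dst_ip,dst_port,tactic' lines (assumed layout)."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, cat, attack, threat, ip, port, tactic = line.split(",")
        alerts.append(Alert(datetime.fromisoformat(ts), src, cat, attack,
                            threat, ip, int(port), tactic))
    return alerts

def detection_time(alerts, host):
    """Timestamp of the first actor-attributed alert on the host, or None."""
    hits = [a.ts for a in alerts if a.src == host and a.threat == ACTOR_LABEL]
    return min(hits) if hits else None

def warning_window_days(alerts, host):
    """Days from the host's earliest alert of any kind to actor detection."""
    det = detection_time(alerts, host)
    if det is None:
        return None
    earlier = [a.ts for a in alerts if a.src == host and a.ts < det]
    return (det - min(earlier)).days if earlier else 0

def fan_out(alerts, host):
    """Unique internal targets the host touched: the lateral-movement breadth metric."""
    return len({a.dst_ip for a in alerts if a.src == host
                and any(ip_address(a.dst_ip) in net for net in INTERNAL_NETS)})

def _profile(group):
    """The seven escalation dimensions measured over one group of alerts."""
    ranks = [TACTIC_ORDER.index(a.tactic) for a in group if a.tactic in TACTIC_ORDER]
    return {
        "alert_volume": len(group),
        "alert_categories": len({a.category for a in group}),
        "threat_identifiers": len({a.threat for a in group}),
        "attack_types": len({a.attack for a in group}),
        "destination_ips": len({a.dst_ip for a in group}),
        "destination_ports": len({a.dst_port for a in group}),
        "tactic_severity": max(ranks) if ranks else -1,
    }

def escalated_dimensions(alerts, host):
    """Sorted names of dimensions that grew after detection, or None if never detected."""
    det = detection_time(alerts, host)
    if det is None:
        return None
    mine = [a for a in alerts if a.src == host]
    before = _profile([a for a in mine if a.ts < det])
    after = _profile([a for a in mine if a.ts >= det])
    return sorted(k for k in before if after[k] > before[k])

# Constructed sample: one engineering workstation with old EternalBlue, DoublePulsar
# and Cobalt Strike alerts 43 days before actor activity, and one HMI never attributed.
SAMPLE_ALERTS = parse_alerts("""
# ts,src,category,attack,threat,dst_ip,dst_port,tactic
2025-09-01T09:00:00,eng-ws-01,exploit,smb_exploit,EternalBlue,10.1.1.5,445,lateral-movement
2025-09-01T09:02:00,eng-ws-01,malware,backdoor,DoublePulsar,10.1.1.5,445,persistence
2025-09-03T11:00:00,eng-ws-01,c2,beacon,CobaltStrike,203.0.113.7,443,command-and-control
2025-09-05T08:00:00,hmi-02,malware,ransomware,WannaCry,10.1.1.9,445,lateral-movement
2025-10-14T13:00:00,eng-ws-01,actor,beacon,Sandworm,203.0.113.9,443,command-and-control
2025-10-15T10:00:00,eng-ws-01,scan,port_scan,Sandworm,10.1.2.10,502,discovery
2025-10-15T10:05:00,eng-ws-01,scan,port_scan,Sandworm,10.1.2.11,502,discovery
2025-10-15T10:06:00,eng-ws-01,scan,port_scan,Sandworm,10.1.2.12,20000,discovery
2025-10-16T08:00:00,eng-ws-01,lateral_movement,smb_exploit,Metasploit,10.1.2.10,445,lateral-movement
2025-10-16T09:00:00,eng-ws-01,c2,rat_session,RAT,203.0.113.9,8443,command-and-control
2025-10-16T09:30:00,eng-ws-01,ot_protocol,modbus_write,Sandworm,10.1.2.10,502,impact
""".splitlines())

if __name__ == "__main__":
    for host in ("eng-ws-01", "hmi-02"):
        print(host, warning_window_days(SAMPLE_ALERTS, host),
              fan_out(SAMPLE_ALERTS, host), escalated_dimensions(SAMPLE_ALERTS, host))
```

On the constructed records the workstation shows a 43-day warning window, four distinct internal targets, and growth in six of the seven dimensions (threat identifiers stay at three before and after), which is the same shape of result the report describes for its worst-affected victims. The HMI, which was never attributed to the actor, returns None for both the window and the escalation check, so it is not silently counted as an actor event.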

Why the timing matters

Nozomi also found that Sandworm activity aligned with Russian government working hours. The highest alert volume appeared on Wednesday at about 2:00 PM Moscow time.

The researchers said this timing suggests a structured and centrally directed operation rather than random or purely automated activity. That fits Sandworm’s profile as a state-linked threat actor with a history of strategic disruption.

For defenders, timing should not replace technical evidence. But it can help security teams understand whether activity looks like automated malware, criminal opportunism, or a more organized operator-driven campaign.
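As an added illustration (not Nozomi's code or data) of the kind of timing check described above, the following Python bins alert timestamps into Moscow-time weekday and hour slots, reports the busiest slot, and computes the share of alerts that fall inside a working-hours window. The sample timestamps are constructed, and the 09:00 to 18:00 Monday-to-Friday window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Moscow has kept a fixed UTC+3 with no daylight-saving changes since 2014, so a
# fixed offset is sufficient here and avoids depending on system tz data.
MSK = timezone(timedelta(hours=3))
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def to_slots(iso_timestamps):
    """Map timezone-aware ISO 8601 timestamps to (weekday, hour) slots in Moscow time."""
    slots = []
    for raw in iso_timestamps:
        ts = datetime.fromisoformat(raw)
        if ts.tzinfo is None:
            # A naive timestamp has no known zone; refusing is safer than guessing.
            raise ValueError(f"naive timestamp, cannot convert: {raw}")
        local = ts.astimezone(MSK)
        slots.append((DAYS[local.weekday()], local.hour))
    return slots

def busiest_slot(iso_timestamps):
    """(weekday, hour, count) of the busiest one-hour slot in Moscow time."""
    (day, hour), n = Counter(to_slots(iso_timestamps)).most_common(1)[0]
    return day, hour, n

def working_hours_share(iso_timestamps, start=9, end=18):
    """Fraction of alerts that land Mon-Fri between start and end (Moscow hours, assumed window)."""
    slots = to_slots(iso_timestamps)
    hits = sum(1 for day, hour in slots
               if day not in ("Sat", "Sun") and start <= hour < end)
    return hits / len(slots) if slots else 0.0

# Constructed sample in UTC: three alerts on Wednesday 11:00Z (14:00 MSK),
# one on a Tuesday morning, one late on a Saturday night.
SAMPLE_TIMESTAMPS = [
    "2025-10-15T11:05:00+00:00",
    "2025-10-15T11:20:00+00:00",
    "2025-10-15T11:48:00+00:00",
    "2025-10-14T08:00:00+00:00",
    "2025-10-18T22:30:00+00:00",
]

if __name__ == "__main__":
    print(busiest_slot(SAMPLE_TIMESTAMPS), working_hours_share(SAMPLE_TIMESTAMPS))
```

The result is only a hint about the operator, not evidence on its own: automated tooling scheduled by a human, or a proxy in a different region, produces the same clustering, which is why the check is worth running alongside the technical indicators rather than instead of them.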

What critical infrastructure defenders should do

The main lesson from Nozomi’s report is that prevention starts before Sandworm arrives. Many of the affected systems had already shown serious compromise signals long before Sandworm activity appeared.

Security teams should treat old malware detections, exposed legacy services, and active command-and-control alerts as urgent issues in OT-connected environments. Delayed investigation gives attackers more time to convert basic IT access into operational risk.

Organizations should also isolate systems with OT access quickly during an incident. Partial containment can leave attackers room to adapt, expand, and move toward more sensitive industrial assets.

  1. Investigate EternalBlue, Log4Shell, Cobalt Strike, RAT, and command-and-control alerts quickly.
  2. Remove old infections instead of only blocking visible activity.
  3. Segment IT networks from OT networks and restrict cross-zone access.
  4. Apply stronger controls to engineering workstations and ICS management hosts.
  5. Prevent engineering systems from general internet browsing and routine IT tasks.
  6. Monitor internal scanning, unusual authentication attempts, and service enumeration.
  7. Prepare incident response plans that assume attacker escalation after detection.

Sandworm activity is a strategic warning

Sandworm’s track record makes this campaign more serious than normal malware cleanup. MITRE and other public reporting connect the group to destructive operations, including attacks against Ukrainian electric power companies and the NotPetya outbreak.

Nozomi’s research shows that the group can use familiar weaknesses to reach sensitive industrial environments. That means the most useful defensive steps are not always exotic. They include patching, segmentation, credential hygiene, alert triage, and fast containment.

For industrial operators, the warning is clear. Unresolved IT compromise is not only an IT problem when those systems can touch OT networks. It can become the bridge into physical operations.

FAQ

Who is Sandworm?

Sandworm is a Russian state-linked cyber threat group also known as APT44, Seashell Blizzard, Voodoo Bear, IRIDIUM, and FROZENBARENTS. MITRE attributes the group to Russia’s GRU Unit 74455.

What did Nozomi Networks find about Sandworm activity?

Nozomi Networks analyzed more than 5.5 million alerts from 10 industrial customers across seven countries and identified 29 confirmed Sandworm events between July 2025 and January 2026.

How did Sandworm reach OT environments?

Nozomi found that Sandworm often used systems that were already compromised through known exploit chains, command-and-control activity, old malware, and unresolved security gaps.

Which OT assets did Sandworm target?

The activity targeted engineering workstations, human machine interfaces, field controllers, remote terminal units, programmable logic controllers, and intelligent electronic devices.

What should defenders do first?

Defenders should investigate old exploit and command-and-control alerts quickly, segment IT and OT networks, isolate compromised systems, and protect engineering workstations as critical operational assets.
