GBHackers

Sandworm Hackers Shift From IT Breaches to Critical OT Targets


A new wave of cyber activity linked to the notorious Sandworm group is raising fresh alarms across global critical infrastructure.

Security researchers warn that the Russian state-backed threat actor is no longer just infiltrating IT networks; it is actively pivoting into operational technology (OT) environments, where real-world disruption becomes possible.

The findings are based on telemetry collected from 10 industrial organizations across seven countries between July 2025 and January 2026.

Researchers identified 29 confirmed Sandworm-related incidents within a dataset of over 5.5 million alerts.

According to a recent analysis by Nozomi Networks, Sandworm (also tracked as APT44, Seashell Blizzard, and Voodoo Bear) is intensifying its focus on industrial control systems (ICS), leveraging already compromised environments to move deeper into critical operations.

While initial access often occurred in IT environments, attackers consistently expanded toward OT systems, including engineering workstations, HMIs, and field controllers such as PLCs and RTUs.

LOTL (Living off the Land) depends on human operators using legitimate tools and access, rather than automated malware.

Sandworm alerts by day of the week (Source: Nozomi Networks).

This shift is significant. Unlike traditional cybercriminals, Sandworm is known for causing physical disruption. Its past operations include the Ukraine power grid attacks and the destructive NotPetya campaign.

Sandworm Hackers Shift From IT Breaches

The analysis reveals several distinct operational traits:

  • Activity aligns with Moscow working hours, peaking midweek, suggesting structured and state-directed execution.
  • Lateral movement is aggressive, with infected machines targeting hundreds of internal systems.
  • Attackers rely heavily on existing compromises rather than new zero-day exploits.
  • Each compromised system showed early warning signs for an average of 43 days before escalation.
  • Once detected, Sandworm escalates activity instead of retreating, often shifting focus toward OT assets.

For example, in one case, a single infected system attempted lateral movement against 405 internal machines, triggering a 12-fold increase in alerts.

One of the most striking findings is Sandworm’s continued use of older exploit chains like EternalBlue, DoublePulsar, and WannaCry. Rather than developing new tools, the group exploits unpatched systems and lingering infections.


Warning window between first alert and Sandworm detection (Source: Nozomi Networks).

In multiple environments, researchers observed that networks were already compromised with tools like Cobalt Strike and Metasploit before Sandworm activity began. This suggests the group is opportunistic, entering environments that are already “soft targets.”

Unlike ransomware groups that often retreat when discovered, Sandworm intensifies its operations. The report highlights a multi-dimensional escalation pattern, including:

  • Increased alert volume and diversity.
  • Deployment of new tools and techniques.
  • Expansion into new network segments and ports.
  • Shift toward high-impact tactics mapped to ICS environments.

In several cases, attackers directly targeted hundreds of engineering workstations and dozens of industrial controllers, confirming deliberate intent to disrupt operations.
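The operational traits listed earlier (one infected host fanning out to hundreds of internal machines, a sharp rise in alert volume, a warning window of weeks before escalation) and the multi-dimensional escalation pattern just described can all be checked against an ordinary alert export. The script below is an added example written for this article; it is not code from Nozomi Networks or GBHackers. It builds a constructed set of alert lines (the host names, ports and signature texts are hypothetical, and the burst size of 405 hosts simply mirrors the figure quoted above) and then computes per-source fan-out, the first day on which alert volume jumps relative to the median daily baseline, the signatures and ports first seen during that jump, and the number of days of warning that preceded it.

```python
"""Toy escalation detector over constructed OT alert lines.

Added example, not code from Nozomi Networks or GBHackers. It turns the
traits described in the article into checks a defender can run over an
alert export:
  * one source host fanning out to hundreds of internal peers,
  * a jump in daily alert volume, plus the signatures and ports first seen
    during the jump (the 'multi-dimensional escalation' pattern),
  * the warning window between the first alert and the escalation.
Host names, ports and signature texts below are hypothetical.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_alerts():
    """Constructed sample data: 40 days of low-volume 'routine' alerts from one
    engineering workstation, then a one-day burst in which the same workstation
    touches 405 internal hosts on 445/tcp. Format: ts|src|dst|dport|signature."""
    t0 = datetime(2025, 9, 1, 9, 0)  # naive timestamps, treated as UTC
    lines = []
    for day in range(40):
        ts = t0 + timedelta(days=day)
        lines.append(f"{ts.isoformat()}|ews-01|plc-03|502|Modbus write from unexpected host")
        ts2 = ts + timedelta(hours=3)
        lines.append(f"{ts2.isoformat()}|ews-01|hmi-02|3389|RDP session from engineering workstation")
    burst = t0 + timedelta(days=40)
    for i in range(405):
        ts = burst + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()}|ews-01|host-{i:03d}|445|SMB exploit attempt (EternalBlue signature)")
    return lines


def parse_alert(line):
    """Split one pipe-delimited alert line into a dict with a datetime timestamp."""
    ts, src, dst, dport, sig = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "sig": sig}


def lateral_fan_out(alerts, min_targets=50):
    """Distinct internal destinations per source; flag sources at or above min_targets."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add(a["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def find_escalation_day(alerts, factor=10):
    """First calendar day whose alert count is >= factor x the median daily count."""
    per_day = Counter(a["ts"].date() for a in alerts)
    baseline = median(per_day.values())
    for day in sorted(per_day):
        if per_day[day] >= factor * baseline:
            return day
    return None


def escalation_profile(alerts, split):
    """Daily-volume ratio and the signatures/ports that appear only after `split`."""
    before = [a for a in alerts if a["ts"] < split]
    after = [a for a in alerts if a["ts"] >= split]

    def daily_rate(chunk):
        if not chunk:
            return 0.0
        span_days = (max(a["ts"] for a in chunk) - min(a["ts"] for a in chunk)).days + 1
        return len(chunk) / span_days

    ratio = daily_rate(after) / daily_rate(before) if before else float("inf")
    return {
        "volume_ratio": ratio,
        "new_signatures": sorted({a["sig"] for a in after} - {a["sig"] for a in before}),
        "new_ports": sorted({a["dport"] for a in after} - {a["dport"] for a in before}),
    }


def analyze(lines, min_targets=50, factor=10):
    """Run all three checks over raw alert lines and return one summary dict."""
    alerts = [parse_alert(line) for line in lines]
    summary = {"fan_out": lateral_fan_out(alerts, min_targets)}
    day = find_escalation_day(alerts, factor)
    if day is None:
        summary.update(escalation_day=None, warning_window_days=None)
        return summary
    first_seen = min(a["ts"] for a in alerts).date()
    split = datetime.combine(day, datetime.min.time())
    summary.update(escalation_day=day.isoformat(),
                   warning_window_days=(day - first_seen).days,
                   **escalation_profile(alerts, split))
    return summary


if __name__ == "__main__":
    for key, value in analyze(build_sample_alerts()).items():
        print(f"{key}: {value}")
```

On the constructed data the workstation reaches 407 distinct peers, the burst day arrives 40 days after the first alert, and the only new signature and port are the SMB exploit attempt on 445/tcp; on a real export the same three numbers (fan-out, days of warning, what is new after the jump) are what an analyst would want in front of them before deciding whether a "routine" alert source deserves a closer look.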

Sandworm stands apart from other threat actors due to its mission. While ransomware groups seek financial gain and hacktivists pursue visibility, Sandworm operates as a military cyber-sabotage unit linked to Russia’s GRU Unit 74455.

Inhibit function response (Source: Nozomi Networks).

Its campaigns often align with geopolitical events and, in some cases, precede physical military actions. Researchers also noted a slowdown in broader targeting during late 2025, likely due to resource concentration on a suspected power grid attack in Poland.

Perhaps the most critical takeaway is that Sandworm doesn’t rely on sophisticated zero-days. Instead, it exploits known vulnerabilities and counts on defenders overlooking alerts.

Every affected system in the study generated weeks or even months of detectable warning signs before the attack escalated.

This means many incidents could have been prevented through basic cybersecurity hygiene: patching known vulnerabilities, investigating “routine” alerts, and limiting lateral movement.

As Sandworm continues to blur the line between cyber operations and physical disruption, organizations managing critical infrastructure face increasing pressure to act early. In this threat landscape, ignoring small alerts can lead to large-scale consequences.
