IndustrialCyber

Sandworm uses pre-compromised OT environments instead of zero-days to escalate OT, ICS attacks after detection


Russian state-sponsored threat group Sandworm is continuing to target industrial and critical infrastructure environments using aggressive lateral movement, legacy malware, and escalation tactics that intensify after detection, according to research from Nozomi Networks. The company analyzed more than 5.5 million alerts collected from 10 industrial organizations across seven countries between July 2025 and January 2026, identifying 29 confirmed Sandworm-related events. The affected sectors included manufacturing and transportation, with attacks targeting engineering workstations, HMIs (human-machine interfaces), PLCs (programmable logic controllers), RTUs (remote terminal units), and other ICS (industrial control system) assets.

Researchers found that Sandworm activity aligned closely with Moscow government working hours and followed what appeared to be a structured operational rhythm consistent with centralized tasking. They also found that every infected system generated warning signs weeks or even months before Sandworm activity began, with an average lead time of 43 days. 

Rather than relying on zero-day exploits, the group frequently exploited already compromised environments using older attack chains such as EternalBlue, DoublePulsar, WannaCry, Log4Shell, Cobalt Strike, and other post-exploitation frameworks. Once inside a network, Sandworm aggressively expanded laterally, with one compromised machine targeting 405 internal systems and infected hosts collectively attempting movement against 923 unique internal targets. The report further warned that Sandworm escalates operations after detection instead of disengaging, often increasing activity against OT (operational technology) and ICS systems to maximize operational disruption.

“Without rapid containment, Sandworm does not disengage. It accelerates,” Chris Grove, Nozomi’s director for cyber security strategy and product manager, wrote in a Wednesday blog post. “Recent geopolitical events involving publicly disclosed attacks against national critical infrastructure across Europe and the U.S. have once again drawn attention to a highly disruptive threat actor known as Sandworm, the Russian state-sponsored group also tracked as APT44, Seashell Blizzard, and Voodoo Bear.” 

Grove added that by studying environments where Sandworm activity has been positively identified, “we can extract lessons that help future victims detect intrusions earlier, recover more effectively, and — most importantly — prevent Sandworm-related incidents altogether.”

Nozomi collects and analyzes threat intelligence from multiple sources, including customer and partner engagements, curated third-party intelligence feeds, honeypot research, anonymized customer telemetry, and insights from its internal threat research team. The findings in the report are based on intelligence gathered across all of these sources.

Researchers found that Sandworm activity closely aligns with Moscow office hours and follows what appears to be a bureaucratic execution model, with operational activity peaking midweek after lunch. Lateral movement also remains a central component of Sandworm operations, with infected machines generating thousands of lateral movement alerts across networks.

Nozomi found that Sandworm activity closely aligns with standard Russian government working hours, with operations peaking midweek and during post-lunch business hours, particularly around Wednesday afternoons in Moscow. Researchers said the pattern suggests a structured and centrally directed operational model rather than opportunistic or freelance activity. During the same period as the reported Polish power grid attack, Sandworm activity against new victims slowed significantly, with the pace of new victim acquisition dropping from one every 11.4 days to one every 24.7 days, indicating a temporary shift in operational focus and resources toward the grid operation.

The report identified lateral movement as a defining characteristic of Sandworm operations. Across 10 affected organizations, 17 infected machines attempted lateral movement against 923 internal systems. In one case, a single compromised host targeted 405 machines, while 632 systems began generating entirely new alert types after contact. One infection also triggered a 12-fold increase in alert volume, highlighting the group’s emphasis on rapid internal expansion after gaining an initial foothold.

Researchers also found that Sandworm continues to rely heavily on older but highly effective malware and exploit chains, including EternalBlue, DoublePulsar, WannaCry, Log4Shell, Cobalt Strike, Metasploit, and remote access trojans. In many cases, the environments targeted by Sandworm were already compromised before the group became active. Victims experiencing the widest lateral movement had preexisting infections or active command-and-control activity, allowing Sandworm to capitalize on weakly defended networks rather than deploy novel zero-day exploits.

One of the report’s most significant findings was that every infected system generated warning signs between 20 and 155 days before confirmed Sandworm activity, with an average warning window of 43 days. The alerts included known exploit chains, active command-and-control communications, and malware activity that could likely have been detected and remediated before Sandworm established operational footholds. 

Researchers emphasized that these were not stealthy attacks using unknown vulnerabilities, but widely documented techniques that had gone unaddressed.

The study also found that Sandworm consistently escalated operations after detection rather than retreating. Activity intensified through increased alert volumes, broader attack surfaces, deployment of additional malware tools, and expanded lateral movement across networks. 

The group also shifted attention toward ICS and OT assets, including engineering workstations, HMIs, PLCs, RTUs, field controllers, and other Purdue Level 1 and Level 2 systems. Most affected organizations experienced escalation across multiple dimensions simultaneously, reinforcing the assessment that Sandworm operations are designed to maximize operational disruption once defenders become aware of the intrusion.

The report further found that Sandworm continues to rely on older but highly destructive malware, enabling the group to exploit already compromised environments instead of depending on novel attack techniques. Researchers said every infected system showed serious warning signs weeks or even months in advance, with an average lead time of 43 days before confirmed activity. The study also noted that Sandworm tends to escalate operations after detection by increasing attack severity, expanding tooling, and shifting focus toward ICS and OT environments to maximize operational impact.

Grove detailed that Nozomi’s analysis examined a focused subset of anonymized telemetry consisting of 5,543,865 alerts collected from 10 industrial customers across seven countries, including the U.S., Mexico, the U.K., Germany, Belgium, Colombia, and Thailand, spanning July 2025 through January 2026.

“These organizations operate in the manufacturing and transportation sectors, including pharmaceuticals, food production, motor vehicles, computer equipment and textiles,” he wrote. “This data directly correlates to what is detailed in our 2025 2H OT/IoT threat report. The anonymized telemetry contains detailed network metadata including source and destination IPs, ports, protocols, threat classifications and (where applicable) MITRE ATT&CK for ICS mappings, including ICS asset types and Purdue Model levels.”

He further pointed out that of the total alert volume, 1,141,348 alerts (20.6%) originated from ICS-classified source assets, spanning engineering workstations, field controllers (RTUs, PLCs, IEDs), and HMIs. “Within this corpus, 29 events were conclusively identified as Sandworm activity using signature-based detections, including YARA rules and validated threat intelligence indicators. Within the dataset we sliced, the earliest detection we observed occurred on August 13, 2025, with the last on January 14, 2026. However, it’s important to note that detections have happened before and after the dataset we’re focused on for this exercise.”

The post detailed that Sandworm differs significantly from ransomware groups and hacktivists in mission and operational behavior. While ransomware actors are primarily financially motivated and hacktivists are often driven by ideology or publicity, Sandworm operates as a state-directed military cyber-sabotage unit focused on disruption and real-world operational impact rather than profit or long-term espionage.

The group also differs in target selection. Ransomware operators typically prioritize IT environments that provide the greatest leverage for extortion payments, while hacktivists often focus on public-facing websites or symbolic targets. Sandworm, by contrast, deliberately targets government organizations and critical infrastructure, including ICS and OT environments.

Researchers noted that Sandworm has repeatedly demonstrated a willingness to cause physical disruption through operations involving power grid attacks and destructive wiper malware. Most other threat actors, even destructive ones, generally avoid actions that could lead to physical damage or safety consequences.

The report further found that Sandworm activity closely aligns with Russian government working hours and follows a structured, bureaucratic execution model that suggests centralized oversight and tasking. Criminal and hacktivist operations are typically more opportunistic and less coordinated.

Unlike many ransomware groups that reduce activity or withdraw after detection, Sandworm tends to escalate operations once discovered by expanding activity, increasing severity, and shifting focus toward ICS and OT systems. Researchers also observed that the group frequently exploits environments that are already compromised, taking advantage of unremediated vulnerabilities and longstanding security gaps rather than relying primarily on zero-day exploits.

The report concluded that Sandworm represents a distinct category of cyber threat because it combines state sponsorship, deliberate ICS targeting, and demonstrated willingness to cause operational and physical disruption. As a result, its activity is often treated as a strategic warning indicator rather than a conventional cybercrime issue.

“In sum, Sandworm is an advanced persistent threat that warrants close monitoring, as its cyber activity has historically preceded real-world military or geopolitical actions,” Grove wrote. “This threat differs from ransomware groups or hacktivists in that it deliberately targets industrial control systems and conducts operations intended to cause physical and operational disruption.”

Nozomi urged organizations to treat ‘commodity’ alerts such as EternalBlue, Cobalt Strike, remote access trojans, and Log4Shell exploitation as strategic warning indicators rather than routine noise. Researchers found that every Sandworm-infected system generated weeks or months of high-confidence alerts before confirmed activity occurred. The report recommended prioritizing investigation and remediation of known exploit chains and active command-and-control activity because unresolved compromises can later become entry points for state-sponsored actors, not just ransomware operators.

The report also emphasized the importance of strengthening environments before Sandworm gains access. Researchers found the group consistently exploited pre-compromised networks rather than relying heavily on zero-day vulnerabilities. Organizations were advised to focus on baseline cyber hygiene measures, including risk-based vulnerability management, credential protection, removal of exposed administrative services, and elimination of legacy protocols. The report stressed that previously identified compromises must be fully remediated rather than merely contained.

Researchers further warned that Sandworm aggressively relies on lateral movement once inside a network, with infected systems often targeting hundreds of internal assets. Organizations were advised to closely monitor abnormal internal scanning, authentication attempts, and service enumeration activity while enforcing strong segmentation between IT and OT environments. The report noted that any system conducting large-scale lateral movement should be treated as a high-severity incident regardless of the malware family involved because early containment can limit Sandworm’s ability to pivot toward ICS systems.

The study also highlighted the need to prioritize protection of ICS-adjacent assets such as engineering workstations, HMIs, and field controllers, which Sandworm deliberately targeted during operations. Researchers recommended heightened monitoring and stricter access controls for engineering and ICS management systems while ensuring they are not used for general IT tasks or internet browsing. The report cautioned that compromises involving these systems should be treated as potential precursors to physical disruption.

Finally, Nozomi warned organizations not to expect Sandworm to retreat after detection. Instead, the group consistently escalates activity by increasing attack severity, expanding tooling, and shifting focus toward OT systems. Researchers recommended incident response plans that assume post-detection escalation and stressed the importance of rapid containment and isolation measures, especially for systems connected to operational environments. 
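Added example, not code from the Nozomi report or this article: a small Python triage script that applies the three recommendations above to constructed alert telemetry. It flags hosts that reach many distinct internal targets, measures the window between a host's first "commodity" alert and its first signature-confirmed detection, and computes how far a host's alert volume rises from that detection onward. The internal address range, the 50-target threshold and the alert classification labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

COMMODITY = {"EternalBlue", "DoublePulsar", "Log4Shell", "CobaltStrike-C2", "RAT-C2"}
CONFIRMED = "Sandworm"               # label a YARA/signature hit would carry (assumed)
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
LATERAL_HIGH = 50                    # assumed threshold of distinct internal targets per host

def parse(line):
    # "2025-07-01T09:00:00,10.0.1.5,10.0.2.10,EternalBlue" -> alert dict
    ts, src, dst, cls = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "cls": cls}

def lateral_movement(alerts, threshold=LATERAL_HIGH):
    """Hosts reaching >= threshold distinct internal destinations (high severity per the report)."""
    targets = defaultdict(set)
    for a in alerts:
        if ip_address(a["dst"]) in INTERNAL:
            targets[a["src"]].add(a["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

def warning_window(alerts):
    """Days from a host's first commodity alert to its first confirmed detection."""
    first_commodity, first_confirmed = {}, {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["cls"] in COMMODITY:
            first_commodity.setdefault(a["src"], a["ts"])
        elif a["cls"] == CONFIRMED:
            first_confirmed.setdefault(a["src"], a["ts"])
    return {h: (first_confirmed[h] - first_commodity[h]).days
            for h in first_confirmed if h in first_commodity}

def escalation_factor(alerts, host):
    """Alerts from the confirmed detection onward divided by alerts before it."""
    mine = [a for a in alerts if a["src"] == host]
    hits = [a["ts"] for a in mine if a["cls"] == CONFIRMED]
    if not hits:
        return None
    before = sum(a["ts"] < min(hits) for a in mine)
    return (len(mine) - before) / before if before else float("inf")

def sample_alerts():
    """Constructed, not Nozomi telemetry: 10.0.1.5 shows commodity alerts in July 2025,
    is confirmed on 13 Aug, then scans 60 internal hosts; 10.0.1.9 is routine noise."""
    rows = ["2025-07-01T09:00:00,10.0.1.5,10.0.2.10,EternalBlue",
            "2025-07-03T14:20:00,10.0.1.5,203.0.113.7,CobaltStrike-C2",
            "2025-08-13T11:05:00,10.0.1.5,10.0.3.1,Sandworm",
            "2025-08-14T10:00:00,10.0.1.9,10.0.2.10,SMB-Scan"]
    rows += [f"2025-08-13T12:{i:02d}:00,10.0.1.5,10.0.4.{i + 1},SMB-Scan" for i in range(60)]
    return [parse(r) for r in rows]
```

On the constructed data the script reports 10.0.1.5 touching 62 internal hosts, a 43-day gap between its first EternalBlue alert and the confirmed detection, and a 30.5x rise in alert volume from that detection onward.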

The report also advised organizations to align defensive readiness with geopolitical developments involving Russia and critical infrastructure, noting that Sandworm activity often serves as a broader strategic warning indicator rather than an isolated cyber incident.
