Top Highlights
- Russian state-sponsored group Sandworm continues to target critical infrastructure, especially OT and ICS environments, using older malware and lateral movement techniques, with activity intensifying after detection.
- Sandworm operates on a structured schedule aligned with Moscow working hours, exploiting pre-compromised networks and escalating operations upon detection, often targeting multiple internal assets simultaneously.
- Warning signs and alerts typically precede Sandworm activity by around 43 days, highlighting the importance of early detection of known exploit chains and command-and-control communications to prevent operational disruption.
- The group’s focus on causing physical and operational disruption, particularly in power grids and critical infrastructure, distinguishes Sandworm from other threat actors, emphasizing the need for rapid containment, strong segmentation, and proactive security measures.
The Issue
Sandworm, a Russian state-sponsored cyber threat group, continues to target industrial and critical infrastructure sectors worldwide by exploiting known vulnerabilities in previously compromised environments. Recent research by Nozomi Networks analyzed over 5.5 million alerts from ten industrial organizations across seven countries between July 2025 and January 2026, documenting 29 confirmed Sandworm-related attacks. These attacks predominantly focused on manufacturing and transportation sectors, targeting vital operational technology (OT) assets such as engineering workstations, HMIs, PLCs, and RTUs. Notably, Sandworm employs legacy malware and widely documented exploit chains—like EternalBlue and WannaCry—rather than zero-day vulnerabilities, often capitalizing on existing security gaps.
Furthermore, the group’s operations align with Moscow’s working hours, with activity peaking midweek after lunch, following a structured pattern indicative of centralized command. Importantly, Sandworm escalates its operations following detection, intensifying lateral movement and expanding its footprint across internal systems—sometimes infecting hundreds of devices from a single entry point. This deliberate escalation, especially targeting OT environments, is designed to maximize operational disruption and physical damage. Researchers emphasize that early warning signs, often detected weeks or months before active intrusion, include known malware activity and command-and-control communications. Consequently, Nozomi advocates for rigorous, proactive cybersecurity measures, and underscores that Sandworm’s activity should be regarded as a strategic, geopolitical threat rather than mere cybercrime.
Critical Concerns
Sandworm's reliance on pre-compromised operational technology (OT) environments rather than zero-days threatens any business's operational stability and security. Attackers leverage vulnerabilities that already exist within OT networks, bypassing traditional detection methods focused on zero-day exploits, and escalate once they are detected, causing prolonged downtime, costly damage, and compromised safety. Moreover, such tactics let attackers deepen their infiltration discreetly, making recovery complex and resource-intensive. All industries relying on industrial control systems (ICS), from manufacturing to utilities, are vulnerable. In essence, if your business relies on OT or ICS, failing to address these persistent, pre-existing vulnerabilities leaves you exposed to devastating consequences.
Possible Action Plan
Quick action is vital to prevent further damage when adversaries like Sandworm leverage pre-compromised operational technology (OT) environments instead of zero-day exploits. Prompt remediation reduces the window of opportunity for escalation, limits the scope of impact, and helps restore secure operations faster, aligning with the principles outlined by the NIST Cybersecurity Framework (CSF).
Containment Measures
- Isolate affected OT systems immediately to prevent lateral movement and further infiltration.
- Disable remote access to compromised environments to deny the attacker continued interactive access.
Detection and Analysis
- Conduct thorough forensic analysis to confirm compromise levels and identify indicators of compromise (IOCs).
- Review system logs and network traffic for unusual activity linked to the threat actor.
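The log and traffic review above can be made concrete. The following triage script is an added example, not code from the original page or from the Nozomi Networks report; it runs over a constructed alert feed and surfaces the three patterns the page describes: the lead time between the earliest precursor alert (a known exploit-chain or command-and-control detection) and a confirmed intrusion, the share of activity falling inside Moscow (UTC+3) working hours, and lateral-movement bursts where one internal host reaches several internal hosts in a short window. The hosts, signature names, the 10.0.0.0/8 internal range and the timestamps are all constructed; substitute your own IDS signature names and address ranges.

```python
"""
Added example (not from the original page or the Nozomi report): triage a
stream of OT/IT alert records for the three patterns the page describes.
All hosts, signature names, address ranges and timestamps are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MSK = timezone(timedelta(hours=3))
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed plant range

# Constructed signature names standing in for whatever your IDS emits for the
# EternalBlue (MS17-010) chain, WannaCry, and known C2 beacons.
PRECURSOR_SIGNATURES = {
    "smb_ms17_010_exploit_attempt",
    "wannacry_dropper",
    "known_c2_beacon",
}
INTRUSION_SIGNATURE = "confirmed_intrusion"

# Constructed alert feed: (UTC timestamp, source, destination, signature)
SAMPLE_ALERTS = [
    ("2025-09-01T08:00:00Z", "10.1.20.5", "10.1.20.9",   "smb_ms17_010_exploit_attempt"),
    ("2025-09-03T11:40:00Z", "10.1.20.9", "203.0.113.7", "known_c2_beacon"),
    ("2025-09-20T02:10:00Z", "10.1.30.2", "10.1.30.3",   "icmp_sweep"),
    ("2025-10-14T09:05:00Z", "10.1.20.9", "10.1.40.11",  "confirmed_intrusion"),
    ("2025-10-14T09:06:00Z", "10.1.20.9", "10.1.40.12",  "smb_lateral_movement"),
    ("2025-10-14T09:07:00Z", "10.1.20.9", "10.1.40.13",  "smb_lateral_movement"),
    ("2025-10-14T09:08:00Z", "10.1.20.9", "10.1.40.14",  "smb_lateral_movement"),
]


def parse_alerts(records):
    """Turn raw tuples into dicts with a timezone-aware UTC datetime, sorted by time."""
    out = []
    for ts, src, dst, sig in records:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append({"ts": when, "src": src, "dst": dst, "sig": sig})
    return sorted(out, key=lambda a: a["ts"])


def precursor_lead_time(alerts):
    """Whole days from the first precursor alert to the first confirmed
    intrusion, or None if either is missing from the feed."""
    first_precursor = next((a["ts"] for a in alerts if a["sig"] in PRECURSOR_SIGNATURES), None)
    first_intrusion = next((a["ts"] for a in alerts if a["sig"] == INTRUSION_SIGNATURE), None)
    if first_precursor is None or first_intrusion is None:
        return None
    return (first_intrusion - first_precursor).days


def in_moscow_working_hours(ts):
    """Monday to Friday, 09:00-18:00 Moscow time (UTC+3)."""
    local = ts.astimezone(MSK)
    return local.weekday() < 5 and 9 <= local.hour < 18


def moscow_hours_profile(alerts):
    """(alerts inside Moscow working hours, total alerts)."""
    inside = sum(1 for a in alerts if in_moscow_working_hours(a["ts"]))
    return inside, len(alerts)


def lateral_movement_bursts(alerts, window=timedelta(minutes=10), min_targets=3):
    """Internal sources that reach at least min_targets distinct internal
    hosts within `window`. Returns {source: set(targets)}."""
    by_src = defaultdict(list)
    for a in alerts:
        if (ipaddress.ip_address(a["src"]) in INTERNAL_NET
                and ipaddress.ip_address(a["dst"]) in INTERNAL_NET):
            by_src[a["src"]].append(a)
    bursts = {}
    for src, events in by_src.items():
        events.sort(key=lambda a: a["ts"])
        for i, start in enumerate(events):
            targets = {e["dst"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(targets) >= min_targets:
                bursts.setdefault(src, set()).update(targets)
    return bursts


def triage(records):
    """One summary dict per feed, suitable for a daily report or a SIEM enrichment."""
    alerts = parse_alerts(records)
    inside, total = moscow_hours_profile(alerts)
    return {
        "lead_time_days": precursor_lead_time(alerts),
        "moscow_hours_share": inside / total if total else 0.0,
        "lateral_bursts": {s: sorted(t) for s, t in lateral_movement_bursts(alerts).items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

On the constructed feed the script reports a 43-day gap between the first MS17-010 detection and the confirmed intrusion, six of seven alerts inside Moscow working hours, and one source (10.1.20.9) fanning out to four internal hosts within minutes. The working-hours share is a weak signal on its own and is only meaningful over many alerts; the lead-time and burst checks are the ones worth wiring into alerting, because the page's point is that the precursor alerts were already present weeks before the disruption.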
System Recovery
- Remove malicious artifacts and backdoor access points to eliminate persistent threats.
- Apply security patches and updates to vulnerable systems to close known exposure points.
Access Control
- Enforce strict access controls and implement multi-factor authentication for critical OT components.
- Limit user privileges to essential functions only, reducing the risk of insider or collateral damage.
Patch Management
- Regularly update and patch all OT and ICS devices to mitigate known vulnerabilities exploited by attackers.
- Use secure configurations and baseline standards to maintain system integrity.
Strengthening Security Posture
- Implement continuous monitoring and real-time alerting for early detection of anomalies.
- Conduct security training and awareness programs for personnel managing OT environments.
Communication and Coordination
- Coordinate with industrial control system vendors and cybersecurity authorities for guidance and support.
- Document incident response actions thoroughly to improve future preparedness.
