⚡ TL;DR for Defenders
Sandworm (APT44/Seashell Blizzard), Russia’s GRU Unit 74455, was detected exploiting pre-compromised industrial environments across 10 organizations in 7 countries. The group does not rely on zero-day exploits — it capitalizes on existing infections including EternalBlue, Log4Shell, and Cobalt Strike. Every infected system generated an average of 43 days of advance warnings that went uninvestigated. Most critically, Sandworm escalates after detection rather than retreating, shifting focus directly toward ICS assets including PLCs, RTUs, HMIs, and engineering workstations.
Every Sandworm-infected industrial system in a new study gave defenders an average of 43 days of advance warning. None of them were investigated.
That’s the central finding from Nozomi Networks’ deep analysis of Sandworm activity across 10 industrial customers in seven countries — the first quantitative study of how Russia’s most destructive cyber-sabotage unit operates inside OT environments. Published May 13, 2026, the research draws on 5.5 million alerts from manufacturing and transportation organizations in the U.S., Mexico, U.K., Germany, Belgium, Colombia, and Thailand, spanning July 2025 through January 2026.
The results challenge a common assumption about advanced persistent threats: that state-sponsored actors use sophisticated, novel techniques to breach their targets. Sandworm does not. It moves into environments that are already compromised — and then it escalates.
What Happened
Nozomi Networks analyzed anonymized telemetry consisting of 5,543,865 alerts collected from 10 industrial customers across seven countries. These organizations operate in the manufacturing and transportation sectors, including pharmaceuticals, food production, motor vehicles, computer equipment, and textiles.
Of the total alert volume, 1,141,348 alerts (20.6%) originated from ICS-classified source assets — engineering workstations, field controllers (RTUs, PLCs, IEDs), and human-machine interfaces. Within this corpus, 29 events were conclusively identified as Sandworm activity using signature-based detections, including YARA rules and validated threat intelligence indicators.
The 17 Sandworm-infected machines identified across the 10 customers conducted lateral movement against 923 unique internal targets. In the most extreme case, a single infected system attempted lateral movement against 405 internal targets. One infection event triggered a 12-fold increase in alert volume.
Technical Breakdown
Pre-Existing Compromise as a Launch Pad
The pattern was consistent across all victims: systems compromised by Sandworm were already heavily infected before Sandworm activity began.
- Three victims with the widest lateral movement already showed active EternalBlue → DoublePulsar → WannaCry exploit chains
- Four victims had ongoing command-and-control activity using Cobalt Strike, Metasploit, and other Remote Access Trojans
- Three victims experienced a second wave leveraging Log4Shell as the initial access vector
Sandworm did not need novel exploits. It simply capitalized on environments that were already “owned.”
Bureaucratic Execution Model
Activity strongly correlates with standard Russian government working hours, peaking midweek (Wednesday at approximately 2:00 PM Moscow time) and following a predictable pattern: Monday tasking stabilization, Tuesday coordination, Wednesday execution begins in earnest, Thursday–Friday reporting and cleanup.
During the timeline overlapping with the attributed Polish power grid attack, Sandworm’s acquisition rate of new victims decreased by approximately 2.2x — averaging one new victim every 24.7 days versus the prior pace of one every 11.4 days — suggesting resource reallocation toward that operation.
Post-Detection Escalation
In every affected environment, Sandworm activity intensified after detection across multiple dimensions simultaneously:
| Escalation Dimension | Observed Behavior |
|---|---|
| Alert Volume | Daily alert rate increased post-detection |
| Alert Type Variety | More distinct alert categories fired |
| Threat Diversity | New malware and threat identifiers deployed |
| New Attack Types | Previously unseen alert types appeared |
| Target Expansion | More unique destination IPs contacted |
| Port Expansion | More destination ports probed |
| MITRE Danger Shift | Tactics shifted toward Impact and Inhibit Response |
Most victims experienced escalation across 4–6 out of 7 dimensions simultaneously, indicating coordinated post-detection adaptation.
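As an added example, not code from the Nozomi report, the seven-dimension escalation check from the table above applied to a constructed alert timeline for one asset; the alert fields, the detection timestamp and the seven-day comparison window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed alerts for one asset (not the Nozomi telemetry):
# (UTC timestamp, alert type, threat identifier, destination IP, destination port, ATT&CK for ICS tactic)
ALERTS = [
    (datetime(2025, 9, 1), "smb-exploit", "EternalBlue", "10.1.0.5", 445, "Lateral Movement"),
    (datetime(2025, 9, 3), "c2-beacon", "CobaltStrike", "203.0.113.7", 443, "Command and Control"),
    (datetime(2025, 9, 7), "smb-exploit", "EternalBlue", "10.1.0.6", 445, "Lateral Movement"),
    (datetime(2025, 9, 11), "smb-exploit", "EternalBlue", "10.1.0.7", 445, "Lateral Movement"),
    (datetime(2025, 9, 11), "port-scan", "Sandworm", "10.2.0.10", 502, "Discovery"),
    (datetime(2025, 9, 12), "port-scan", "Sandworm", "10.2.0.11", 20000, "Discovery"),
    (datetime(2025, 9, 12), "plc-write", "Sandworm", "10.2.0.12", 502, "Inhibit Response Function"),
    (datetime(2025, 9, 13), "hmi-access", "Sandworm", "10.2.0.13", 3389, "Impact"),
]
DETECTION = datetime(2025, 9, 10)  # assumed: first Sandworm signature hit on this asset

# Tactics treated as the "danger" end of the MITRE shift (Impact, Inhibit Response).
DANGER_TACTICS = {"Impact", "Inhibit Response Function"}

def window_stats(alerts, days):
    """Summarise one window of alerts along the seven escalation dimensions."""
    return {
        "rate": len(alerts) / days,                              # alert volume
        "types": {a[1] for a in alerts},                         # alert type variety / new attack types
        "threats": {a[2] for a in alerts},                       # threat diversity
        "dst": {a[3] for a in alerts},                           # target expansion
        "ports": {a[4] for a in alerts},                         # port expansion
        "danger": sum(a[5] in DANGER_TACTICS for a in alerts),   # MITRE danger shift
    }

def escalation_dimensions(alerts, detection, window_days=7):
    """Dimensions on which the window after detection exceeds the equal-length window before it."""
    pre = [a for a in alerts if detection - timedelta(days=window_days) <= a[0] < detection]
    post = [a for a in alerts if detection <= a[0] < detection + timedelta(days=window_days)]
    p, q = window_stats(pre, window_days), window_stats(post, window_days)
    checks = [
        ("alert_volume", q["rate"] > p["rate"]),
        ("alert_type_variety", len(q["types"]) > len(p["types"])),
        ("threat_diversity", len(q["threats"]) > len(p["threats"])),
        ("new_attack_types", bool(q["types"] - p["types"])),
        ("target_expansion", len(q["dst"]) > len(p["dst"])),
        ("port_expansion", len(q["ports"]) > len(p["ports"])),
        ("mitre_danger_shift", q["danger"] > p["danger"]),
    ]
    return [name for name, hit in checks if hit]

if __name__ == "__main__":
    hits = escalation_dimensions(ALERTS, DETECTION)
    print(f"{len(hits)}/7 dimensions escalated: {hits}")
```

On the constructed timeline six of seven dimensions escalate; threat diversity does not, because the post-detection window still carries only two distinct threat identifiers.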
⚠️ Direct ICS Targeting Confirmed
ICS assets were explicitly targeted after escalation: 286 engineering workstations at one victim, 102 at another, 52 field controllers (RTUs, PLCs, IEDs) at one victim, and 95 HMIs at another. The targeting of Purdue Level 1 and Level 2 assets confirms deliberate OT-specific intent.
Who Is Affected
Any organization running industrial control systems, particularly in manufacturing and transportation. The study documented victims in:
- Sectors: Pharmaceuticals, food production, motor vehicles, computer equipment, textiles, transportation
- Countries: United States, Mexico, United Kingdom, Germany, Belgium, Colombia, Thailand
- At risk: Any facility with unresolved EternalBlue, Log4Shell, or active C2 frameworks in its environment
Why This Matters
Sandworm Is Not a Conventional Threat
Sandworm stands apart from all other threat actors because it combines three characteristics no other group shares simultaneously:
- State-directed military mission focused on disruption and physical impact (not profit or espionage)
- Deliberate ICS targeting — it doesn’t stop at IT; it specifically pursues PLCs, HMIs, and engineering workstations
- Post-detection escalation — rather than retreating when discovered, it accelerates
History of Destructive Impact
| Year | Operation | Impact |
|---|---|---|
| Dec 2015 | BlackEnergy | First cyber-induced blackout — 230,000 customers affected |
| Dec 2016 | Industroyer / CRASHOVERRIDE | Second Ukrainian power grid attack using purpose-built OT malware |
| Jun 2017 | NotPetya | Destructive wiper — billions in global damages |
| Apr 2022 | Industroyer2 | Attempted power disruption during Ukraine war |
| 2025 | Ongoing campaigns | Ukrainian energy/water targets + attributed Polish grid attacks |
The 43-Day Warning Window
🔑 Key Insight
Every Sandworm-infected system produced 20 to 155 days of warning alerts prior to Sandworm activity. Average: 43 days. Investigating any of these alerts — EternalBlue, Cobalt Strike, RAT activity, or Log4Shell — would likely have revealed compromised systems before Sandworm arrived. These were not stealthy zero-day attacks. These were noisy, well-documented techniques that went uninvestigated.
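As an added example, not code from the Nozomi study, the warning-window metric described above computed over constructed per-asset alert timelines; the asset names, dates, the `Sandworm` label and the precursor set are assumptions, and an asset whose precursor alert only fires after the Sandworm detection is reported as having had no advance warning.

```python
from datetime import datetime

# Commodity indicators the study counts as advance warnings (assumed labels, not the vendor's signature names).
PRECURSORS = {"EternalBlue", "DoublePulsar", "WannaCry", "Log4Shell", "CobaltStrike", "Metasploit", "RAT"}

# Constructed per-asset alert timelines (not the Nozomi telemetry): (asset, timestamp, threat identifier)
ALERTS = [
    ("EWS-01", datetime(2025, 7, 4), "EternalBlue"),
    ("EWS-01", datetime(2025, 7, 20), "CobaltStrike"),
    ("EWS-01", datetime(2025, 8, 13), "Sandworm"),
    ("HMI-07", datetime(2025, 9, 1), "Log4Shell"),
    ("HMI-07", datetime(2025, 9, 21), "Sandworm"),
    ("PLC-GW-02", datetime(2025, 10, 2), "Metasploit"),
    ("PLC-GW-02", datetime(2025, 10, 2), "Sandworm"),    # same day: zero days of warning
    ("SRV-03", datetime(2025, 12, 1), "Sandworm"),
    ("SRV-03", datetime(2025, 12, 10), "CobaltStrike"),  # precursor seen only afterwards: no warning
    ("RTU-11", datetime(2025, 11, 5), "WannaCry"),       # never reached the Sandworm stage: not scored
]

def warning_windows(alerts, sandworm_id="Sandworm"):
    """Days between the first precursor alert on an asset and the first Sandworm detection on it.

    Returns {asset: days} for every asset with a Sandworm detection; None means the
    precursor was absent or arrived only after detection, i.e. no advance warning.
    """
    first_precursor, first_sandworm = {}, {}
    for asset, ts, threat in sorted(alerts, key=lambda a: a[1]):
        if threat == sandworm_id:
            first_sandworm.setdefault(asset, ts)
        elif threat in PRECURSORS:
            first_precursor.setdefault(asset, ts)
    windows = {}
    for asset, sw_ts in first_sandworm.items():
        pre_ts = first_precursor.get(asset)
        windows[asset] = (sw_ts - pre_ts).days if pre_ts is not None and pre_ts <= sw_ts else None
    return windows

def average_warning_days(windows):
    """Mean warning window over assets that had one; assets with None are excluded."""
    vals = [d for d in windows.values() if d is not None]
    return sum(vals) / len(vals) if vals else 0.0

if __name__ == "__main__":
    w = warning_windows(ALERTS)
    for asset, days in w.items():
        print(f"{asset}: {'no advance warning' if days is None else f'{days} days'}")
    print(f"average: {average_warning_days(w):.1f} days")
```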
MITRE ATT&CK for ICS Mapping
| Tactic | Technique | Sandworm Application |
|---|---|---|
| Initial Access | T0866 — Exploitation of Remote Services | Leveraged pre-existing EternalBlue and Log4Shell compromises |
| Execution | T0871 — Execution through API | Cobalt Strike and Metasploit beacons for command execution |
| Lateral Movement | T0886 — Remote Services | Aggressive scanning of 923 internal targets from 17 machines |
| Discovery | T0846 — Remote System Discovery | Port expansion and service enumeration post-detection |
| Collection | T0802 — Automated Collection | Systematic targeting of engineering workstations |
| Inhibit Response | T0816 — Device Restart/Shutdown | MITRE danger score shifted toward Inhibit Response post-detection |
| Impact | T0882 — Theft of Operational Information | Targeting HMIs and field controllers for process data |
Defensive Recommendations
Immediate (0–30 days)
- Audit for commodity compromises NOW: Search for active EternalBlue, DoublePulsar, WannaCry, Log4Shell, Cobalt Strike, and Metasploit indicators across IT and OT networks. Any finding is a potential Sandworm launch pad.
- Investigate “routine” alerts: Stop treating known exploit chain alerts as noise. Every Sandworm victim had weeks of advance warnings that were ignored.
- Isolate compromised systems immediately: Do not attempt partial remediation. Sandworm adapts to incomplete containment.
Short-Term (30–90 days)
- Enforce IT/OT segmentation: Validate that lateral movement from IT to OT is blocked at the network level. Sandworm’s primary tactic is internal expansion.
- Harden engineering workstations: These are Sandworm’s primary OT targets. Remove them from general-purpose IT tasks, disable internet access, and apply heightened monitoring.
- Deploy OT network monitoring: Detect abnormal internal scanning, unusual authentication attempts, and service enumeration against ICS assets.
Long-Term (90+ days)
- Implement credential hygiene: Rotate credentials aggressively. Sandworm leverages existing compromises, meaning stolen credentials persist across remediation attempts.
- Prepare for post-detection escalation: Update incident response playbooks to assume the attacker will accelerate — not retreat — after discovery. Plan for rapid isolation of OT-adjacent systems.
- Align to geopolitical risk cycles: Increase monitoring during periods of heightened geopolitical tension involving Russia. Sandworm activity historically precedes kinetic military operations.
IndustrialSecOps Analyst Assessment
Severity Rating: CRITICAL
This is the first quantitative evidence that Sandworm systematically exploits already-compromised industrial environments rather than deploying novel zero-days. The implication is stark: if your OT environment has unresolved commodity malware infections — EternalBlue, Log4Shell, active C2 beacons — you may already be providing a launch pad for state-sponsored attacks against your own industrial control systems. The 43-day average warning window means detection is not the problem. Investigation and response discipline is. Sandworm’s confirmed escalation behavior after detection means that half-measures are worse than no measures — partial remediation gives the attacker a signal to accelerate while leaving the door open.
Sources: Nozomi Networks, “Sandworm Activity in Industrial Environments: What the Data Reveals” (May 13, 2026); Industrial Cyber, “Sandworm uses pre-compromised OT environments instead of zero-days to escalate OT, ICS attacks after detection” (May 14, 2026); Mandiant, APT44 designation (April 2024)