New research confirms that the Russian state-sponsored threat group Sandworm leverages pre-compromised operational technology (OT) environments - rather than zero-day exploits - to intensify attacks on industrial control systems (ICS) after initial detection, posing heightened risk to manufacturing and critical infrastructure operators worldwide.
According to research published by Nozomi Networks, the group was identified in 29 confirmed intrusion events across 10 industrial organizations in seven countries between July 2025 and January 2026, with targeted sectors spanning manufacturing, transportation, pharmaceuticals, food production, and motor vehicles. The findings reveal a deliberate operational shift that challenges IT-centric defense assumptions and places OT/ICS environments at the center of cross-domain risk.
Background
Sandworm - also tracked as APT44, ELECTRUM, and Seashell Blizzard, and linked to Russia's GRU military intelligence directorate - has a long history of targeting critical infrastructure with destructive intent. The group was responsible for the 2015 and 2016 attacks on Ukrainian electrical infrastructure, the 2017 global NotPetya wiper attack, and the 2018 Olympic Destroyer campaign, according to a 2020 U.S. federal indictment.
The threat landscape has since broadened. ESET researchers attributed a late December 2025 cyberattack on Poland's power grid, which deployed data-wiping malware named DynoWiper, to Sandworm with medium confidence, based on overlaps with prior Sandworm wiper activity. The attack targeted approximately 30 distributed energy sites, including combined heat and power facilities and renewable energy dispatch systems, according to OPSWAT's ICS/OT threat landscape analysis.
Amazon Threat Intelligence separately documented that beginning in 2025, Sandworm activity showed a decline in zero-day and n-day exploitation and a corresponding increase in targeting misconfigured network edge devices, exposed management interfaces, and identity-related weaknesses across energy companies and Western critical infrastructure.
Details
The Nozomi Networks analysis, drawn from 5,543,865 anonymized alerts across organizations in the U.S., Mexico, U.K., Germany, Belgium, Colombia, and Thailand, identified attack patterns with direct implications for OT incident response.
Of total alert volume, 20.6% originated from ICS-classified source assets, including engineering workstations, field controllers, remote terminal units (RTUs), and human-machine interfaces (HMIs). The research found that Sandworm relied primarily on long-public exploits and tooling - the EternalBlue SMB exploit and its DoublePulsar implant, WannaCry, Log4Shell, and the Cobalt Strike post-exploitation framework - reusing footholds in already-compromised environments rather than deploying novel attack techniques.
The lateral movement data is particularly significant for OT security architects. One compromised machine was observed targeting 405 internal systems, while infected hosts collectively attempted access against 923 unique internal targets. Critically, every infected system showed warning signs an average of 43 days before confirmed Sandworm activity began - a window that existing monitoring deployments largely failed to act on.
Unlike ransomware groups, Sandworm operates as a state-directed military cyber-sabotage unit focused on disruption and real-world operational impact rather than financial gain, according to the Nozomi report. The research confirms that after detection, Sandworm escalates operations by increasing attack severity, expanding tooling, and shifting focus toward ICS and OT environments to maximize operational disruption - inverting the assumption that detection and containment are synonymous.
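The three signals described above - the share of alerts sourced from ICS-classified assets, a single host fanning out to hundreds of internal targets, and low-severity warning signs weeks before confirmed activity that then escalates in severity - are all computable from ordinary alert records. The Python script below is an added example written for this page, not code from Nozomi Networks or from the article. It runs over a small constructed set of alert records (not real telemetry); the record fields, asset-class labels, signature names, and the ten-target fan-out threshold are assumptions chosen for illustration.

```python
"""Lateral-movement fan-out, ICS-source share and warning-lead checks over OT alert records.

Added example; alert records below are constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Asset classes treated as ICS-classified sources (assumed label names).
ICS_ASSET_CLASSES = {"engineering_workstation", "plc", "rtu", "hmi"}

# Signatures treated as confirmed post-exploitation activity; everything
# earlier from the same host counts as a "warning sign" (assumed names).
CONFIRMED_SIGNATURES = {"cobalt_strike_beacon", "doublepulsar_implant"}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    src_class: str
    dst: str
    signature: str
    severity: int  # 1 (informational) .. 10 (critical)


def build_sample_alerts():
    """Constructed sample: one engineering workstation probing twelve PLCs,
    then a confirmed implant 43 days after the first probe, plus an IT
    laptop with two unrelated alerts against a single file server."""
    base = datetime(2025, 9, 1)
    alerts = []
    for i in range(12):
        alerts.append(Alert(base + timedelta(days=i), "ews-01", "engineering_workstation",
                            f"plc-{i:02d}", "smb_eternalblue_probe", 4))
    alerts.append(Alert(base + timedelta(days=43), "ews-01", "engineering_workstation",
                        "hmi-03", "cobalt_strike_beacon", 9))
    alerts.append(Alert(base + timedelta(days=44), "ews-01", "engineering_workstation",
                        "rtu-07", "doublepulsar_implant", 10))
    alerts.append(Alert(base + timedelta(days=3), "it-laptop-7", "workstation",
                        "fileserver-1", "smb_eternalblue_probe", 4))
    alerts.append(Alert(base + timedelta(days=5), "it-laptop-7", "workstation",
                        "fileserver-1", "smb_eternalblue_probe", 4))
    return alerts


def fanout(alerts):
    """Number of unique internal targets touched by each source host."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a.src].add(a.dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def ics_source_share(alerts):
    """Fraction of alerts whose source asset is ICS-classified."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a.src_class in ICS_ASSET_CLASSES) / len(alerts)


def flag_lateral_movement(alerts, min_targets=10):
    """Sources fanning out to at least min_targets unique hosts, as
    (source, target_count, source_is_ics) tuples."""
    classes = {a.src: a.src_class for a in alerts}
    return sorted((src, n, classes[src] in ICS_ASSET_CLASSES)
                  for src, n in fanout(alerts).items() if n >= min_targets)


def warning_lead_days(alerts, confirmed=CONFIRMED_SIGNATURES):
    """Days from a host's first alert of any kind to its first confirmed-activity alert.
    Hosts with no confirmed activity are omitted."""
    first_any, first_confirmed = {}, {}
    for a in sorted(alerts, key=lambda a: a.ts):
        first_any.setdefault(a.src, a.ts)
        if a.signature in confirmed:
            first_confirmed.setdefault(a.src, a.ts)
    return {src: (first_confirmed[src] - first_any[src]).days for src in first_confirmed}


def severity_before_after(alerts, src, detection_ts=None):
    """Mean alert severity from src before vs. at/after detection_ts; a rising
    value after detection is the escalation pattern the report describes.
    Defaults to the host's first confirmed-activity alert as the detection time."""
    if detection_ts is None:
        detection_ts = min(a.ts for a in alerts
                           if a.src == src and a.signature in CONFIRMED_SIGNATURES)

    def mean(xs):
        return sum(xs) / len(xs) if xs else 0.0

    before = [a.severity for a in alerts if a.src == src and a.ts < detection_ts]
    after = [a.severity for a in alerts if a.src == src and a.ts >= detection_ts]
    return mean(before), mean(after)


if __name__ == "__main__":
    alerts = build_sample_alerts()
    print(f"ICS-classified source share: {ics_source_share(alerts):.1%}")
    for src, n, is_ics in flag_lateral_movement(alerts):
        print(f"{src}: {n} unique internal targets (ICS source: {is_ics})")
    for src, days in warning_lead_days(alerts).items():
        print(f"{src}: confirmed activity {days} days after first warning sign")
    print("ews-01 mean severity before/after detection:", severity_before_after(alerts, "ews-01"))
```

On the constructed data the workstation is flagged at 14 unique targets with a 43-day lead from first probe to confirmed implant, and its mean severity rises from 4.0 before detection to 9.5 after it. In a real deployment the fan-out threshold should be set per asset class (an engineering workstation legitimately talks to many controllers), and the lead-time metric is only meaningful if low-severity probe alerts are retained long enough to be correlated weeks later.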
Microsoft's threat intelligence team previously documented that a Sandworm subgroup, operating under the BadPilot campaign since at least late 2021, obtained access to targets across energy, oil and gas, telecommunications, shipping, and arms manufacturing sectors spanning more than 15 countries.
Transportation and manufacturing remained the first and second most targeted sectors across all OT/ICS incidents for full-year 2025, with government moving into third place, according to Nozomi Networks' 2H 2025 OT/IoT threat report.
Outlook
The Nozomi findings reinforce growing pressure on industrial security operations centers (SOCs) to integrate OT-specific anomaly detection, asset visibility, and cross-domain telemetry fusion into incident response playbooks. NIST Cybersecurity Framework 2.0, alongside CISA's Cross-Sector Cybersecurity Performance Goals released in December 2025, emphasizes network segmentation, zero-trust principles, and lateral movement mitigation as essential cybersecurity objectives for critical infrastructure operators.
The U.S. OT security market is projected to grow from $4.64 billion in 2025 to $9.37 billion by 2030, at a compound annual growth rate of 15.1%, according to MarketsandMarkets, driven in part by the threat dynamics this research confirms. For plant managers and OT security architects, the 43-day pre-activity warning window documented in the Nozomi data represents an actionable detection gap - one that unified IT/OT monitoring and ICS-specific behavioral analytics are designed to close.
