# Full Report
Russian state-sponsored threat group Sandworm is continuing to target industrial and critical infrastructure environments using aggressive lateral movement,... (Source: Industrial Cyber, "Sandworm uses pre-compromised OT environments instead of zero-days to escalate OT, ICS attacks after detection".)
# Analysis Summary
# Threat Actor: Sandworm
## Attribution & Identity
* **Actor Name:** Sandworm
* **Aliases/Tracked As:** APT44, Seashell Blizzard, Voodoo Bear.
* **Affiliation:** Russian state-sponsored group (linked to Moscow/Russian intelligence services).
* **Operational Style:** Bureaucratic execution model with centralized tasking, closely aligned with Moscow government working hours.
## Activity Summary
* **Reporting Period:** July 2025 to January 2026.
* **Campaign Scope:** Nozomi Networks identified 29 confirmed Sandworm-related events across 10 industrial organizations in seven countries.
* **Key Finding:** The group is leveraging "pre-compromised" environments rather than zero-days. Warning signs appear on average 43 days before high-intensity Sandworm activity begins.
* **Escalation Pattern:** Unlike many actors who disengage upon detection, Sandworm aggressively escalates operations against OT/ICS systems to maximize disruption once it realizes it has been discovered.
## Tactics, Techniques & Procedures
* **Lateral Movement:** Extremely aggressive expansion; a single compromised host was observed targeting over 400 internal systems.
* **Exploitation of Known Vulnerabilities:** Reuse of older but still effective attack chains rather than new exploits.
* **Living off the Land (LotL):** Use of legitimate system tools to evade detection.
* **Persistence:** Establishing long-term access weeks or months before the "loud" phase of an attack.
* **Tactical Shift:** Moving from IT environments into deep OT layers (Engineering workstations, PLCs, RTUs).
**MITRE ATT&CK IDs Mentioned/Inferred:**
* **T1210** - Exploitation of Remote Services (EternalBlue/Log4Shell)
* **T1021** - Remote Services (Lateral Movement)
* **T0859** - External Network Boundary (OT-specific targeting)
## Targeting
* **Sectors:** Manufacturing, Transportation, Utilities (Energy/Power/Water), and Critical Infrastructure.
* **Geography:** Global (Operations tracked across seven countries including Europe and the U.S.).
* **Victims:** Engineering workstations, Human Machine Interfaces (HMIs), Programmable Logic Controllers (PLCs), and Remote Terminal Units (RTUs).
## Tools & Infrastructure
* **Malware Families:**
  * WannaCry
  * DynoWiper (linked to attacks on Poland's power grid)
* **Exploit Frameworks:**
  * EternalBlue
  * DoublePulsar
  * Log4Shell (CVE-2021-44228)
* **Post-Exploitation:**
  * Cobalt Strike
  * Webshells
## Implications
* **Strategic Reliability:** Sandworm’s shift toward pre-compromised environments suggests a focus on operational efficiency and reliability over the "burnable" nature of zero-days.
* **Threat to Life/Safety:** By escalating after detection, the group poses a severe risk to industrial safety, as it may trigger disruptive ICS commands in a "smash and grab" attempt to cause damage before being evicted.
* **Deterrence Failure:** Standard "detection and response" cycles are challenged by Sandworm’s tendency to accelerate rather than retreat.
## Mitigations
* **Early Detection of Precursors:** Focus on identifying older lateral movement tools (EternalBlue, Cobalt Strike) that serve as leading indicators of a Sandworm intrusion.
* **Rapid Containment:** Because the actor accelerates after detection, incident response plans must prioritize immediate isolation of infected segments rather than mere observation.
* **Vulnerability Management:** Prioritize patching legacy vulnerabilities (like Log4Shell) that Sandworm continues to recycle.
* **IT/OT Segmentation:** Harden the boundary between corporate networks and ICS environments to prevent the aggressive lateral movement noted in recent campaigns.
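As an added example, not code from the Industrial Cyber article or from Nozomi Networks: a small fan-out detector over constructed flow records. It flags any source that reaches an unusual number of distinct internal hosts within a time window (the behaviour behind the 400-system sweep noted above) and recommends immediate isolation when the sweep crosses into the OT segment, tying together the rapid-containment and IT/OT segmentation points. The address plan, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed addressing plan (constructed): 10.1.0.0/16 is corporate IT, 10.20.0.0/16 is OT/ICS.
OT_NETWORKS = [ip_network("10.20.0.0/16")]
FANOUT_THRESHOLD = 50          # distinct internal destinations from one source within WINDOW
WINDOW = timedelta(hours=1)


def make_sample_flows():
    """Constructed flow records (timestamp, src, dst, dst_port), not real telemetry."""
    base = datetime(2025, 9, 3, 2, 10)
    flows = []
    # One compromised IT host sweeping SMB (445) across 40 IT hosts and then 20 OT hosts.
    for n in range(1, 61):
        dst = f"10.1.7.{n}" if n <= 40 else f"10.20.3.{n}"
        flows.append((base + timedelta(seconds=n), "10.1.5.23", dst, 445))
    # Benign: a file server talking to a handful of clients.
    for n in range(1, 6):
        flows.append((base + timedelta(minutes=n), "10.1.9.2", f"10.1.8.{n}", 445))
    return flows


def detect_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: finding} for sources reaching >= threshold distinct hosts in any sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        by_src[src].append((ts, dst, port))
    findings = {}
    for src, events in by_src.items():
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide window start forward
                start += 1
            dsts = {d for _, d, _ in events[start:end + 1]}
            if len(dsts) >= threshold and (best is None or len(dsts) > best[0]):
                best = (len(dsts), dsts, events[start][0])
        if best:
            count, dsts, first_seen = best
            ot = [d for d in dsts if any(ip_address(d) in net for net in OT_NETWORKS)]
            findings[src] = {
                "distinct_targets": count,
                "ot_targets": len(ot),
                "crosses_it_ot_boundary": bool(ot),
                "first_seen": first_seen,
                # Actor accelerates after detection: isolate on boundary crossing, do not just watch.
                "action": "isolate" if ot else "investigate",
            }
    return findings
```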