Sandworm Targets Critical Infrastructure with Aggressive OT Attacks
ID: 8864cb2b-3cc9-5710-9892-21cc14a823e0
STIX ID: report--8864cb2b-3cc9-5710-9892-21cc14a823e0
Feed Name: ThreatCluster
The Sandworm APT has stepped up operations against critical infrastructure by exploiting already-compromised OT environments rather than zero-day flaws; Nozomi Networks identified 29 confirmed incidents (July 2025 to January 2026) affecting manufacturing and transportation. The group relied on legacy malware and older attack vectors (e.g., the EternalBlue SMB exploit, WannaCry), concentrated on lateral movement toward engineering workstations, HMIs and PLCs, escalated to disruptive actions once it was detected, and operated on schedules aligned with Moscow working hours, all of which points to an organized and severe threat to industrial networks.
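Two of the behaviours in this summary translate directly into detection logic: SMB (TCP/445) connections into OT assets from hosts that are not approved engineering workstations (the legacy EternalBlue-style lateral-movement path), and activity that clusters inside Moscow working hours. The following is an added example, not code from the Nozomi Networks report or the ThreatCluster feed; the asset inventory, the approved-workstation list, the 09:00 to 18:00 MSK Monday-to-Friday window and every log line are constructed for illustration, and the flat log format is an assumption rather than any vendor's schema.

```python
"""
Added example (not from the report or the feed): flag SMB connections into OT
assets from non-approved sources and measure how much of that activity falls
inside Moscow working hours. All IPs, asset names and log lines are constructed.
"""
from datetime import datetime, timedelta, timezone

# Moscow has used UTC+3 year-round since 2014, so a fixed offset is sufficient.
MSK = timezone(timedelta(hours=3))

# Constructed asset inventory (assumption: the defender maintains one).
OT_ASSETS = {
    "10.20.0.10": "PLC-LINE1",
    "10.20.0.11": "HMI-LINE1",
    "10.20.0.20": "EWS-01",
}
# Constructed list of engineering workstations allowed to speak SMB to OT assets.
APPROVED_EWS = {"10.20.0.20"}

# Constructed sample log: "<iso-utc-timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
SAMPLE_LOG = [
    "2025-11-04T07:30:00Z 10.10.5.40 10.20.0.11 445 tcp",  # IT host -> HMI over SMB
    "2025-11-04T08:15:00Z 10.10.5.40 10.20.0.10 445 tcp",  # IT host -> PLC over SMB
    "2025-11-04T22:10:00Z 10.10.5.40 10.20.0.20 445 tcp",  # IT host -> EWS, 01:10 MSK
    "2025-11-04T09:00:00Z 10.20.0.20 10.20.0.10 502 tcp",  # approved EWS -> PLC, Modbus
    "2025-11-04T09:05:00Z 10.20.0.20 10.20.0.11 445 tcp",  # approved EWS -> HMI over SMB
]


def parse_line(line):
    """Parse one flat log line into a dict with a timezone-aware UTC timestamp."""
    ts, src, dst, port, proto = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "dst": dst,
        "port": int(port),
        "proto": proto,
    }


def is_suspicious_smb(ev):
    """SMB into an OT asset from a host that is not an approved engineering workstation."""
    return ev["port"] == 445 and ev["dst"] in OT_ASSETS and ev["src"] not in APPROVED_EWS


def in_moscow_working_hours(ts):
    """True when the UTC timestamp falls on Mon-Fri between 09:00 and 18:00 MSK (assumed window)."""
    local = ts.astimezone(MSK)
    return local.weekday() < 5 and 9 <= local.hour < 18


def analyse(lines):
    """Return the flagged SMB events and the share of them inside Moscow working hours."""
    events = [parse_line(l) for l in lines if l.strip()]
    hits = [e for e in events if is_suspicious_smb(e)]
    in_hours = sum(1 for e in hits if in_moscow_working_hours(e["ts"]))
    return {
        "suspicious": [
            (e["src"], OT_ASSETS[e["dst"]], e["ts"].astimezone(MSK).isoformat())
            for e in hits
        ],
        "msk_working_hours_fraction": in_hours / len(hits) if hits else 0.0,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src, asset, when_msk in result["suspicious"]:
        print(f"SMB from {src} to {asset} at {when_msk} (MSK)")
    print(f"fraction inside Moscow working hours: {result['msk_working_hours_fraction']:.2f}")
```

The working-hours fraction is only meaningful over many events and against a baseline of the site's own SMB traffic; a single hit during MSK business hours proves nothing, while a sustained cluster of non-approved SMB into engineering assets that tracks a foreign workday is the pattern the report describes. Swapping the flat parser for Zeek `conn.log` or firewall export fields is the only change needed to run this over real data.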
