Sandworm Hackers Pivot From IT Systems to Critical OT Assets
Sandworm hackers pivot from compromised IT systems toward critical OT assets, exposing vulnerabilities in industrial control networks. This calculated shift has raised concerns across industries that rely on operational technology (OT) to manage physical infrastructure.
Understanding Sandworm’s Tactics and Campaigns
Sandworm, a Russian state-sponsored group also known as APT44, Seashell Blizzard, and Voodoo Bear, has a destructive history. The group is linked to attacks on Ukraine’s power grid and the infamous NotPetya malware outbreak. Unlike financially motivated cybercriminals, Sandworm’s goal is disruption and physical damage.
Leveraging Unresolved IT Compromises
Recent research from Nozomi Networks shows Sandworm leveraging unresolved IT compromises to infiltrate OT environments. Their campaign did not depend on novel exploits. Instead, they used tools like EternalBlue, DoublePulsar, and WannaCry, which have been known and patchable for years. Sandworm exploited these vulnerabilities, originally left open by other attackers, to gain a foothold in IT systems and pivot toward OT assets.
Scale and Aggression of the Attacks
The analysis identified 29 Sandworm events across seven countries, revealing a threat actor that moves methodically and scales aggressively. Once inside a network, Sandworm did not remain silent. Seventeen infected machines launched lateral movement attacks against 923 unique internal targets. In one case, a single compromised host attacked 405 internal systems, causing a 12-fold spike in alert volume.
- 29 Sandworm events tracked
- Attacks spanned seven countries
- 17 infected machines targeted 923 internal systems
- Known exploits like EternalBlue and WannaCry used
Targeting Industrial Control Systems: Why It Matters
Sandworm’s pivot toward critical OT assets is significant because these systems manage physical equipment in factories, power plants, and transportation networks. The group’s targets were not random. They focused on engineering workstations, human-machine interfaces (HMIs), field controllers, remote terminal units (RTUs), programmable logic controllers (PLCs), and intelligent electronic devices (IEDs).
Potential Consequences for Organisations
OT assets are essential for the safe operation of industrial environments. Compromising these systems can lead to:
- Disruption of essential services (e.g., electricity, water, transport)
- Damage to physical equipment
- Safety risks for employees and the public
- Reputational and financial losses
In one victim site, 286 engineering workstations were targeted. Another site saw 95 HMIs in the crosshairs. These attacks demonstrate Sandworm’s intent to cause widespread disruption by targeting the backbone of industrial operations.
Lessons for Organisations: Prevention and Response Strategies
What makes this campaign especially troubling is how preventable much of it was. Every infected system had generated weeks or months of high-confidence security alerts before Sandworm arrived. On average, compromised systems sent warning signals for 43 days. Yet, these noisy intrusions went uninvestigated, giving attackers time to escalate their activities.
Strengthening Defences Against IT-to-OT Threats
- Patch Management: Ensure all systems are regularly updated, especially against well-known exploits like EternalBlue and WannaCry.
- Segmentation: Separate IT and OT networks to limit lateral movement and protect critical assets.
- Monitoring and Response: Investigate security alerts promptly, focusing on unusual activity in both IT and OT environments.
- Incident Response Planning: Develop and practise incident response plans that include scenarios involving IT-to-OT pivots.
- Access Controls: Limit user privileges and secure remote access to OT systems.
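The two signals the research highlights, one host fanning out to hundreds of internal targets and alerts left open for weeks before anyone looks, can both be measured directly in alert data. The Python below is an added example, not code from this article or from Nozomi Networks; its alert records, host names, thresholds and baseline rate are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts, not report data: (ISO timestamp, source host, destination host, rule, investigated?)
RAW_ALERTS = (
    # an IT file server beaconing weekly since early February, never triaged
    [(f"2024-02-{d:02d}T08:00:00", "it-file-02", "dc-01", "smb-doublepulsar-beacon", False)
     for d in (6, 13, 20, 27)]
    + [(f"2024-03-{d:02d}T08:00:00", "it-file-02", "dc-01", "smb-doublepulsar-beacon", False)
       for d in (5, 12, 19)]
    # a burst of SMB exploit attempts from one engineering workstation against six PLCs
    + [(f"2024-03-20T09:00:{i:02d}", "ews-07", f"plc-{i + 1:02d}", "smb-eternalblue-attempt", False)
       for i in range(6)]
    # one alert the team did investigate
    + [("2024-03-19T10:00:00", "hmi-03", "hist-01", "unexpected-rdp", True)]
)
ALERTS = [(datetime.fromisoformat(ts), src, dst, rule, inv) for ts, src, dst, rule, inv in RAW_ALERTS]
NOW = datetime(2024, 3, 20, 12, 0, 0)  # constructed "time of review"

def fanout_by_source(alerts):
    """Unique internal destinations each alerting host has reached for (lateral-movement fan-out)."""
    targets = defaultdict(set)
    for _, src, dst, _, _ in alerts:
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}

def lateral_movement_hosts(alerts, min_targets=5):
    """Hosts whose fan-out exceeds what a single workstation should ever need."""
    return sorted(src for src, n in fanout_by_source(alerts).items() if n >= min_targets)

def uninvestigated_days(alerts, now):
    """Days each host has carried open, uninvestigated alerts (the report's 43-day average)."""
    first_open = {}
    for ts, src, _, _, investigated in alerts:
        if not investigated:
            first_open[src] = min(first_open.get(src, ts), ts)
    return {src: (now - ts).days for src, ts in first_open.items()}

def daily_spike(alerts, baseline_per_day):
    """Busiest day's alert count relative to the site's normal daily rate (12-fold in the campaign)."""
    per_day = defaultdict(int)
    for ts, *_ in alerts:
        per_day[ts.date()] += 1
    return max(per_day.values()) / baseline_per_day

if __name__ == "__main__":
    print("lateral movers:", lateral_movement_hosts(ALERTS))
    print("open alert age (days):", uninvestigated_days(ALERTS, NOW))
    print("alert spike vs baseline:", daily_spike(ALERTS, baseline_per_day=0.5))
```

Real deployments would replace the tuples with records from the SIEM or OT monitoring platform and tune the fan-out threshold and baseline rate per site.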
Educating Staff and Building Awareness
Employees should be trained to recognise suspicious activity and understand the importance of reporting anomalies. OT engineers and IT teams must collaborate, sharing knowledge and insights to strengthen overall security posture. Security awareness programmes can play a vital role in preventing overlooked vulnerabilities.
Key Takeaways for Professionals
- Sandworm hackers pivot from compromised IT systems toward critical OT assets, exploiting unresolved vulnerabilities.
- The campaign used old, well-known exploits, emphasising the importance of patching and monitoring.
- Industrial control systems are prime targets, with attacks capable of causing physical and operational disruption.
- Prompt investigation of security alerts and network segmentation are vital for preventing IT-to-OT pivots.
Organisations should treat security alerts with urgency and ensure their defences are robust across both IT and OT environments. The Sandworm campaign serves as a reminder that routine vulnerabilities can have far-reaching consequences if left unaddressed.
Originally reported by Inoreader: Cyber Attacks.