AKMSecure Insights

Sandworm Doesn't Need Zero-Days, It Already Has Your OT Credentials

Written by AKMSecure | May 28, 2026 4:04:59 PM

A new Nozomi Networks analysis of 5.5 million alerts across 10 industrial organizations in seven countries has delivered the clearest profile yet of how Sandworm operates inside critical infrastructure. The headline number is the one every OT security leader needs to internalize: every infected system showed serious warning signs an average of 43 days before confirmed Sandworm activity began. In some cases, the lead time stretched to 155 days. This is not a story about clever new exploits. It is a story about credentials and footholds that have been sitting in OT environments for months, waiting to be used.

What the data actually shows

Between July 2025 and January 2026, Nozomi analyzed 5,543,865 alerts from manufacturing and transportation customers across the United States, Mexico, the United Kingdom, Germany, Belgium, Colombia, and Thailand. Of that volume, 1,141,348 alerts (20.6%) originated from ICS-classified assets — engineering workstations, HMIs, PLCs, RTUs, and field controllers. Within that corpus, 29 events were conclusively identified as Sandworm activity, the Russian state-sponsored group also tracked as APT44, Seashell Blizzard, and Voodoo Bear.

Three findings stand out.

Sandworm doesn't burn zero-days. The group is reaching inside OT networks using older, well-documented attack chains: EternalBlue, DoublePulsar, WannaCry, Log4Shell, Cobalt Strike, and various remote access trojans. In the environments where Sandworm achieved the widest lateral movement, Nozomi found existing compromises — credentials, malware, or live command-and-control activity — already present before Sandworm became active. The novel threat is reusing the old breach.

Lateral movement is the playbook. Across the 10 affected organizations, 17 infected machines launched lateral-movement attempts against 923 unique internal systems. One compromised host alone targeted 405 machines. Six hundred and thirty-two systems began generating entirely new alert types after Sandworm made contact, and one infection triggered a 12-fold increase in alert volume. The group doesn't just establish a beachhead, it pivots aggressively toward Purdue Level 1 and 2 systems where physical-world consequences live.

Detection accelerates the attack. This is the finding that should reorder OT incident response priorities. “Without rapid containment, Sandworm does not disengage. It accelerates,” wrote Chris Grove, Nozomi's director of cybersecurity strategy. Most threat actors retreat once they realize defenders have seen them. Sandworm does the opposite, increasing alert volume, broadening its tooling, and shifting focus toward ICS and OT assets specifically to maximize operational disruption before defenders can contain it.

The 43-day window is a credential problem

The reason an attacker can sit inside an OT network for an average of 43 days, then escalate at will when detected, comes down to one structural fact: the credentials, certificates, and access tokens that authorize access to engineering workstations, HMIs, and field controllers persist. They are standing privileges. Once compromised, they remain valid until something or someone manually invalidates them.

In IT, the partial answer to this problem has been certificate lifecycle management, with shorter cert lifetimes, automated renewal, revocation lists, and OCSP checks. None of that translates cleanly to OT. PLCs and RTUs typically cannot reach a public CA for renewal. Many cannot even reach an internal one through the air gaps and segmentation that good OT architecture requires. CRL and OCSP checks assume connectivity that OT environments are explicitly designed not to provide. The result is that OT credentials, where they exist at all, tend to live far longer than their IT counterparts, exactly the conditions Sandworm exploits.

This is the gap PKI was never going to fill. PKI assumes connectivity to certificate authorities, infrastructure to manage cert lifecycles, and operational tempo measured in days or weeks. OT environments do not grant any of those assumptions. The 43-day median warning window is not a detection failure. It is the natural consequence of architectures built on persistent, manually managed credentials.

What changes when there are no standing credentials

Removing persistent credentials from the equation changes the threat model. If every session is independently authorized by dynamic key material that refreshes per session, and never persists on the device or in a credential store, the credential Sandworm stole 43 days ago is worthless today. The foothold becomes ephemeral. The lateral-movement playbook collapses, because each new authentication needs material the attacker does not have and cannot replay.

This is what Autonomous Key Management™ delivers in OT environments. AKMSecure was built for the conditions PKI cannot meet: air-gapped operation, sub-millisecond handshakes, a footprint small enough to run on constrained field controllers, and a symmetric-key architecture that does not depend on a CA to function. Every session is independently verified, with no standing privileges left behind. There is no certificate to harvest, no shared key to reuse, no token to replay.

The shift this enables for OT security teams is less about catching Sandworm faster and more about making the 43-day window structurally irrelevant. The point is not to detect a stale credential being misused on day 43; it is to ensure no credential survives long enough to be misused on day 2.

How to read the Nozomi finding

Three implications for OT and critical infrastructure operators.

First, treat “commodity” alerts as strategic warning indicators, not noise. EternalBlue and Log4Shell are not legacy threats in environments where the original vulnerabilities went unremediated. Every Sandworm-infected system in Nozomi's dataset generated weeks or months of high-confidence alerts before confirmed activity. The intelligence was there. It was treated as routine.

Second, assume Sandworm — and any actor operating like it — escalates after detection. Incident response plans built on the assumption that attackers retreat under pressure are calibrated to the wrong adversary. Pre-position containment and segmentation playbooks for ICS-adjacent assets before they are needed.

Third, and most structurally, stop relying on credentials an attacker can sit on for 43 days. The architectural answer to a 43-day dwell window is not faster detection. It is credentials that do not last 43 hours.
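The first two implications, and the lateral-movement figures quoted earlier, all reduce to per-host signals a defender can compute from an alert feed: how many days of warning preceded confirmed activity, how many unique internal systems a host reached toward, and which alert types first appeared after contact. The following added example (not Nozomi's or AKMSecure's code) computes those three signals over a small, constructed alert set; host names, alert types and the day offsets are assumptions.

```python
from typing import NamedTuple, Optional

class Alert(NamedTuple):
    day: int         # days since monitoring began
    src: str         # host that raised the alert
    dst: str         # internal system it reached toward; "" for host-local alerts
    kind: str        # alert type
    confirmed: bool  # analyst-confirmed Sandworm activity

# Constructed sample alerts (not Nozomi's data): ews-01 shows commodity
# exploit alerts for weeks, then confirmed lateral movement on day 44.
ALERTS = [
    Alert(1, "ews-01", "", "SMBv1-EternalBlue", False),
    Alert(8, "ews-01", "", "SMBv1-EternalBlue", False),
    Alert(30, "ews-01", "", "C2Beacon", False),
    Alert(44, "ews-01", "hmi-03", "LateralSMB", True),
    Alert(44, "ews-01", "plc-07", "LateralSMB", True),
    Alert(45, "ews-01", "plc-08", "ModbusWrite", True),
    Alert(45, "ews-01", "hmi-03", "LateralSMB", True),
    Alert(3, "hmi-02", "", "Log4Shell", False),
    Alert(20, "hmi-02", "", "Log4Shell", False),
]

def first_confirmed_day(alerts, host) -> Optional[int]:
    days = [a.day for a in alerts if a.src == host and a.confirmed]
    return min(days) if days else None

def warning_lead_days(alerts, host) -> Optional[int]:
    """Days from the host's first alert of any kind to its first confirmed event."""
    confirmed = first_confirmed_day(alerts, host)
    if confirmed is None:
        return None
    return confirmed - min(a.day for a in alerts if a.src == host)

def lateral_fanout(alerts, host) -> int:
    """Unique internal systems the host reached toward (the fan-out signal)."""
    return len({a.dst for a in alerts if a.src == host and a.dst})

def new_kinds_after_contact(alerts, host):
    """Alert types first seen on or after the confirmed day ('new alert types')."""
    confirmed = first_confirmed_day(alerts, host)
    if confirmed is None:
        return set()
    before = {a.kind for a in alerts if a.src == host and a.day < confirmed}
    return {a.kind for a in alerts if a.src == host and a.day >= confirmed} - before

def triage(alerts) -> dict:
    """Per-host (lead days, fan-out, new alert types) so warning weeks are surfaced."""
    hosts = sorted({a.src for a in alerts})
    return {h: (warning_lead_days(alerts, h), lateral_fanout(alerts, h),
                len(new_kinds_after_contact(alerts, h))) for h in hosts}
```

A host with weeks of lead time and a rising fan-out is the profile the analysis describes; hmi-02, with unremediated Log4Shell alerts but no confirmed activity, is exactly the kind of "routine" signal the first implication says not to discard.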

About AKMSecure

AKMSecure delivers a patented Autonomous Key Management™ protocol built to replace outdated PKI approaches with a dynamic, quantum-secure, air-gapped-capable architecture. Instead of relying on persistent credentials that can be stolen, reused, or abused, AKM enables independently verified sessions with no standing privileges left behind. The result is a model that better aligns with Zero Trust principles, reduces certificate-based risk, and supports resilient operations across enterprise IT, OT and Tactical Edge environments. Built to NSA-grade security standards and deployable as a lightweight SDK, AKMSecure helps organizations modernize trust at the protocol layer without rebuilding everything around it.