Top 5 SAP Cybersecurity Incidents

SAP security used to be a terra incognita, with almost no real attacks on SAP systems known to the public. However, times have changed. Several weeks ago, after the US-CERT alert, almost every media outlet published sensational news about potential attacks on SAP systems installed in the largest companies worldwide.

The news was rather shocking and raised many questions, as it turned out that SAP systems can be hacked by attackers and, what is more, that it was state-backed Chinese hackers who did so.

Although SAP Security incidents have been known since 2012 and experts have been warning about them for the last 10 years, this news stirred up public opinion much more than the previous ones. Even though the news made a lot of people start taking SAP Security seriously, the situation still requires some clarification. So, let’s look at the most significant incidents related to SAP Cybersecurity that happened within the last 5 years.

Incident 1. October 30, 2012: Attack via an SAP vulnerability on Greek Ministry of Finance

It was the first attack on SAP systems in the public eye. The Anonymous group claimed to have stolen confidential documents and credentials from the Greek Ministry of Finance. According to their statement on AnonPaste, the hack was intended as a protest against the worsening economic situation in Greece. Anonymous posted a compressed file with usernames and passwords. Anonymous said they had accessed IBM servers and that they had obtained an SAP zero-day exploit.

Although the ministry neither confirmed nor denied the attack, there is no reason to doubt that it was real. In any case, this incident illustrates that hackers were already interested in exploiting SAP systems 4 years ago.

Incident 2. November 2013: SAP malware

The first known malware targeting SAP dates from 2013. A Trojan program not only targeted online banking accounts but also contained special code to check whether the infected workstation had SAP client applications installed, i.e. the attackers might target SAP systems in the future.

To intercept important data, the malicious software used a traffic analyzer, a component that monitors web banking activities, and a screen grabber. It was designed to collect user input from various window forms, to gather certificate files from secure workflow systems, and to send this information to the attackers' server. Having already gained access to the infected workstation and detected that an SAP client was installed, the Trojan knew that the computer had access to an SAP server. It was capable of taking screenshots of logons into the SAP system and collecting critical system data. It also had keylogging functionality to steal passwords entered during logon. This information is enough to perform a lot of malicious actions on an SAP server, so it could also be sold to third parties.

Incident 3. January 2014: Attack on NVidia

In January 2014, the NVidia customer service website was probably attacked. The finder of the vulnerability that allowed the attack, who was from China and called himself Finger, claimed he had notified NVidia about the issue on November 21, 2013. On January 5, 2014, information about the vulnerability was posted on a Chinese vulnerability forum, where the issue was marked as “unable to contact the vendor or actively neglected by the vendor”. The NetWeaver vulnerability had been closed by SAP 3 years before the incident, but NVidia had never implemented the patch. On January 8, 2014, NVidia took the customer service website offline for two weeks for investigation.

NVidia is not an exception. Many SAP administrators don’t implement SAP Security Notes (the security patches released by SAP), as patching may seem arcane.

In the 3 years during which the attack could have taken place, SAP released more than 3500 Security Notes to close SAP vulnerabilities. Most of them can only be exploited by someone with access to the corporate network, but some attacks can be conducted from the Internet. If a company uses web-based modules such as Portal or CRM, it is recommended to update them in time.

Incident 4. May 2015: attack on USIS via an SAP vulnerability

On May 11, all security media exploded with news about an attack on USIS, a federal contractor that conducts background checks for DHS. The hack was potentially carried out by China-sponsored hackers. The breach dates back to 2013, when hackers broke into USIS by exploiting an SAP system managed by a third party.

As a result of the incident, the records of more than 27,000 personnel may have been compromised. USIS lost its contract with OPM, cut 2500 jobs, and the owner of USIS filed for bankruptcy. For more details, see the “CHINESE ATTACK ON USIS EXPLOITING SAP VULNERABILITY: DETAILED REVIEW AND COMMENTS” report.

Why can such attacks occur? To automate business processes, different modules have to be interconnected. ERPScan’s research revealed that the average number of connections in SAP systems is about 50, and 30% of them usually store credentials. Once attackers break into the weakest SAP module, they can easily get access to the connected systems, from them to further systems, and even to other organizations’ systems.
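The reasoning above can be turned into a concrete review exercise: treat every connection that stores a logon as an edge an attacker can traverse without knowing another password, and compute which systems each entry point exposes. The script below is an added illustration of that analysis and is not code from the article or from ERPScan; the system names and the connection inventory are constructed, and the `stores_credentials` flag is a hypothetical attribute standing in for whatever your RFC destination or web-service configuration records.

```python
"""Blast-radius analysis for interconnected SAP systems (added illustration).

Each entry in CONNECTIONS is (source, destination, stores_credentials): a
connection (e.g. an RFC destination or a web-service endpoint) defined on
`source` that points at `destination`.  Only connections that store logon
credentials let an attacker who controls `source` reach `destination`
without knowing any further password, so only those count as edges.
"""
from collections import deque

# Constructed sample inventory; the system names and links are hypothetical.
CONNECTIONS = [
    ("PORTAL", "ERP_PRD", True),
    ("PORTAL", "CRM_PRD", True),
    ("CRM_PRD", "ERP_PRD", True),
    ("ERP_PRD", "BW_PRD", True),
    ("ERP_PRD", "HR_PRD", False),       # prompts for logon: no stored credentials
    ("BW_PRD", "ERP_PRD", False),
    ("SOLMAN", "ERP_PRD", True),
    ("SOLMAN", "HR_PRD", True),
    ("SUPPLIER_EDI", "ERP_PRD", True),  # third-party system holding a stored ERP logon
    ("HR_PRD", "ERP_PRD", False),
    ("ERP_PRD", "CRM_PRD", False),
    ("CRM_PRD", "BW_PRD", False),
]


def build_graph(connections):
    """Directed adjacency list that keeps only edges with stored credentials."""
    graph = {}
    for src, dst, stores_credentials in connections:
        graph.setdefault(src, set())
        graph.setdefault(dst, set())
        if stores_credentials:
            graph[src].add(dst)
    return graph


def reachable_from(graph, start):
    """Systems an attacker controlling `start` can log on to via stored credentials."""
    seen = {start}
    queue = deque([start])
    while queue:                      # breadth-first walk over credential edges
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(connections):
    """Map each system to the set of systems exposed if that system is compromised."""
    graph = build_graph(connections)
    return {node: reachable_from(graph, node) for node in graph}


def most_exposed(connections):
    """Rank systems by how many other systems can reach them through stored logons.

    A high count marks a system whose compromise is one hop away from many
    footholds; it is where stored credentials should be replaced first.
    """
    radius = blast_radius(connections)
    counts = {node: 0 for node in radius}
    for reached in radius.values():
        for node in reached:
            counts[node] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def exposed_via(connections, entry_points):
    """Union of everything reachable from the given entry points.

    Entry points are systems an outsider can plausibly reach first, e.g. an
    Internet-facing portal or a third party's system that holds a logon.
    """
    radius = blast_radius(connections)
    exposed = set()
    for entry in entry_points:
        exposed |= radius.get(entry, set())
    return exposed


def credential_share(connections):
    """Fraction of connections that store credentials; compare with the ~30% the article cites."""
    if not connections:
        return 0.0
    return sum(1 for _, _, stored in connections if stored) / len(connections)


if __name__ == "__main__":
    for system, reached in sorted(blast_radius(CONNECTIONS).items()):
        print(f"{system:13s} -> {sorted(reached)}")
    print("most exposed:", most_exposed(CONNECTIONS)[:3])
    print("reachable from PORTAL and SUPPLIER_EDI:",
          sorted(exposed_via(CONNECTIONS, ["PORTAL", "SUPPLIER_EDI"])))
    print(f"connections storing credentials: {credential_share(CONNECTIONS):.0%}")
```

In the constructed inventory the system that is most exposed is not the ERP itself but the BW system behind it: every foothold that reaches ERP_PRD inherits its stored logon to BW_PRD. That is the point of the paragraph above in graph form, and the same walk over a real connection inventory tells you which stored credentials to replace by prompted or trusted authentication first.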

Incident 5. May 2016: US-CERT Alert about attacks on 36 SAP systems

On May 11, 2016, the Department of Homeland Security published the first-ever US-CERT Alert on the cybersecurity of SAP business applications. As stated there, attackers used an invoker servlet vulnerability in the SAP Application Server to penetrate 36 multinationals between 2013 and 2016. Exploitation of this vulnerability may give remote, unauthenticated cybercriminals full access to the affected SAP systems.

The news was based on information from Chinese forums where researchers shared details about public systems that have vulnerabilities. Therefore, it is not certain that all of the vulnerable systems are examples of real cyberattacks, but there is indirect evidence that such attacks can be performed remotely. For example, one of the network sensors of our global threat intelligence platform recently (on 12/4/2016, 14:19-14:20) identified an attack attempt exploiting a similar kind of issue, though it was the only example, against a single sensor.

The matter here is not only the verified fact of the attacks but the number of systems susceptible to this issue. In addition to the 36 systems stated in the US-CERT report, we identified approximately 533 systems worldwide that are potentially vulnerable to one of the Invoker servlet vulnerabilities. Taking into account that most of them belong to Fortune 2000 companies, it is quite a critical issue to discuss. Those who want to know more about the attack should read the “Was it a real cyberattack on SAP using invoker servlet” article.

Even the topic of SAP security incidents alone (not to mention SAP cybersecurity in general) is too large to be covered in one article, so the aim was not to provide an exhaustive review of SAP cybersecurity incidents. In terms of practice, the essential part is 3 takeaways for CISOs on how to keep SAP applications as secure as possible:

  • When it comes to advanced cyberattacks, you can’t rely only on traditional security solutions.
  • You can’t be sure that SAP Applications are secure unless you really monitor them from all angles: Vulnerability Assessment, Custom code security, SoD - every area should be on the radar.
  • Most important for business applications is that they are highly interconnected, so the problem is not only the security of the infrastructure but also that of all your external connections and their secure configuration, as well as 3rd party security.

And finally, remember a system is only as secure as its weakest link.

Stories by Alexander Polyakov