Chinese government-backed hackers, linked to the “Typhoon” groups, launched a large cyberattack on SAP systems in early 2025 by exploiting a then-unpatched flaw in SAP NetWeaver. They broke into at least 581 SAP servers around the world, planting backdoors and hiding their tracks. These hackers targeted big companies and even governments, aiming not just to steal but to spy and disrupt. The attack caused chaos—making systems slow and unreliable, leaving businesses worried and scrambling to recover. This wasn’t a quick hit for money, but a patient, sneaky operation that left a lingering sense of danger across the digital world.
What happened in the recent Chinese state-sponsored cyberattacks on SAP systems?
Shadows over the SAP Landscape
If you’d told me six months ago that SAP’s NetWeaver Visual Composer would become the epicenter of a global cyber maelstrom, I’d have smirked, sipped my lukewarm coffee, and muttered, “Come on, that can’t be.” Yet, here I am, tracing the jagged fault lines of a rapidly expanding cyberattack that — like a persistent foghorn in a data center at 3 a.m. — refuses to be ignored.
This isn’t just another security flare-up. Since early 2025, a coordinated campaign has targeted SAP systems worldwide, with industry detectives like EclecticIQ and Forescout connecting the digital breadcrumbs straight to Chinese state-aligned actors. The numbers are sobering: at least 581 SAP NetWeaver instances have been compromised (blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures). I’d call that a tsunami, not a ripple. SAP S/4HANA shops, financial stalwarts, and even a few government enclaves are in the blast radius.
Just last week, I received a frantic ping from a former colleague at a logistics firm, describing a system behaving like an old engine coughing up smoke: sluggish, inexplicably erratic, and noisy in all the wrong places. Turns out, they were already part of the statistics. Oof, the anxiety in their voice was palpable.
Anatomy of a Breach: Zero-Days and Living-Off-the-Land
Let’s slice open the technical palimpsest. The attackers zeroed in on a freshly unearthed vulnerability — CVE-2025-31324, rated CVSS 10.0 — in SAP’s NetWeaver Visual Composer. The flaw is a missing authorization check in the component’s Metadata Uploader: an unauthenticated attacker can upload arbitrary files to the server, drop a JSP webshell, and run commands with the privileges of the SAP application. It’s like giving a stranger the master keys to your data warehouse, then hoping they just want to sightsee.
Security analysts traced at least 787 IP addresses to the attackers’ infrastructure, much of it fronted with Cloudflare-like TLS certificates and hosted on Chinese hyperscalers. And the tools? This motley crew brought along SuperShell (a backdoor), Cobalt Strike, and SoftEther VPN — software both revered and feared in red-team circles. Living-off-the-land techniques (using the utilities already present on the host, SAP’s own tooling and OS binaries, instead of dropping custom malware) let them blend into the system’s hum, the way a counterfeit note hides in a stack of rubles.
The attackers didn’t stop there. They brute-forced privileged SAP accounts and exploited garden-variety misconfigurations. And, in a plot twist worthy of Dostoevsky, the flaw was being exploited in the wild before a fix existed, and public exploit code appeared mere days after SAP shipped the patch (Futurum Group). Blink, and you might miss the window.
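The exploitation chain described above leaves a recognizable two-step trace in the SAP front end’s HTTP access logs: a POST to the Metadata Uploader endpoint, followed by requests to a JSP file under the portal web root as the dropped webshell is driven. The script below is an added example, not from the original post or from any vendor report, that hunts for that pattern. The log layout (a common-log-style line) and the sample lines are constructed for the example; the endpoint path and the portal directories are the ones named in public advisories for this CVE, and the webshell filename is made up.

```python
"""Hunt for the CVE-2025-31324 exploitation chain in HTTP access logs.

Added example. Looks for an unauthenticated POST to the Visual Composer
Metadata Uploader endpoint, then for requests to .jsp files under the
portal web root (a webshell being driven). Log layout and sample lines
are constructed; the endpoint and directories come from public advisories.
"""
import re
from datetime import datetime, timedelta

# Assumed layout: client_ip [dd/Mon/yyyy:HH:MM:SS] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

UPLOADER = "/developmentserver/metadatauploader"        # endpoint abused by the CVE
SHELL_DIRS = ("/irj/root/", "/irj/work/", "/irj/work/sync/")  # reported drop locations
WINDOW = timedelta(hours=24)  # how long after an upload a JSP hit is linked to it

# Constructed sample log: one benign portal user, one upload attempt pair,
# one webshell invocation from a different address, one benign static file.
SAMPLE_LOG = """\
203.0.113.10 [01/May/2025:02:14:05] "GET /irj/portal HTTP/1.1" 200 5123
198.51.100.7 [01/May/2025:02:15:31] "POST /developmentserver/metadatauploader HTTP/1.1" 200 88
198.51.100.7 [01/May/2025:02:15:32] "POST /developmentserver/metadatauploader HTTP/1.1" 500 0
192.0.2.44 [01/May/2025:02:17:02] "GET /irj/root/helper.jsp?cmd=whoami HTTP/1.1" 200 312
10.0.0.5 [01/May/2025:09:00:00] "GET /irj/portal/favicon.ico HTTP/1.1" 200 1406
"""


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S")
    e["status"] = int(e["status"])
    return e


def _summary(e):
    return {"ip": e["ip"], "path": e["path"], "ts": e["ts"].isoformat(), "status": e["status"]}


def hunt(lines):
    """Return findings in time order. Kinds:
    uploader_post      - POST to the Metadata Uploader (likely_successful if HTTP 200)
    webshell_request   - .jsp under a portal dir, preceded by an uploader POST in WINDOW
    jsp_in_portal_dir  - .jsp under a portal dir with no linked upload (still worth a look)
    The upload and the webshell use are correlated across all client IPs, because
    uploading from one address and driving the shell from another is common.
    """
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    findings, upload_times = [], []
    for e in events:
        path = e["path"].split("?", 1)[0].lower()  # drop the query string for matching
        if e["method"] == "POST" and path.startswith(UPLOADER):
            upload_times.append(e["ts"])
            findings.append({"kind": "uploader_post",
                             "likely_successful": e["status"] == 200, **_summary(e)})
        elif path.endswith(".jsp") and path.startswith(SHELL_DIRS):
            linked = any(timedelta(0) <= e["ts"] - t <= WINDOW for t in upload_times)
            findings.append({"kind": "webshell_request" if linked else "jsp_in_portal_dir",
                             **_summary(e)})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f)
```

Run it against real ICM or web dispatcher access logs by feeding the lines to `hunt()`; a `webshell_request` finding is a strong signal, while a lone `jsp_in_portal_dir` may be legitimate content and needs a check of the file’s creation time against the patch date.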
The Typhoon Connection: Old Names, New Tricks
Why does this smell so familiar? Well, experts have pegged the operation to China-nexus clusters tracked as UNC5221, UNC5174, and CL-STA-0048, plus a newcomer Forescout calls Chaya_004. The tactics echo the Microsoft-tracked “Typhoon” groups — Salt Typhoon, famous for their espionage tenacity, and Volt Typhoon, whose penchant for pre-positioning inside U.S. infrastructure reads like a slow-burning Cold War thriller (War on the Rocks).
Here’s the point: this isn’t some kid in a basement. These are operators who treat patience like a fine Pu-erh — cultivated, aged, and sipped quietly while waiting for the opportune moment. I had to stop and ask myself: Have I ever underestimated the staying power of state-backed campaigns? Regrettably, yes — back in 2022, I assumed a breach was just ransomware. Lesson learned; always check for the long game.
Consequences and the Human Cost
The fallout is as textured as a sandpapered server rack. Businesses — from manufacturing to finance to government — face more than just data loss. There’s operational disruption, regulatory headaches, and the gnawing ache of lost trust. Partners like Customertimes now have to reassure clients that their SAP ecosystems aren’t leaky rowboats in a storm.
What stings most? The realization that these breaches aren’t always about quick cash. State-aligned actors aim for persistence — to surveil, sabotage, or simply hold a Sword of Damocles over critical systems. It’s espionage with the slow-burn aroma of geopolitics, not the acrid stench of ransomware panic.
One morning, as I scrolled through logs over my third espresso, I caught the faintest whiff of ozone — that electric, pre-storm tang — and realized that these incidents aren’t easily contained. They linger, like a ghost in the machine. Frustration? You bet. But also a weird, grim admiration for the adversary’s craft.
Shoring Up Defenses: What Now?
SAP, for its part, has deployed emergency patches and blared advisories urging everyone to patch now and audit yesterday (Cybersecurity Dive).