Why and how hackers consistently target SAP systems

Jan. 20, 2023
Businesses must accept the possibility of attacks at any time and from any angle

The internet is flooded with accounts of businesses that have experienced outages or data theft due to cyber-attacks. Often it is unclear whether, and to what extent, SAP systems were impacted. However, it is essential to remember that SAP ERP application systems are a target for attackers because they contain personal information such as credit card numbers, payment information, and much more. When an attack targets an SAP customer, it is therefore reasonable to suspect that stolen data came from enterprise-critical SAP applications. It is generally not publicly disclosed when a specific company has suffered a cyber incident involving the infiltration of its SAP application, because of the sensitive nature of such incidents and the potential damage to the company's reputation and financial performance if they were made public. It is a pity that not all SAP attacks are transparently disclosed. Several SAP cyberattacks have nevertheless been publicly disclosed:

●    Greek Finance Ministry - In October 2012, one of the earliest recorded hacks on SAP systems took place. The hacker collective Anonymous released private documents and login information from the Greek Finance Ministry. Although reports indicated that the data source was SAP, showing the hackers' interest in SAP, it is only partially evident from the public material how they managed to breach the SAP systems.

●     NVIDIA - NVIDIA's customer support website was the target of a cyberattack in January 2014 because the corporation had failed to apply a patch made available three years earlier. As a result, the customer support website was taken offline for two weeks. Although the hack did not cause a data leak, the outage of the Customer Care Portal cost NVIDIA some credibility.

●     USIS (US Investigation Services) - On May 11, 2015, news broke of a compromise by Chinese hackers made possible by a flaw in SAP software. An internal USIS probe found that a flaw in software from SAP, which USIS used to manage several back-office functions such as human resources, gave the attackers access to the business.

How Are Hackers Entering SAP Systems?

Most organizations adhere to strict security standards such as ISO, BSI, and NIST, but these standards only provide a framework for building security into an SAP system. It is a prevalent misconception that these standards cover SAP security governance entirely, on the grounds that SAP is just another information-processing system. Most standard measures do not fully address the complexity of SAP systems, and leaving these areas uncovered has significant ramifications. Although a business may adhere to information security guidelines and fulfill the primary requirements for most systems, SAP environments are often managed solely by the SAP Basis team, which creates a risky and isolated operational silo.

Attackers know of an entry point into SAP at the application layer: introducing malicious files. This attack vector lies in the application's critical path, because attaching supporting documents to transactions is a common requirement in business processes backed by SAP applications.

Many SAP customers mistakenly believe that the Endpoint Detection and Response (EDR) software installed at the OS layer will safeguard the SAP applications. This is not necessarily true, even if EDR software is installed on every endpoint. Attackers may still be able to upload files into SAP applications in a way that circumvents these OS-level security measures, posing a severe risk to internal and external users. Such uploads also jeopardize the SAP application's security and integrity and the vital data it stores and processes. Additionally, some SAP customers avoid installing any EDR or anti-malware software at the OS layer of the SAP system at all. Traditional anti-malware cannot detect or stop many of these threats because, strictly speaking, the uploaded files are not malware: features such as active content or embedded scripts are legitimate document characteristics that become exceedingly risky when they reach mission-critical applications, which makes the situation worse.
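The two paragraphs above argue that a document can be "valid" from an anti-malware point of view and still be dangerous once it is attached to a business transaction. The following is an added example, not code from the original article or from SAP, of the kind of content-based inspection an application-layer upload filter would apply: it checks that the bytes match the declared extension, looks for active content in PDFs (JavaScript, OpenAction, Launch, embedded files), detects VBA macro projects inside Office (OOXML) packages, and flags script elements hidden in files renamed to an allowed extension. All file names, the allowlist and the sample documents are constructed for the example; the checks are illustrative and would sit in front of whatever attachment API the SAP application exposes.

```python
"""Content-based inspection of documents attached to business transactions.

Added example (not SAP code): every allowlist entry, sample file and
finding string below is constructed for illustration.
"""
import io
import re
import zipfile

# Leading bytes of the formats we accept (constructed allowlist).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",  # docx/xlsx/pptx are ZIP containers (OOXML)
}
OFFICE_EXTS = {"docx", "xlsx", "pptx"}
ALLOWED_EXTS = {"pdf", "png", "jpg", "jpeg"} | OFFICE_EXTS

# PDF features that are legitimate but carry active content.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile")


def declared_extension(filename):
    """Lower-cased extension the uploader claims, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def sniff(data):
    """Classify content by magic bytes, ignoring the file name entirely."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_upload(filename, data):
    """Return a list of findings; an empty list means the attachment passed."""
    findings = []
    ext = declared_extension(filename)
    if ext not in ALLOWED_EXTS:
        findings.append(f"extension .{ext} not in allowlist")

    # 1. Declared type must agree with what the bytes actually are.
    kind = sniff(data)
    expected = "jpg" if ext == "jpeg" else ("zip" if ext in OFFICE_EXTS else ext)
    if kind != expected:
        findings.append(f"content looks like {kind}, not {ext}")

    # 2. A structurally valid PDF may still carry active content.
    if kind == "pdf":
        for marker in PDF_ACTIVE_MARKERS:
            if marker in data:
                findings.append(f"PDF contains {marker.decode()}")

    # 3. OOXML packages: macro projects and hostile member names.
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            findings.append("corrupt OOXML container")
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("OOXML package contains a VBA macro project")
        if any(n.startswith("/") or ".." in n for n in names):
            findings.append("archive member with path-traversal name")

    # 4. HTML/SVG renamed to an allowed extension: script elements in the prefix.
    if re.search(rb"<\s*script", data[:65536], re.IGNORECASE):
        findings.append("contains a <script> element")
    return findings


def is_acceptable(filename, data):
    """Gate used by the upload handler: True only when nothing was flagged."""
    return not inspect_upload(filename, data)


def build_ooxml(members):
    """Build an in-memory ZIP so the example can construct Office samples offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real customer documents).
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
JS_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript "
          b"/JS (app.alert(1)) >> >> endobj\n%%EOF\n")
HTML_AS_PDF = b"<html><body><script>alert(document.cookie)</script></body></html>"
CLEAN_DOCX = build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
MACRO_DOCX = build_ooxml({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})

if __name__ == "__main__":
    for name, blob in [("invoice.pdf", CLEAN_PDF), ("invoice.pdf", JS_PDF),
                       ("report.pdf", HTML_AS_PDF), ("po.docx", CLEAN_DOCX),
                       ("po.docx", MACRO_DOCX), ("tool.exe", b"MZ\x90\x00")]:
        print(name, "->", inspect_upload(name, blob) or "OK")
```

Byte-level markers are deliberately simple: a production filter would parse the PDF object graph rather than grep for names, and would treat a declared-versus-sniffed mismatch as a hard reject rather than one finding among several.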

Organizations must consider all risk perspectives, security definitions, and appropriate methods to provide comprehensive SAP security protection. If only one of these areas is considered and implemented, the company will be neither adequately protected nor equipped with clear best-practice operational rules. Unfortunately, the reality is that there is a gap between a company's high-level SAP framework standards and the actual SAP security settings that must be implemented and monitored to protect the organization. This can occur for various reasons, including a lack of resources or expertise, a lack of awareness of the importance of SAP security, or a lack of understanding of how to properly configure and maintain SAP security settings. Organizations must prioritize implementing and monitoring appropriate SAP security measures to protect themselves and their stakeholders from potential threats and vulnerabilities.

Who Are SAP Cyber Attackers?

Cyber attackers are commonly portrayed as malicious programmers trying to penetrate your primary system over the network. Knowing the structure of SAP systems, it is clear that this definition is too narrow. In addition to the network (the internet), cybercriminals also use extortion, bribery, and social engineering. These attackers covertly enter the targeted organization's SAP environment using a range of tactics, techniques, and procedures (TTPs).

SAP cyber attackers take on a variety of personas depending on their objectives and attack strategy. In our research, we broadly categorized the following types:

  1. Script Kiddies – Script Kiddies are amateurs who study online and use ready-made tools to break into a system. Since SAP is a complicated environment without many comprehensive help pages, these newcomers are usually harmless and do not seriously disrupt SAP systems. Even though more public ready-to-use SAP exploits exist today, the entry barrier for Script Kiddies is still relatively high. Script Kiddies love a challenge and look for the thrill that comes with it; over time they may gain experience and become professional hackers.
  2. Cybercriminals – These attackers, who can be a single person or a gang, seek access to the victim's private data. Typically, they take over the SAP system to access data they can sell for money.
  3. Hacktivists – For example, recall the Greek Finance Ministry's SAP breach, where hacktivists conducted nefarious and dishonest acts to advance a political objective. Digital disobedience conducted for a cause is known as hacktivism. They don't want financial gain; they fight for justice. However, sometimes they work together with bad-actor insiders to reveal private information.
  4. Nation-State Hackers – These attackers work for or on behalf of a government to compromise important businesses that manage vital societal infrastructure, like power grids. They want to steal confidential information, harm rival facilities, or start an international incident. They try to destroy all evidence while employing highly skilled attack strategies against their adversaries. Some of these attackers are patriots who seek to improve the country's situation by severely harming their enemies.
  5. Insiders – Insider attacks, particularly on SAP, are the most frequent attacks that harm companies. Here it is necessary to distinguish between insider attacks that are malicious, unintentional, and insignificant. Malicious attacks are the most dangerous because they frequently go undetected: they appear without warning and may take advantage of weaknesses such as the SAP transport supply chain problem. Internal and external employees may be coerced, bribed, or threatened into doing things that harm their employer; a malicious attack may also come from workers who act on their own because they disagree with the employer's actions, for example for political reasons.

SAP cyber attackers come from all walks of life and have various goals. Some attackers want to make a quick buck, while others just want to have fun or cause trouble. Of course, well-funded SAP cyber attackers who aim for a tactical end, such as espionage, are especially dangerous. The stereotype of the SAP cyber attacker is untrue: they do not sit in a dimly lit room in front of numerous screens, preferably wearing a black hoodie. Businesses must accept the possibility of attacks at any time and from any angle. Creating an individual risk profile and determining the attack surface will therefore help companies implement effective defenses.

About the author: Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge, a global SAP security provider, serving many of the world's leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and real-time detection of cyber attacks. Before SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.