Full Report
Researchers at EclecticIQ assess with high confidence that, in April 2025, China-nexus nation-state APTs (Advanced Persistent Threats) launched... The post EclecticIQ details Chinese state-backed hackers launch global attacks on critical infrastructure via SAP vulnerability appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: China-Nexus Nation-State APTs (Likely UNC5174)
## Attribution & Identity
**Attribution:** High confidence China-nexus nation-state Advanced Persistent Threat (APT) actor(s).
**Associated Groups/Aliases:** UNC5221, UNC5174, CL-STA-0048.
**Affiliation:** Intelligence suggests linkage to China’s Ministry of State Security (MSS) or affiliated private entities. UNC5174 was previously linked to exploitation of F5 BIG-IP (CVE-2023-46747) and ConnectWise ScreenConnect (CVE-2024-1709). CL-STA-0048 is tracked by Unit 42 and has a history of targeting strategic sectors in South Asia.
## Activity Summary
In April 2025, these actors launched high-tempo exploitation campaigns targeting critical infrastructure networks globally, specifically focusing on vulnerabilities in SAP NetWeaver Visual Composer. The primary method involved exploiting **CVE-2025-31324**, an unauthenticated file upload vulnerability leading to Remote Code Execution (RCE). Analysis of attacker-controlled, publicly exposed infrastructure (opendir) revealed mass reconnaissance scans (using Nuclei) against exposed SAP NetWeaver instances, successful exploitation logs, and deployment of Webshells for persistence. The actors conduct reconnaissance post-exploitation, primarily focusing on identifying backup details for lateral movement and mapping SAP-specific applications. The consistent infrastructure, malware reuse (SNOWLIGHT downloader, VShell), and tactical overlap provide strong evidence linking the activity to UNC5174.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer (**CVE-2025-31324**).
- **Reconnaissance/Scanning:** Mass internet scanning using **Nuclei** to identify vulnerable SAP NetWeaver systems.
- **Execution:** Remote Linux command execution via deployed **Webshells** post-exploitation.
- **Persistence:** Deployment of **Webshells** to maintain remote access.
- **Defense Evasion:** Use of **in-memory implants** and **runtime evasion tactics** (observed in related UNC5174 activity).
- **Command and Control (C2):** Use of the **ping command for DNS beaconing**.
- **Lateral Movement:** Identifying backup details and metadata in SAP systems to facilitate movement.
- **Tooling Overlap:** Known reuse of the **SNOWLIGHT downloader** and use of **VShell** in cloud/container environments.
- **MITRE ATT&CK IDs:** Not explicitly provided, but associated tradecraft suggests techniques across Initial Access, Execution, Persistence, and Command and Control.
## Targeting
- **Sectors:** Critical Infrastructure (CI), encompassing natural gas distribution, water/waste management, advanced medical device manufacturing, upstream oil and gas exploration/production, and government entities (financial regulation/investment strategy).
- **Geography:** Global targeting observed, specifically noted in the **U.K.** (gas/water/waste), **U.S.** (medical devices/oil & gas), and **Saudi Arabia** (government ministries).
- **Victims:** Critical infrastructure operators and government-affiliated entities vital to public welfare and national resilience.
## Tools & Infrastructure
- **Malware families used:** **SNOWLIGHT downloader** (noted in broader UNC5174 context), **Webshells** (post-exploitation), **VShell** (observed by Sysdig in related environments).
- **Infrastructure (C2, domains, IPs):** Attacker-controlled server hosted at IP address `15.204.56[dot]106` exposed detailed logs via an open directory. Tools utilized include **Nuclei** for scanning.
## Implications
This campaign signifies a sustained, strategic cyber-espionage effort by China-linked APTs against high-value enterprise and critical infrastructure systems. Compromise of SAP systems grants high-privilege access that bridges IT networks with integrated ICS/OT environments, raising a severe risk of long-term espionage, surveillance, and potential disruption of essential services during geopolitical crises. The actors seek foundational access for strategic advantage (military, intelligence, economic).
## Mitigations
- Immediately patch or mitigate vulnerabilities in SAP NetWeaver Visual Composer, specifically addressing **CVE-2025-31324**.
- Review critical SAP systems for signs of Webshell deployment or evidence of post-exploitation activity such as remote command execution or unusual use of the **ping command** for DNS tunneling/beaconing.
- Implement stringent network segmentation between IT and OT/ICS environments, especially where SAP systems serve as integration points.
- Monitor for lateral movement attempts targeting backup metadata on enterprise systems.
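As an added example (not code from the EclecticIQ report or Industrial Cyber), the following Python snippet shows one way to hunt for the ping-based DNS beaconing named in the TTPs and mitigations above: it parses constructed process-audit lines, extracts the destination of each `ping` invocation, and flags hostnames whose leftmost label is long and high-entropy, which is how data is typically carried inside a query name. The log format, hostnames (reserved `.test` TLD) and thresholds are assumptions.

```python
import math
import re
import shlex

# Constructed sample audit lines (not from the report); two mimic data
# smuggled in a DNS label via ping, the others are ordinary pings.
SAMPLE_LOG = """\
2025-04-02T10:14:05Z host=sap-app01 user=sapadm cmd="ping -c 1 10.0.3.7"
2025-04-02T10:14:09Z host=sap-app01 user=sapadm cmd="ping -c 1 4a7f3c9e1b2d5e8f0a1b.beacon-placeholder.test"
2025-04-02T10:15:31Z host=sap-app01 user=sapadm cmd="/bin/ping -c 1 -W 1 c2VzcGlkLTAwMS1ob3N0.beacon-placeholder.test"
2025-04-02T10:16:00Z host=sap-app02 user=ops cmd="ping -c 3 monitoring.corp.test"
"""

LINE_RE = re.compile(r'host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"')
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking (hex/base64) labels score high."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def ping_target(cmd: str):
    """Destination of a ping command line, or None if the command is not ping."""
    argv = shlex.split(cmd)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ping":
        return None
    # ping takes its destination as the last non-option token
    positional = [a for a in argv[1:] if not a.startswith("-")]
    return positional[-1] if positional else None

def is_beacon_like(target: str, min_len: int = 12, min_entropy: float = 3.0) -> bool:
    """Heuristic: flag hostnames whose leftmost label looks like encoded data."""
    if IPV4_RE.match(target) or "." not in target:
        return False
    label = target.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def scan_log(text: str) -> list:
    """Return (host, user, target) for each ping that looks like DNS beaconing."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        target = ping_target(m.group("cmd"))
        if target and is_beacon_like(target):
            hits.append((m.group("host"), m.group("user"), target))
    return hits
```

The thresholds are heuristic; in practice pair this with a count of distinct query names per parent domain over a time window, which also catches beacons that use short labels.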