Chinese hackers most likely used one of the three most common SAP exploits, as identified by Onapsis, to compromise US agencies

The Hill reported on November 3, 2014 that Chinese hackers roamed unnoticed for months inside the network of USIS, the biggest commercial provider of background investigations to the U.S. federal government.[1] Two of the company's biggest customers were the Department of Homeland Security (DHS) and the Office of Personnel Management (OPM). The company performs several thousand secret background investigations per month; this fact came to public attention after two well-known cases: the background investigations of Aaron Alexis (the Washington Navy Yard shooter) and Edward Snowden (who disclosed top secret materials from the National Security Agency). On August 6th, 2014, USIS published a press release stating that it had been hacked by an external entity and that it suspected a state-sponsored attack (

Much has been said about this breach, especially its consequences: federal agencies (DHS, OPM) suspended their government contracts, costing USIS millions of dollars and leading to the layoff of thousands of investigators [1]. Initially, the date and scope of the attack, as well as the information exposed, were not specified. It was later confirmed that the internal records of at least 25,000 Department of Homeland Security employees, as well as undercover investigators, were exposed during this attack, including Social Security numbers, education and criminal history, birth dates, marital information, other relatives and friends, names and addresses [2]. After the breach, USIS hired the digital forensics company Stroz Friedberg to perform the investigation. In September 2014, a letter from Stroz read: "The initial attack vector was a vulnerability in an application server, housed in a connected, but separate network, managed by a third party not affiliated with USIS." Earlier this week, this attack drew attention again when Nextgov [3] published some details of the report produced by the forensics firm in December 2014.

The original report claimed: "Forensic evidence shows the cyberattacker gained access to USIS systems through an exploit in a system managed by a third party, and from there migrated to company managed systems. . . . Our findings were largely informed by a variety of logs, including, firewall logs, security event logs, VPN logs, and SAP application trace logs." USIS spokeswoman Ellen Davies also said of the report that "the third-party contractor was hacked and the hacker was then able to navigate into the USIS network via the third party's network." According to The Hill [4], the forensics report points to an SAP vulnerability as the hackers' way in. Moreover, several sources [1][4][9][10] attribute this state-sponsored attack to Chinese hackers. In March 2014, hackers who had penetrated computers at the Office of Personnel Management were traced to China; that attack targeted the files of tens of thousands of employees who had applied for top-secret security clearances [5]. This time, investigators are saying the USIS attack shares several hallmarks with past Chinese intrusions such as the one at OPM [1].

This breach illustrates a reality that is rarely reported in mainstream news: cyber-attacks on SAP systems are used to retrieve critical and confidential information. Attackers were able to access the USIS network in late 2013 but were not discovered until June 2014 [6]. This means the attackers had at least six months of access to internal and sensitive information without being noticed. The damage is difficult to estimate and shows the current lack of awareness of how SAP systems must be protected and monitored. The report states that the vulnerability is "present in a widely used and highly-regarded enterprise resource planning ('ERP') software package"; however, it gives no details about the specific vulnerability or set of vulnerabilities used to compromise the SAP system. Since the attack originated in late 2013, it is important to analyze the known vulnerabilities that SAP had patched by that time, as well as the vulnerabilities patched after that date, which would indicate the possible use of 0-day exploits. Since the details are unknown, there is no way to determine whether the attackers used an exploit for a vulnerability SAP had not yet patched, or whether USIS failed to apply a patch for a well-known one. According to the articles and research, the USIS attackers exploited this SAP vulnerability externally in order to access the company network. Once inside the network, they used the compromised system to pivot to other systems.

Onapsis also recently released a study on the top three SAP cyber-attacks, one of which focuses on "pivoting" between SAP systems [11][12][13][14]. This is a common approach used by attackers to gain access to employee data, customer information or even credit card data. The attack begins with a pivot from a system with lower security, such as a development or QA system, to a critical system, in order to execute remote function modules on the destination system. SAP systems are connected to the Internet, and a single weak link is all attackers need to start pivoting between systems and then move through the internal network. This matches the behavior described for the USIS hackers. SAP systems have always been a target for hackers, as they run the most critical and sensitive processes of the largest companies and government agencies in the world. Examples such as the USIS breach show the importance of protecting SAP systems and dispel the false idea, often heard from SAP administrators, that business-critical applications are "internal and isolated". SAP itself has acknowledged the criticality of this topic, presenting it at its own conference, SAP TechEd 2014, and presenting cyber-crime related talks at SAP SAPPHIRE 2015, such as "SAP Runs SAP – How to Hack 95% of all SAP ABAP Systems and How to Protect them". Hackers are knocking on the doors of our business-critical applications.

As these kinds of attacks increase, companies should take the next steps in business-critical application security. Onapsis Research Labs, experts in this field since 2006, has been tracking other examples of this common attack vector in the wild and will publish a report at a later date. In the meantime, attackers are moving faster, and companies and governments need to be prepared: automated, continuous monitoring and real-time security measures are the next step to mitigate these ever-evolving threats. To discuss this issue in greater detail, Onapsis will host a webcast on Thursday, May 21st at both 9:00 A.M. EST and 2:00 P.M. EST. For more information, or to register, please click here.

[11]: Onapsis SSID - Volume IV: The Invoker Servlet – A Dangerous Detour into SAP Java Solutions

[12]: Onapsis SSID - Volume V: Our Crown Jewels Online – Attacks targeting SAP Web Applications

[13]: Onapsis SSID - Volume VI: Securing the Gates to the Kingdom – Auditing the SAProuter

[14]: Onapsis SSID - Volume VII: Preventing Cyber-attacks Against SAP Solution Manager
