From Automated Scans to Hands-On-Keyboard

China-Nexus APTs Exploited SAP NetWeaver to Breach Critical Infrastructure Networks

In April–May 2025, China-nexus nation-state APT groups exploited SAP NetWeaver vulnerabilities to breach energy and water utility networks across EMEA and the US. Analysis of an attacker-controlled open directory revealed TXT files named in Mandarin that contained a list of victims and the attacker’s bash history. These artifacts allowed analysts to reconstruct the complete cyber kill chain, from mass scanning to hands-on-keyboard operations.

Attendees will learn how these intrusions enable cyber espionage and provide the potential capability for disruptive operations that could be leveraged in support of the People’s Republic of China’s strategic interests during geopolitical crises. I will detail how the adversaries pivoted into cloud networks and OT environments while also explaining how intelligence sharing with national CERTs and affected organizations helped disrupt further compromise. Attendees will gain both technical detection opportunities and lessons for operationalizing intelligence sharing to protect critical infrastructure networks.