Understanding Threat Actors Attacking SAP with Onapsis
Key Takeaways
⇨ The CH4TTER report by Onapsis highlights the persistent and evolving threats to SAP systems, emphasizing that merely patching vulnerabilities is insufficient in safeguarding against active threats.
⇨ Regular penetration testing is crucial, as many organizations are unaware of their SAP systems' vulnerabilities; Onapsis's testing often reveals full compromises during initial assessments, urging companies to adopt proactive cybersecurity measures.
⇨ Education and awareness are essential in the SAP security landscape; Onapsis's resources, such as the dedicated cybersecurity book and on-demand webinars, provide practical insights and guidance to help organizations navigate evolving threats.
In April 2024, Onapsis released its groundbreaking report ‘Ch4tter: Threat Actors Attacking SAP for Profit.’ In conjunction with Flashpoint, Onapsis provided a comprehensive study on the threats that SAP organizations face. One year later, the research is as relevant and important as ever, as SAP security remains a critical concern for businesses.
The research has shown that, despite longstanding warnings from CISA, SAP, and Onapsis itself, many organizations were unaware of the real and evolving threats to their SAP landscapes. However, the release of the CH4TTER report marked a turning point—business leaders and IT professionals became more receptive to actionable intelligence that clarified the true risks and vulnerabilities within SAP systems.
Understanding the Research
The report resonated with organizations because it provided visual, data-driven insights—such as ransomware trends and botnet attack anatomy—that executives could use to advocate for increased cybersecurity investment. These tools helped teams validate SAP systems as legitimate attack surfaces, communicate risks to boards, and implement improved monitoring and defense strategies.
Importantly, the research showed that simply patching known vulnerabilities is not enough. Threats remain active and dynamic. A notable example is CVE-2017-12637, a vulnerability added to CISA’s Known Exploited Vulnerabilities (KEV) list as recently as March 2025, proving that even older flaws are still exploited today.
Onapsis’ ongoing Anatomy of an Attack research has been instrumental in helping organizations understand the behavior and goals of attackers. Beyond traditional targets like financial data and personal information, attackers are now using SAP systems to launch indirect attacks on other businesses—masking their origin and potentially implicating innocent companies. One real-world consequence of this was Stoli’s bankruptcy, which cited a ransomware attack affecting its SAP systems as a contributing factor.
Finding Solutions
To better protect against such outcomes, Onapsis strongly advocates for regular penetration testing (pentesting). Their experience shows that most organizations are unaware of how vulnerable their SAP systems truly are—Onapsis often achieves full compromise during initial tests. These findings often shock executives but also highlight the value of consistent testing and proactive cybersecurity strategies.
Onapsis has continued in its mission to help educate the public about the potential threat that SAP systems face. Recently, at the SAPinsider Vegas 2025 event, it announced the release of the first-ever dedicated SAP cybersecurity book ‘Cybersecurity for SAP.’ Authored by JP Perez-Etchegoyen and Gaurav Singh, this resource aims to fill a long-standing knowledge gap by offering practical lessons and guidance.
Onapsis has also provided an on-demand webinar that offers SAP organizations insights and actionable advice for navigating the cloud more securely. In the webinar ‘Securing SAP in the Cloud: Best Practices to RISE Above for Enterprise Success,’ Onapsis and Capgemini provide an update on the threats in the SAP landscape, as well as best practices to help overcome them.
What This Means for SAPinsiders
SAP investments are worth protecting. Companies should not underestimate the complexity or frequency of attacks on SAP landscapes, nor should they overlook the potential financial and reputational damage an attack can cause.
Trust experience to keep you safe. With threats constantly evolving, organizations should have a supportive network to ensure safety. Companies should pay attention to the latest releases from sources like Onapsis to ensure that they are aware of the latest developments in the SAP security landscape.
Adopt a learning mentality. External threats will always be a challenge that companies should overcome. The best way to do this is to prepare internally. Ongoing research, regular security assessments, better board-level communication, and investment in cybersecurity expertise are critical for businesses to protect themselves and the broader digital economy.