State-Sponsored Cyber Attacks: An Increasing Threat to SAP Solutions

Layer Seven on February 24, 2026

State-sponsored cyber attacks are an increasing threat to organizations amid rising geopolitical tensions. According to the 2025 State of Information Security Report, 88% of cybersecurity and information security leaders express concern over state-sponsored cyber attacks. The concerns are driven by recent dramatic increases in the volume of threat activity attributed to state sponsored threat actors.

According to the CrowdStrike 2025 Global Threat Report, China-nexus threat activity increased by 150% across sectors, with 200–300% increases in key industries including financial services, media, manufacturing, and engineering. CrowdStrike also identified seven new China-nexus adversaries, indicating broader and more specialized operations. The 2026 Global Threat Report reported a 266% increase in intrusions by state-nexus threat actors in cloud environments.

The 2025 Digital Defense Report from Microsoft identified a significant escalation in Russian state-linked cyber operations directed at NATO-aligned countries, reporting a 25% year-over-year increase in activity. The report indicates that Russian threat actors are prioritizing sectors with high intelligence and geopolitical value, including government, research and academia, and IT, reflecting a sustained effort to collect intelligence, shape decision-making, and support hybrid warfare objectives.

The 2025 M-Trends Report from Mandiant identified a 35% increase in malware attributed to Iran-nexus threat actors and 45 new malware strands attributed primarily to state-sponsored actors.

A 2026 report by the Google Threat Intelligence Group highlighted that nation state actors are not just targeting IT infrastructure within critical sectors, but often personally-identifiable information that can provide a pathway to targeting individuals.

The increase in nation-state cyber activity disproportionately impacts SAP environments that support mission-critical processes, store and process high-value data, and offer privileged integration paths to other critical solutions. Compromising SAP systems can enable state sponsored threat actors to perform espionage by accessing and exfiltrating sensitive data, and sabotage by interrupting the availability of critical resources. Breaches can also be used to pivot to connected systems and compromise internal and external supply chains.

The risks are amplified by the wide attack surface of many SAP solutions. This includes Application Programming Interfaces (APIs) that extend beyond internal network boundaries, cross-platform dependencies including database and OS platforms and middleware such as connectors, integration with federated identity providers, and internal trust relationships.

The risks are also increased by the volume of vulnerabilities in SAP solutions and challenges in patching SAP environments to address the root causes of vulnerabilities. According to the 2026 CrowdStrike Global Threat Report, 42% of vulnerabilities are exploited before public disclosure. Research released in 2025 indicated that threat actors are exploiting SAP security vulnerabilities within 72 hours of disclosure. The average time to apply security notes to patch SAP vulnerabilities in organizations is typically measured in weeks and months, rather than hours and days.

Nation-state actors often prefer access paths that blend into legitimate administrative behavior. In SAP landscapes, this can mean abuse of:

  • Trusted communications
  • Change management and system administration
  • Batch/background jobs
  • Transport processes
  • Service accounts
  • Remote support channels

Therefore, it is critical to identify and address:

  • Weakly governed RFC destinations, including over-privileged service users
  • Insecure, unencrypted RFC and web-based communications
  • Poorly restricted gateway registrations and access control for external program starts
  • Over-exposed ICF services
  • Unnecessary trusted system relationships
  • Excessive administrative privileges including broad RFC authorizations

In order to support detection, SAP telemetry should be integrated and correlated with telemetry from other endpoints to distinguish between normal SAP events and malicious actions. Also, anomaly-based monitoring is recommended to detect unusual system and user events.

The Cybersecurity Extension for SAP (CES) enables organizations to detect and respond to state-sponsored cyber threats in real time by combining continuous vulnerability management and threat detection for SAP solutions. CES is designed specifically for SAP landscapes (on-premise, cloud, and hybrid) and delivers real-time security intelligence to identify vulnerabilities and indicators of compromise in SAP applications and infrastructure. It monitors a broad set of SAP telemetry sources including SAP and infrastructure logs, providing security teams with deeper context than generic non-SAP specific tools that focus on network and host-level activity.

A key advantage for defending against advanced threats is the solution’s ability to reduce the attack surface to prevent exploitation. It performs scheduled scans for thousands of SAP vulnerabilities and misconfigurations, detects users with administrative privileges, and provides practical remediation guidance and workarounds to harden systems. CES also detects required SAP security notes including patches for Known Exploited Vulnerabilities for SAP in the CISA KEV catalog.

CES uses both pattern matching and anomaly detection to detect indicators of compromise in SAP solutions. Alerts for security incidents are integrated with enterprise SIEM platforms for cross-network analysis and correlation, enabling SOC teams to connect SAP activity with events from firewalls, endpoints, identity systems, and other infrastructure.