China-Backed Hackers Breach Organizations

Chinese state-sponsored hacking groups exploited a critical SAP vulnerability to breach 581 systems across global critical infrastructure networks in April 2025, marking one of the most extensive cyber campaigns targeting strategic organizations worldwide.

The attackers exploited CVE-2025-31324, a missing-authorization flaw in the Metadata Uploader component of SAP NetWeaver Visual Composer rated CVSS 10.0. Because the uploader endpoint (/developmentserver/metadatauploader) accepts file uploads without authentication, an attacker can drop arbitrary files such as JSP web shells onto the server and run code with the privileges of the SAP Java application server process. SAP shipped an emergency patch in April 2025; Visual Composer is not installed on every NetWeaver Java system, so confirming whether the component is present is the first triage step for defenders.

Researchers at EclecticIQ identified three distinct threat actor groups involved in the campaign, UNC5221, UNC5174, and CL-STA-0048, based on their distinctive tradecraft. The attackers used Nuclei, an open-source, template-driven vulnerability scanner, to sweep internet-exposed hosts for vulnerable SAP NetWeaver instances at scale.
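A defender reading the two paragraphs above will want to know what the exploitation looks like in their own web logs. The following Python script is an added example, not code from the original article or from any of the researchers cited: it scans HTTP access-log lines for the two indicators the public reporting describes (unauthenticated requests to the Visual Composer Metadata Uploader servlet, and JSP files served from the /irj/ portal path that the uploader can write to) and correlates the two when they come from the same source address. The Apache combined log format, the allowlist of legitimate JSP paths, and the sample log lines are all assumptions constructed for illustration; real SAP ICM/HTTP log formats differ and the regex will need adapting.

```python
"""Flag access-log lines consistent with CVE-2025-31324 exploitation.

Added example, not from the original article. Indicator paths come from
public reporting on the vulnerability: /developmentserver/metadatauploader
is the unauthenticated upload servlet, and uploaded JSP files are served
from the /irj/ portal root. Log format, allowlist and sample lines are
constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Apache combined log format (assumed; adapt to the SAP ICM/HTTP log in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOADER_PATH = "/developmentserver/metadatauploader"   # vulnerable servlet (public reporting)
JSP_UNDER_IRJ = re.compile(r"^/irj/[^?]*\.jsp", re.IGNORECASE)
# JSPs this portal legitimately serves under /irj/ (hypothetical allowlist; tune per system).
KNOWN_GOOD_JSP = {"/irj/portal.jsp"}

# Constructed sample lines. RFC 5737 test addresses; web shell names follow public reporting.
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Apr/2025:10:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Apr/2025:10:15:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312',
    '198.51.100.7 - - [28/Apr/2025:10:15:13 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 88',
    '203.0.113.10 - - [28/Apr/2025:10:16:40 +0000] "GET /irj/portal.jsp HTTP/1.1" 200 4096',
    '192.0.2.55 - - [28/Apr/2025:11:02:09 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 64',
    '198.51.100.7 - - [28/Apr/2025:11:03:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1200',
]


@dataclass
class Finding:
    ip: str
    kind: str     # upload_attempt | endpoint_probe | webshell_access | upload_then_jsp
    detail: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Walk the log in order and emit a Finding for each suspicious request."""
    findings = []
    uploaders = defaultdict(list)   # source ip -> timestamps of upload attempts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        detail = f"{rec['method']} {path} -> {rec['status']}"
        if path.lower() == UPLOADER_PATH:
            # The servlet requires no authentication, so any external request is
            # worth a look: POST/PUT is an upload, anything else is a scanner probe.
            if rec["method"] in ("POST", "PUT"):
                uploaders[rec["ip"]].append(rec["ts"])
                findings.append(Finding(rec["ip"], "upload_attempt", detail))
            else:
                findings.append(Finding(rec["ip"], "endpoint_probe", detail))
        elif JSP_UNDER_IRJ.match(path) and path.lower() not in KNOWN_GOOD_JSP:
            # A JSP outside the allowlist under /irj/ is a candidate web shell;
            # if the same source already hit the uploader, treat it as confirmed chain.
            kind = "upload_then_jsp" if rec["ip"] in uploaders else "webshell_access"
            findings.append(Finding(rec["ip"], kind, detail))
    return findings


def summarise(findings):
    """Count findings per source address so the noisiest scanners surface first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.ip] += 1
    return dict(counts)


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f.ip:15} {f.kind:16} {f.detail}")
    print(summarise(results))
```

Run against the constructed sample, the script flags the POST to the uploader, the follow-up request to /irj/helper.jsp from the same address (the full upload-then-execute chain), a lone request to /irj/cache.jsp from a second address, and a GET probe of the uploader of the kind a Nuclei sweep produces, while the legitimate portal.jsp hit passes. In production, the allowlist should be built from the JSPs actually deployed under the portal root, and the same two indicators can be expressed as SIEM rules rather than a script.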

Evidence of the operation's scope came from openly browsable directories on attacker-controlled infrastructure at IP address 15.204.56[.]106, which held logs listing the compromised systems and the locations of the web shells planted on them.

Reporting on Chinese state activity in the same period also singled out targets of strategic significance, including the Treasury Department's Office of Foreign Assets Control and the Office of the Treasury Secretary. Those offices were breached in a separate intrusion disclosed in December 2024, carried out through a compromised third-party remote-support vendor rather than the SAP flaw. Both had administered economic sanctions against Chinese companies in 2024 over involvement in cyberattacks or the supply of weapons to Russia.

In another distinct intrusion, the "Silk Typhoon" group reportedly compromised Commvault's Microsoft Azure-hosted SaaS environment and used that foothold to maintain persistent access to customer cloud environments. South Korean financial institutions reported heightened cyber risk during the same period, with attacks aimed at destabilizing economic operations.

The geographic impact extended across several continents: South Korea's national systems experienced significant disruption, and Taiwan reported roughly 2.4 million attempted attacks per day on government networks throughout 2024. The U.S. Treasury Department confirmed the separate state-sponsored intrusion in early December 2024, illustrating how far Chinese operations reach into high-value government targets.

Security analysts assess that these operations serve broader military and strategic objectives, potentially laying groundwork to disrupt U.S. military supply lines during future conflicts. The attacks particularly focus on preparing tactical advantages in potential Taiwan conflict scenarios, employing hybrid tactics that simultaneously target economic competitiveness and critical infrastructure resilience.

The technical sophistication of the campaign, together with the systematic victim logging found on the attacker-controlled infrastructure, points to a well-organized operation built to maximize disruption potential across ICT-dependent societies. In the Commvault case, the company reported that only a small number of customers were affected.

This campaign represents a significant escalation in Beijing’s deployment of cyber capabilities against strategic competitors.
