Blog
/
OT
/
December 16, 2024

Breaking Down Nation State Attacks on Supply Chains

Explore how nation-state supply chain attacks like 3CX, NotPetya, and SolarWinds exploited trusted providers to cause global disruption, highlighting the urgent need for robust security measures.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Benjamin Druttman
Cyber Security AI Technical Instructor
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
16
Dec 2024

Introduction: Nation state attacks on supply chains

In recent years, supply chain attacks have surged in both frequency and sophistication, evolving into one of the most severe threats to organizations across almost every industry. By exploiting third-party vendors and service providers, these attacks can inflict widespread disruption with a single breach. They have become a go-to choice for nation state actors and show no signs of slowing down. According to Gartner, the costs from these attacks will skyrocket “from $46 billion in 2023 to $138 billion by 2031” [1].  

But why are supply chains specifically such an irresistible target for threat actors? Dwight D. Eisenhower, the General of the US Army in World War II and former US President, once said, “you won’t find it difficult to prove that battles, campaigns, and even wars have been won or lost primarily because of logistics.”

The same is true in cyberspace and cyberwarfare. We live in an increasingly interconnected world. The provision of almost every service integral to our daily lives relies on a complex web of interdependent third parties.  

Naturally, threat actors gravitate towards these service providers. By compromising just one of them, they can spread through supply chains downstream to other organizations and raise the odds of winning their battle, campaign, or war.  

software supply chain sequence
Figure 1: Software supply chain attack cycle

A house built on open-source sand

Software developers face immense pressure to produce functional code quickly, often under tight deadlines. Adding to this challenge is the need to comply with stringent security requirements set by their DevSecOps counterparts, who aim to ensure that code is safe from vulnerabilities.  

Open-source repositories alleviate some of this pressure by providing pre-built packages of code and fully functioning tools that developers can freely access and integrate. These highly accessible resources enhance productivity and boost innovation. As a result, they have a huge, diverse user base spanning industries and geographies. However, given their extensive adoption, any security lapse can result in widespread compromise across businesses.

Cautionary tales for open-source dependencies

This is exactly what happened in December 2021 when a remote code execution vulnerability was discovered in Log4J’s software. In simple terms, it exposed an alarmingly straightforward way for attackers to take control of any system using Log4J.  

The scope for potential attack was unprecedented. Some estimates say up to 3 billion devices were affected worldwide, in what was quickly labelled the “single biggest, most critical vulnerability of the last decade” [2].

What ensued was a race between opportunistic nefarious actors and panicked security professionals. The astronomical number of vulnerable devices laid expansive groundwork for attackers, who quickly began probing potentially exploitable systems. 48% of corporate networks globally were scanned for the vulnerability, while security teams scrambled to apply the remediating patch [3].

The vulnerability attracted nation states like a moth to a flame, who, unsurprisingly, beat many security teams to it. According to the FBI and the US Cybersecurity and Infrastructure Agency (CISA), Iranian government-sponsored threat groups were found using the Log4J vulnerability to install cryptomining software, credential stealers and Ngrok reverse proxies onto no less than US Federal networks [4].  

Research from Microsoft and Mandiant revealed nation state groups from China, North Korea and Turkey also taking advantage of the Log4J vulnerability to deploy malware on target systems [5].  

If Log4j taught us anything, it’s that vulnerabilities in open-source technologies can be highly attractive target for nation states. When these technologies are universally adopted, geopolitical adversaries have a much wider net of opportunity to successfully weaponize them.  

It therefore comes as no surprise that nation states have ramped up their operations targeting the open-source link of the supply chain in recent years.  

Since 2020, there has been a 1300% increase in malicious threats circulating on open-source repositories. PyPI is the official open-source code repository for programming done in the Python language and used by over 800,000 developers worldwide. In the first 9 months of 2023 alone, 7,000 malicious packages were found on PyPI, some of which were linked to the North Korea state-sponsored threat group, Lazarus [6].  

Most of them were found using a technique called typosquatting, in which the malicious payloads are disguised with names that very closely resemble those of legitimate packages, ready for download by an unwitting software developer. This trickery of the eye is an example of social engineering in the supply chain.  

A hop, skip, and a jump into the most sensitive networks on earth

One of the most high-profile supply chain attacks in recent history occurred in 2023, targeting 3CX’s Desktop App – a widely used video communications by over 600,000 customers in various sectors such as aerospace, healthcare and hospitality.

The incident gained notoriety as a double supply chain attack. The initial breach originated from financial trading software called X_Trader, which had been infected with a backdoor.  A 3CX employee unknowingly downloaded the compromised X_Trader software onto a corporate device. This allowed attackers to steal the employee’s credentials and use them to gain access to 3CX’s network, spread laterally and compromising Windows and Mac systems.  

The attack moved along another link of the supply chain to several of 3CX’s customers, impacting critical national infrastructure like energy sector in US and Europe.  

For the average software provider, this attack shed more light on how a compromise of their technology could cause chaos for their customers.  

But nation states already knew this. The 3CX attack was attributed, yet again, to Lazarus, the same North Korean nation state blamed for implanting malicious packages in the Python repository.  

It’s also worth mentioning the astounding piece of evidence in a separate social engineering campaign which linked the 3CX hack to North Korea. It was an attack worthy of a Hollywood cyber block buster. The threat group, Lazarus, lured hopeful job candidates on LinkedIn into clicking on malicious ZIP file disguised as an attractive PDF offer for a position as a Developer at HSBC. The malware’s command and control infrastructure, journalide[.]org, was the same one discovered in the 3CX campaign.  

Though not strictly a supply chain attack, the LinkedIn campaign illustrates how nation states employ a diverse array of methods that span beyond the supply chain to achieve their goals. These sophisticated and well-resourced adversaries are adaptable and capable of repurposing their command-and-control infrastructure to orchestrate a range of attacks. This attack, along with the typosquatting attacks found in PyPI, serve as a critical reminder for security teams: supply chain attacks are often coupled with another powerful tactic – social engineering of human teams.

When the cure is worse than the disease

Updates to the software are a core pillar of cybersecurity, designed to patch vulnerabilities like Log4J and ensure it is safe. However, they have also proven to serve as alarmingly efficient delivery vessels for nation states to propagate their cyberattacks.  

Two of the most prolific supply chain breaches in recent history have been deployed through malicious updates, illustrating how they can be a double-edged sword when it comes to cyber defense.  

NotPetya (2017) and Solarwinds (2020)

The 2017 NotPetya ransomware attack exemplified the mass spread of ransomware via a single software update. A Russian military group injected malware on accounting software used by Ukrainian businesses for tax reporting. Via an automatic update, the ransomware was pushed out to thousands of customers within hours, crippled Ukrainian infrastructure including airports, financial institutions and government agencies.  

Some of the hardest hit victims were suppliers themselves. Maersk, the global shipping giant responsible for shipping one fifth of the world’s goods, had their entire global operations brought to a halt and their 76 ports temporarily shut down. The interruptions to global trade were then compounded when a FedEx subsidiary was hit by the same ransomware. Meanwhile, Merck, a pharmaceutical company, was unable to supply vaccines to the Center for Disease Control and Prevention due to the attack.  

In 2020, another devastating supply chain attack unfolded in a similar way. Threat actors tied to Russian intelligence embedded malicious code into Solarwinds’ Orion IT software, which was then distributed as an update to 18,000 organizations. Victims included at least eight U.S. government agencies, as well as several major tech companies.  

These two attacks highlighted two key lessons. First, in a hyperconnected digital world, nation states will exploit the trust organizations place in software updates to cause a ripple effect of devastation downstream. Secondly, the economies of scale for the threat actor themselves are staggering: a single malicious update provided the heavy lifting work of dissemination to the attacker. A colossal number of originations were infected, and they obtained the keys to the world’s most sensitive networks.

The conclusion is obvious, albeit challenging to implement; organizations must rigorously scrutinize the authenticity and security of updates to prevent far-reaching consequences.  

Some of the biggest supply chain attacks in recent history and the nation state actor they are attributed to
Figure 2: Some of the biggest supply chain attacks in recent history and the nation state actor they are attributed to

Geopolitics and nation States in 2024: Beyond the software supply chain

The threat to our increasingly complex web of global supply is real. But organizations must look beyond their software to successfully mitigate supply chain disruption. Securing hardware and logistics is crucial, as these supply chain links are also in the crosshairs of nation states.  

In July 2024, suspicious packages caused a warehouse fire at a depot belonging to courier giant DHL in Birmingham, UK. British counter-terrorism authorities investigated Russian involvement in this fire, which was linked to a very similar incident that same month at a DHL facility in Germany.  

In September 2024, camouflaged explosives were hidden in walkie talkies and pagers in Lebanon and Syria – a supply chain attack widely believed to be carried out by Israel.

While these attacks targeted hardware and logistics rather than software, the underlying rule of thumb remained the same: the compromise of a single distributor can provide the attackers with considerable economies of scale.

These attacks sparked growing concerns of coordinated efforts to sabotage the supply chain. This sentiment was reflected in a global survey carried out by HP in August 2024, in which many organisations reported “nation-state threat actors targeting physical supply chains and tampering with device hardware and firmware integrity” [7].

More recently, in November 2024, the Russian military unit 29155 vowed to “turn the lights out for millions” by threatening to launch cyberattacks on the blood supply of NATO countries, critical national infrastructure (CNI). Today, CNI encompasses more than the electric grid and water supply; it includes ICT services and IT infrastructure – the digital systems that underpin the foundations of modern society.    

This is nothing new. The supply and logistics-focused tactic has been central to warfare throughout history. What’s changed is that cyberspace has merely expanded the scale and efficiency of these tactics, turning single software compromises into attack multipliers. The supply chain threat is now more multi-faceted than ever before.  

Learnings from the supply chain threat landscape

Consider some of the most disastrous nation-state supply chain attacks in recent history – 3CX, NotPetya and Solarwinds. They share a remarkable commonality: the attackers only needed to compromise a single piece of software to cause rampant disruption. By targeting a technology provider whose products were deeply embedded across industries, threat actors leveraged the trust inherent in the supply chain to infiltrate networks at scale.

From a nation-state’s perspective, targeting a specific technology, device or service used by vast swathes of society amplifies operational efficiency. For software, hardware and critical service suppliers, these examples serve as an urgent wake-up call. Without rigorous security measures, they risk becoming conduits for global disruption. Sanity-checking code, implementing robust validation processes, and fostering a culture of security throughout the supply chain are no longer optional—they are essential.  

The stakes are clear: in the interconnected digital age, the safety of countless systems, industries and society at large depends on their vigilance.  

Screenshot of supply chain security whitepaper

Gain a deeper understanding of the evolving risks in supply chain security and explore actionable strategies to protect your organization against emerging threats. Download the white paper to empower your decision-making with expert insights tailored for CISOs

Download: Securing the Supply Chain White Paper

References

  1. https://www.gartner.com/en/documents/5524495
  1. CISA Insights “Remediate Vulnerabilities for Internet-Accessible Systems.”
  1. https://blog.checkpoint.com/security/the-numbers-behind-a-cyber-pandemic-detailed-dive/
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a  
  1. https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/  
  1. https://content.reversinglabs.com/state-of-sscs-report/the-state-of-sscs-report-24  
  1. https://www.hp.com/us-en/newsroom/press-releases/2024/hp-wolf-security-study-supply-chains.html
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Benjamin Druttman
Cyber Security AI Technical Instructor

More in this series

No items found.

Blog

/

Network

/

June 16, 2025

Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure 

person working on laptopDefault blog imageDefault blog image

Introduction: Exploiting SAP platforms

Global enterprises depend extensively on SAP platforms, such as SAP NetWeaver and Visual Composer, to run critical business processes worldwide. These systems; however, are increasingly appealing targets for well-resourced adversaries:

What is CVE-2025-31324?

CVE-2025-31324 affects SAP’s NetWeaver Visual Composer, a web-based software modeling tool. SAP NetWeaver is an application server and development platform that runs and connects SAP and non-SAP applications across different technologies [2]. It is commonly used by process specialists to develop application components without coding in government agencies, large enterprises, and by critical infrastructure operators [4].

CVE-2025-31324 affects SAP’s Netweaver Visual Composer Framework 7.1x (all SPS) and above [4]. The vulnerability in a Java Servlet (/irj/servlet_jsp) would enable an unauthorized actor to upload arbitrary files to the /developmentserver/metadatauploader endpoint, potentially resulting in remote code execution (RCE) and full system compromise [3]. The issue stems from an improper authentication and authorization check in the SAP NetWeaver Application Server Java systems [4].

What is the severity rating of CVE-2025-31324?

The vulnerability, first disclosed on April 24, 2025, carries the highest severity rating (CVSS v3 score: 10.0) and could allow remote attackers to upload malicious files without requiring authentication [1][5]. Although SAP released a workaround on April 8, many organizations are hesitant to take their business-critical SAP NetWeaver systems offline, leaving them exposed to potential exploitation [2].

How is CVE-2025-31324 exploited?

The vulnerability is exploitable by sending specifically crafted GET, POST, or HEAD HTTP requests to the /developmentserver/metadatauploader URL using either HTTP or HTTPS. Attackers have been seen uploading malicious files (.jsp, .java, or .class files to paths containing “\irj\servlet_jsp\irj\”), most of them being web shells, to publicly accessible SAP NetWeaver systems.

External researchers observed reconnaissance activity targeting this vulnerability in late January 2025, followed by a surge in exploitation attempts in February. The first confirmed compromise was reported in March [4].

Multiple threat actors have reportedly targeted the vulnerability, including Chinese Advanced Persistent Threats (APTs) groups Chaya_004 [7], UNC5221, UNC5174, and CL-STA-0048 [8], as well as ransomware groups like RansomEXX, also known as Storm-2460, BianLian [4] or Qilin [6] (the latter two share the same indicators of  compromise (IoCs)).

Following the initial workaround published on April 8, SAP released a security update addressing CVE-2025-31324 and subsequently issued a patch on May 13 (Security Note 3604119) to resolve the root cause of the vulnerability [4].

Darktrace’s coverage of CVE-2025-31324 exploitation

Darktrace has observed activity indicative of threat actors exploiting CVE-2025-31324, including one instance detected before the vulnerability was publicly disclosed.

In April 2025, the Darktrace Threat Research team investigated activity related to the CVE-2025-31324 on SAP devices and identified two cases suggesting active exploitation of the vulnerability. One case was detected prior to the public disclosure of the vulnerability, and the other just two days after it was published.

Early detection of CVE 2025-31324 by Darktrace

Timeline of events for an internet-facing system, believed to be a SAP device, exhibiting activity indicative of CVE-2025-31324 exploitation.
Figure 1: Timeline of events for an internet-facing system, believed to be a SAP device, exhibiting activity indicative of CVE-2025-31324 exploitation.

On April 18, six days prior to the public disclosure of CVE-2025-31324, Darktrace began to detect unusual activity on a device belonging to a logistics organization in the Europe, the Middle East and Africa (EMEA) region. Multiple IoCs observed during this incident have since been linked via OSINT to the exploitation of CVE-2025-31324. Notably, however, this reporting was not available at the time of detection, highlighting Darktrace’s ability to detect threats agnostically, without relying on threat intelligence.

The device was observed making  domain name resolution request for the Out-of-Band Application Security Testing (OAST) domain cvvr9gl9namk9u955tsgaxy3upyezhnm6.oast[.]online. OAST is often used by security teams to test if exploitable vulnerabilities exist in a web application but can similarly be used by threat actors for the same purpose [9].

Four days later, on April 22, Darktrace observed the same device, an internet-facing system believed to be a SAP device, downloading multiple executable (.exe) files from several Amazon Simple Storage Service (S3). Darktrace’s Threat Research team later found these files to be associated with the KrustyLoader  malware [23][24][25].

KrustyLoader is known to be associated with the Chinese threat actor UNC5221, also known as UTA0178, which has been reported to aggressively target devices exposed to the internet [10] [14] [15]. It is an initial-stage malware which downloads and launches a second-stage payload – Sliver C2. Sliver is a similar tool to Cobalt Strike (an open-source post-exploitation toolkit). It is used for command-and-control (C2) connections [11][12]13]. After its successful download, KrustyLoader deletes itself to evade detection.  It has been reported that multiple Chinese APT groups have deployed KrustyLoader on SAP Netweaver systems post-compromise [8].

The actors behind KrustyLoader have also been associated with the exploitation of zero-day vulnerabilities in other enterprise systems, including Ivanti devices [12]. Notably, in this case, one of the Amazon S3 domains observed (abode-dashboard-media.s3.ap-south-1.amazonaws[.]com ) had previously been investigated by Darktrace’s Threat Research team as part of their investigation into Ivanti Connect Secure (CS) and Policy Secure (PS) appliances.

In addition to the download of known malicious files, Darktrace also detected new IoCs, including several executable files that could not be attributed to any known malware families or previous attacks, and for which no corresponding OSINT reporting was available.

Post-CVE publication detection

Exploit Validation

Between April 27 and 29, Darktrace observed unusual activity from an SAP device on the network of a manufacturing customer in EMEA.

Figure 2: Darktrace / NETWORK’s detection of an SAP device performing a large volume of suspicious activity between April 27 and April 29.

The device was observed making DNS requests for OAST domains (e.g. aaaaaaaa.d06qqn7pu5a6u25tv9q08p5xhbjzw33ge.oast[.]online and aaaaaaaaaaa.d07j2htekalm3139uk2gowmxuhapkijtp.oast[.]pro), suggesting that a threat actor was testing for exploit validation [9].

Darktrace / NETWORK’s detection of a SAP device making suspicious domain name resolution requests for multiple OAST domains.
Figure 3: Darktrace / NETWORK’s detection of a SAP device making suspicious domain name resolution requests for multiple OAST domains.

Privilege escalation tool download attempt

One day later, Darktrace observed the same device attempting to download an executable file from hxxp://23.95.123[.]5:666/xmrigCCall/s.exe (SHA-1 file hash: e007edd4688c5f94a714fee036590a11684d6a3a).

Darktrace / NETWORK identified the user agents Microsoft-CryptoAPI/10.0 and CertUtil URL Agent during the connections to 23.95.123[.]5. The connections were made over port 666, which is not typically used for HTTP connections.

Multiple open-source intelligence (OSINT) vendors have identified the executable file as either JuicyPotato or SweetPotato, both Windows privilege escalation tools[16][17][18][19]. The file hash and the unusual external endpoint have been associated with the Chinese APT group Gelsemium in the past, however, many threat actors are known to leverage this tool in their attacks [20] [21].

Figure 4: Darktrace’s Cyber AI Analyst’s detection of a SAP device downloading a suspicious executable file from hxxp://23.95.123[.]5:666/xmrigCCall/s.exe on April 28, 2025.

Darktrace deemed this activity highly suspicious and triggered an Enhanced Monitoring model alert, a high-priority security model designed to detect activity likely indicative of compromise. As the customer was subscribed to the Managed Threat Detection service, Darktrace’s Security Operations Centre (SOC) promptly investigated the alert and notified the customer for swift remediation. Additionally, Darktrace’s Autonomous Response capability automatically blocked connections to the suspicious IP, 23.95.123[.]5, effectively containing the compromise in its early stages.

Actions taken by Darktrace’s Autonomous Response to block connections to the suspicious external endpoint 23.95.123[.]5. This event log shows that the connections to 23.95.123[.]5 were made over a rare destination port for the HTTP protocol and that new user agents were used during the connections.
Figure 5: Actions taken by Darktrace’s Autonomous Response to block connections to the suspicious external endpoint 23.95.123[.]5. This event log shows that the connections to 23.95.123[.]5 were made over a rare destination port for the HTTP protocol and that new user agents were used during the connections.

Conclusion

The exploitation of CVE-2025-31324 to compromise SAP NetWeaver systems highlights the persistent threat posed by vulnerabilities in public-facing assets. In this case, threat actors leveraged the flaw to gain an initial foothold, followed by attempts to deploy malware linked to groups affiliated with China [8][20].

Crucially, Darktrace demonstrated its ability to detect and respond to emerging threats even before they are publicly disclosed. Six days prior to the public disclosure of CVE-2025-31324, Darktrace detected unusual activity on a device believed to be a SAP system, which ultimately represented an early detection of the CVE. This detection was made possible through Darktrace’s behavioral analysis and anomaly detection, allowing it to recognize unexpected deviations in device behavior without relying on signatures, rules or known IoCs. Combined with its Autonomous Response capability, this allowed for immediate containment of suspicious activity, giving security teams valuable time to investigate and mitigate the threat.

Credit to Signe Zaharka (Principal Cyber Analyst), Emily Megan Lim, (Senior Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

List of IoCs

23.95.123[.]5:666/xmrigCCall/s.exe - URL- JuicyPotato/SweetPotato - high confidence

29274ca90e6dcf5ae4762739fcbadf01- MD5 file hash - JuicyPotato/SweetPotato - high confidence

e007edd4688c5f94a714fee036590a11684d6a3a - SHA-1 file hash - JuicyPotato/SweetPotato -high confidence

3268f269371a81dbdce8c4eedffd8817c1ec2eadec9ba4ab043cb779c2f8a5d2 - SHA-256 file hash - JuicyPotato/SweetPotato -high confidence

abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/nVW2lsYsYnv58 - URL- high confidence

applr-malbbal.s3.ap-northeast-2.amazonaws[.]com/7p3ow2ZH - URL- high confidence

applr-malbbal.s3.ap-northeast-2.amazonaws[.]com/UUTICMm - URL- KrustyLoader - high confidence

beansdeals-static.s3.amazonaws[.]com/UsjKy - URL- high confidence

brandnav-cms-storage.s3.amazonaws[.]com/3S1kc - URL- KrustyLoader - high confidence

bringthenoiseappnew.s3.amazonaws[.]com/pp79zE - URL- KrustyLoader - high confidence

f662135bdd8bf792a941ea222e8a1330 - MD5 file hash- KrustyLoader - high confidence

fa645f33c0e3a98436a0161b19342f78683dbd9d - SHA-1 file hash- KrustyLoader - high confidence

1d26fff4232bc64f9ab3c2b09281d932dd6afb84a24f32d772d3f7bc23d99c60 - SHA-256 file hash- KrustyLoader - high confidence

6900e844f887321f22dd606a6f2925ef - MD5 file hash- KrustyLoader - high confidence

da23dab4851df3ef7f6e5952a2fc9a6a57ab6983 - SHA-1 file hash- KrustyLoader - high confidence

1544d9392eedf7ae4205dd45ad54ec67e5ce831d2c61875806ce4c86412a4344 - SHA-256 file hash- KrustyLoader - high confidence

83a797e5b47ce6e89440c47f6e33fa08 - MD5 file hash - high confidence

a29e8f030db8990c432020441c91e4b74d4a4e16 - SHA-1 file hash - high confidence

72afde58a1bed7697c0aa7fa8b4e3b03 - MD5 file hash- high confidence

fe931adc0531fd1cb600af0c01f307da3314c5c9 - SHA-1 file hash- high confidence

b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4fbbdd7668492de548b5df8 - SHA-256 file hash- KrustyLoader - high confidence

17d65a9d8d40375b5b939b60f21eb06eb17054fc - SHA-1 file hash- KrustyLoader - high confidence

8c8681e805e0ae7a7d1a609efc000c84 - MD5 file hash- KrustyLoader - high confidence

29274ca90e6dcf5ae4762739fcbadf01 - MD5 file hash- KrustyLoader - high confidence

Darktrace Model Detections

Anomalous Connection / CertUtil Requesting Non Certificate

Anomalous Connection / CertUtil to Rare Destination

Anomalous Connection / Powershell to Rare External

Anomalous File / EXE from Rare External Location

Anomalous File / Multiple EXE from Rare External Locations

Anomalous File / Internet Facing System File Download

Anomalous File / Masqueraded File Transfer (Enhanced Monitoring)

Anomalous Server Activity / New User Agent from Internet Facing System

Compliance / CertUtil External Connection

Compromise / High Priority Tunnelling to Bin Services (Enhanced Monitoring)

Compromise / Possible Tunnelling to Bin Services

Device / Initial Attack Chain Activity (Enhanced Monitoring)

Device / Suspicious Domain

Device / Internet Facing Device with High Priority Alert

Device / Large Number of Model Alerts

Device / Large Number of Model Alerts from Critical Network Device (Enhanced Monitoring)

Device / New PowerShell User Agent

Device / New User Agent

Autonomous Response Model Alerts

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena/ Network / External Threat / Antigena Suspicious File Block

Antigena/ Network / External Threat / Antigena Suspicious File Pattern of Life Block

Antigena/ Network / Significant Anomaly / Antigena Alerts Over Time Block

Antigena/ Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena/ Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena/ Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Cyber AI Analyst Incidents

Possible HTTP Command and Control

Suspicious File Download

MITRE ATT&CK Mapping

Malware - RESOURCE DEVELOPMENT - T1588.001

PowerShell - EXECUTION - T1059.001

Drive-by Compromise - INITIAL ACCESS - T1189

Ingress Tool Transfer - COMMAND AND CONTROL - T1105

Application Layer Protocol - COMMAND AND CONTROL - T1071

Exploitation of Remote Services - LATERAL MOVEMENT - T1210

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - EXFILTRATION - T1048.003

References

1. https://nvd.nist.gov/vuln/detail/CVE-2025-31324

2. https://www.bleepingcomputer.com/news/security/over-1-200-sap-netweaver-servers-vulnerable-to-actively-exploited-flaw/

3. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/

4. https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

5. https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/

6. https://op-c.net/blog/sap-cve-2025-31324-qilin-breach/

7. https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/

8. https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures

9. https://portswigger.net/burp/application-security-testing/oast

10. https://www.picussecurity.com/resource/blog/unc5221-cve-2025-22457-ivanti-connect-secure  

11. https://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader

12. https://www.broadcom.com/support/security-center/protection-bulletin/krustyloader-backdoor

13. https://labs.withsecure.com/publications/new-krustyloader-variant-dropped-via-screenconnect-exploit

14. https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability

15. https://thehackernews.com/2024/01/chinese-hackers-exploiting-critical-vpn.html

16. https://www.virustotal.com/gui/file/3268f269371a81dbdce8c4eedffd8817c1ec2eadec9ba4ab043cb779c2f8a5d2

17. https://bazaar.abuse.ch/sample/3268f269371a81dbdce8c4eedffd8817c1ec2eadec9ba4ab043cb779c2f8a5d2/

18. https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-juicypotato-hacking-tool-discovered.pdf

19. https://www.manageengine.com/log-management/correlation-rules/detecting-sweetpotato.html

20. https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/

21. https://assets.kpmg.com/content/dam/kpmg/in/pdf/2023/10/kpmg-ctip-gelsemium-apt-31-oct-2023.pdf

22. https://securityaffairs.com/177522/hacking/experts-warn-of-a-second-wave-of-attacks-targeting-sap-netweaver-bug-cve-2025-31324.html

23. https://www.virustotal.com/gui/file/b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4fbbdd7668492de548b5df8

24. https://www.virustotal.com/gui/file/1d26fff4232bc64f9ab3c2b09281d932dd6afb84a24f32d772d3f7bc23d99c60/detection

25. https://www.virustotal.com/gui/file/1544d9392eedf7ae4205dd45ad54ec67e5ce831d2c61875806ce4c86412a4344/detection

Continue reading
About the author
Signe Zaharka
Senior Cyber Security Analyst

Blog

/

/

June 12, 2025

Modernising UK Cyber Regulation: Implications of the Cyber Security and Resilience Bill

Two individuals sitting at a desk working on a documentDefault blog imageDefault blog image

The need for security and continued cyber resilience

The UK government has made national security a key priority, and the new Cyber Security and Resilience Bill (CSRB) is a direct reflection of that focus. In introducing the Bill, Secretary of State for Science, Innovation and Technology, Peter Kyle, recognised that the UK is “desperately exposed” to cyber threats—from criminal groups to hostile nation-states that are increasingly targeting the UK's digital systems and critical infrastructure[1].

Context and timeline for the new legislation

First announced during the King’s Speech of July 2024, and elaborated in a Department for Science, Innovation and Technology (DSIT) policy statement published in April 2025, the CSRB is expected to be introduced in Parliament during the 2025-26 legislative session.

For now, organisations in the UK remain subject to the 2018 Network and Information Systems (NIS) Regulations – an EU-derived law which was drafted before today’s increasing digitisation of critical services, rise in cloud adoption and emergence of AI-powered threats.

Why modernisation is critical

Without modernisation, the Government believes UK’s infrastructure and economy risks falling behind international peers. The EU, which revised its cybersecurity regulation under the NIS2 Directive, already imposes stricter requirements on a broader set of sectors.

The urgency of the Bill is also underscored by recent high-impact incidents, including the Synnovis attack which targeted the National Health Service (NHS) suppliers and disrupted thousands of patient appointments and procedures[2]. The Government has argued that such events highlight a systemic failure to keep pace with a rapidly evolving threat landscape[3].

What the Bill aims to achieve

This Bill represents a decisive shift. According to the Government, it will modernise and future‑proof the UK’s cyber laws, extending oversight to areas where risk has grown but regulation has not kept pace[4]. While the legislation builds on previous consultations and draws lessons from international frameworks like the EU’s NIS2 directive, it also aims to tailor solutions to the UK’s unique threat environment.

Importantly, the Government is framing cybersecurity not as a barrier to growth, but as a foundation for it. The policy statement emphasises that strong digital resilience will create the stability businesses need to thrive, innovate, and invest[5]. Therefore, the goals of the Bill will not only be to enhance security but also act as an enabler to innovation and economic growth.

Recognition that AI changes cyber threats

The CSRB policy statement recognises that AI is fundamentally reshaping the threat landscape, with adversaries now leveraging AI and commercial cyber tools to exploit vulnerabilities in critical infrastructure and supply chains. Indeed, the NCSC has recently assessed that AI will almost certainly lead to “an increase in the frequency and intensity of cyber threats”[6]. Accordingly, the policy statement insists that the UK’s regulatory framework “must keep pace and provide flexibility to respond to future threats as and when they emerge”[7].

To address the threat, the Bill signals new obligations for MSPs and data centres, timely incident reporting and dynamic guidance that can be refreshed without fresh primary legislation, making it essential for firms to follow best practices.

What might change in day-to-day practice?

New organisations in scope of regulation

Under the existing Network and Information Systems (NIS) Regulations[8], the UK already supervises operators in five critical sectors—energy, transport, drinking water, health (Operators of Essential Services, OES) and digital infrastructure (Relevant Digital Service Providers, RDSPs).

The Cyber Security and Resilience Bill retains this foundation and adds Managed Service Providers (MSPs) and data centres to the scope of regulation to “better recognise the increasing reliance on digital services and the vulnerabilities posed by supply chains”[9]. It also grants the Secretary of State for Science, Innovation and Technology the power to add new sectors or sub‑sectors via secondary legislation, following consultation with Parliament and industry.

Managed service providers (MSPs)

MSPs occupy a central position within the UK’s enterprise information‑technology infrastructure. Because they remotely run or monitor clients’ systems, networks and data, they hold privileged, often continuous access to multiple environments. This foothold makes them an attractive target for malicious actors.

The Bill aims to bring MSPs in scope of regulation by making them subject to the same duties as those placed on firms that provide digital services under the 2018 NIS Regulations. By doing so, the Bill seeks to raise baseline security across thousands of customer environments and to provide regulators with better visibility of supply‑chain risk.

The proposed definition for MSPs is a service which:

  1. Is provided to another organisation
  2. Relies on the use of network and information systems to deliver the service
  3. Relates to ongoing management support, active administration and/or monitoring of AI systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security.
  4. Involves a network connection and/or access to the customer’s network and information systems.

Data centres

Building on the September 2024 designation of data centres as critical national infrastructure, the CSRB will fold data infrastructure into the NIS-style regime by naming it an “relevant sector" and data centres as “essential service”[10].

About 182 colocation facilities run by 64 operators will therefore come under statutory duties to notify the regulator, maintain proportionate CAF-aligned controls and report significant incidents, regardless of who owns them or what workloads they host.

New requirements for regulated organisations

Incident reporting processes

There could be stricter timelines or broader definitions of what counts as a reportable incident. This might nudge organisations to formalise detection, triage, and escalation procedures.

The Government is proposing to introduce a new two-stage incident reporting process. This would include an initial notification which would be submitted within 24 hours of becoming aware of a significant incident, followed by a full incident report which should be submitted within 72 hours of the same.

Supply chain assurance requirements

Supply chains for the UK's most critical services are becoming increasingly complex and present new and serious vulnerabilities for cyber-attacks. The recent Synnovis ransomware attacks on the NHS[11] exemplify the danger posed by attacks against the supply chains of important services and organisations. This is concerning when reflecting on the latest Cyber Security Breaches survey conducted by DSIT, which highlights that fewer than 25% of large businesses review their supply chain risks[12].

Despite these risks, the UK’s legacy cybersecurity regulatory regime does not explicitly cover supply chain risk management. The UK instead relies on supporting and non-statutory guidance to close this gap, such as the NCSC’s Cyber Assessment Framework (CAF)[13].

The CSRB policy statement acts on this regulatory shortcoming and recognises that “a single supplier’s disruption can have far-reaching impacts on the delivery of essential or digital services”[14].

To address this, the Bill would make in-scope organisations (OES and RDPS) directly accountable for the cybersecurity of their supply chains. Secondary legislation would spell out these duties in detail, ensuring that OES and RDSPs systematically assess and mitigate third-party cyber risks.

Updated and strengthened security requirements

By placing the CAF into a firmer footing and backing it with a statutory Code of Practice, the Government is setting clearer expectations about government expectations on technical standards and methods organisations will need to follow to prove their resilience.

How Darktrace can help support affected organizations

Demonstrate resilience

Darktrace’s Self-Learning AITM continuously monitors your digital estate across cloud, network, OT, email, and endpoint to detect, investigate, and autonomously respond to emerging threats in real time. This persistent visibility and defense posture helps organizations demonstrate cyber resilience to regulators with confidence.

Streamline incident reporting and compliance

Darktrace surfaces clear alerts and automated investigation reports, complete with timeline views and root cause analysis. These insights reduce the time and complexity of regulatory incident reporting and support internal compliance workflows with auditable, AI-generated evidence.

Improve supply chain visibility

With full visibility across connected systems and third-party activity, Darktrace detects early indicators of lateral movement, account compromise, and unusual behavior stemming from vendor or partner access, reducing the risk of supply chain-originated cyber-attacks.

Ensure MSPs can meet new standards

For managed service providers, Darktrace offers native multi-tenant support and autonomous threat response that can be embedded directly into customer environments. This ensures consistent, scalable security standards across clients—helping MSPs address increasing regulatory obligations.

[related-resource]

References

[1] https://www.theguardian.com/uk-news/article/2024/jul/29/uk-desperately-exposed-to-cyber-threats-and-pandemics-says-minister

[2] https://www.england.nhs.uk/2024/06/synnovis-cyber-attack-statement-from-nhs-england/

[3] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[4] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[5] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[6] https://www.ncsc.gov.uk/report/impact-ai-cyber-threat-now-2027

[7] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[8] https://www.gov.uk/government/collections/nis-directive-and-nis-regulations-2018

[9] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[10] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[11] https://www.england.nhs.uk/2024/06/synnovis-cyber-attack-statement-from-nhs-england/

[12] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025

[13] https://www.ncsc.gov.uk/collection/cyber-assessment-framework

[14] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI