
Quantum Dawn: When Cyber Attack Wargames will teach you SAP Security

In 2012, American agencies led by SIFMA were running the first cyber-attack stress test on financial institutions on Wall Street.

One year later, it was repeated in London, with a broader approach and more detailed preparation. The stress test and its results are stunning. Everyone involved in security should look at the scenario and ask whether their organization has an answer to the question it raises:

How would we behave, and how would we address all the issues that surfaced during the organized cyber-attack?

This does not only affect Wall Street or the City of London's financial district; this scenario can hit any company in the world.

Since I recently won a prize in Germany's largest IT magazine, c't, in a storytelling contest, let's recount the tale of a cyber-attack war game in a novel way.

And since I am German (as SAP is), let's assume the story happens in SAP's homeland, Germany, where Carl B. Max, CEO of AUTOBAHN AG ("Fast is GOOD"), is still asleep in his home near his headquarters in Frankfurt am Main, Germany's financial district.


The sequence of events that led to the disappearance of the German Autobahn AG:

At 6:00 in the morning, the first posts appear on Twitter, Facebook and the German Autobahn forum "The Fast and the Faster": how bad the German Autobahn is, full of potholes, governed by too many speed limits, too many traffic jams.

At 6:30, more serious posts and accusations are added: pictures of deadly accidents caused by potholes on the fastest parts of the Autobahn. The idea of a class action lawsuit is mentioned.

At 8:00, the posts have piled up to a veritable shitstorm.

At 8:30, the Twitter and Facebook accounts maintained by the PR department of Autobahn AG have been hacked and are posting strange and bogus replies to the accusations. The impression that the accusations are being ignored and downplayed is unavoidable.

At 8:45, Carl B. Max, CEO of Autobahn AG, arrives at the office.

At 9:00, rogue high-frequency traders start an attack on the stock of AUTOBAHN AG. Within seconds they short the stock down to a level where regular trading algorithms, reacting to the high trading volume and dropping prices, suddenly release stop-loss orders. This generates an automatic trading avalanche, resulting in a landslide in the price of the AAG stock.

At 9:30, social media are full of speculation about bad financial deals threatening the future results of Autobahn AG. The PR account of the company spokesperson is hacked and false PR statements are sent to the worldwide press. Since nobody knows who was addressed and what was published, counteraction becomes difficult.

At 10:00, Carl Max calls a press conference at the headquarters in the office tower at the "Frankfurter Kreuz" near the airport. He demands current financial statements from his CFO that he can present to the press as proof that everything is fine.

In the middle of his calls, the telephone goes dead. A massive DDoS attack is run against the VoIP-based telephone center. A special VoIP virus, written for this equipment, eats its way through the Ethernet-based phone infrastructure. Only mobile calls can still be made. "Can't be reached for comment" is the phrase of the hour.


At 10:15, the SAP system crashes. A restore from backup is necessary. IT discovers that all tapes from the last 4 weeks are damaged due to an error in the backup procedure. The SAN has stopped working because of a hardware failure.

At 10:30, the CFO finds out that all numbers in the SAP Business Warehouse systems are corrupt. It is unclear whether the backup contains unmanipulated figures.

At 11:00, the rogue high-frequency trading continues in London after the London exchange opens. The price landslide goes on.

At 12:00, Carl Max can’t present any reliable numbers to the press. The attack is not mentioned.

The plea to the large stock exchanges to suspend trading of the stock is not granted, since AUTOBAHN AG can't present any figures as proof and no one can be reached to comment on the incident.

At 15:00, the NYSE on Wall Street opens. The rogue trading leads to a suspension of trading when the stock hits one cent and is rated as a penny stock.

At 17:00, when the German stock exchange in Frankfurt closes, Deutsche Autobahn AG is "pleite": bankrupt.

Do you think this is not for real?

Fiction? You wish, but it is real-life truth. Every single point of this cyber-attack has already happened. Some of them are even common threats, like manipulation of social media or high-frequency trades. Ever thought about how reliable VoIP is, or how vulnerable a Microsoft Lync Server is, especially in a corporate environment?

Some of them are recent developments, like the new "attack vector" of manipulating BI cubes with the intent of leading the hacked company to false decisions.
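A defensive counterpart to this vector, as an added example that is not part of the original post: a reconciliation check that compares the figures in the reporting layer against the totals the source system actually sent, together with a fingerprint of the extract, so that a manipulated cube or a tampered feed is flagged before anyone presents the numbers. The company codes, the totals and the fingerprint scheme are all constructed for this example; nothing here is an SAP BW feature.

```python
import hashlib
import json

# Constructed sample data (not from any real system): per company code, the
# daily revenue total the source ERP reports, and what the BW cube holds after
# the nightly load. Code "3000" is off by a factor of ten and "4000" never
# existed in the source, standing in for manipulated or injected cube data.
SOURCE_TOTALS = {"1000": 1250000.00, "2000": 830500.50, "3000": 412000.00}
CUBE_TOTALS = {"1000": 1250000.00, "2000": 830500.50, "3000": 4120000.00, "4000": 99.0}


def extract_fingerprint(totals):
    """SHA-256 over a canonical JSON form, so sender and receiver can compare
    what was sent with what was loaded (assumed scheme for this example)."""
    canonical = json.dumps(totals, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def reconcile(source, cube, tolerance=0.005):
    """Compare cube totals with source totals and return a list of findings.

    tolerance is relative (0.5 % by default) so rounding differences between
    systems are accepted while a manipulated figure is still reported."""
    findings = []
    for code in sorted(set(source) | set(cube)):
        if code not in source:
            findings.append({"code": code, "issue": "only_in_cube", "cube": cube[code]})
        elif code not in cube:
            findings.append({"code": code, "issue": "missing_in_cube", "source": source[code]})
        else:
            s, c = source[code], cube[code]
            if abs(c - s) > tolerance * max(abs(s), 1.0):
                findings.append({"code": code, "issue": "mismatch", "source": s,
                                 "cube": c, "delta": c - s})
    return findings


def check_load(source, cube, sent_fingerprint, received_fingerprint):
    """Full control: the feed must arrive unaltered AND the cube must agree with it."""
    result = {"feed_intact": sent_fingerprint == received_fingerprint,
              "findings": reconcile(source, cube)}
    result["ok"] = result["feed_intact"] and not result["findings"]
    return result


if __name__ == "__main__":
    sent = extract_fingerprint(SOURCE_TOTALS)
    # The receiver hashes what actually arrived; a tampered feed is simulated
    # here by hashing the cube's content instead of the source's.
    received = extract_fingerprint(CUBE_TOTALS)
    print(json.dumps(check_load(SOURCE_TOTALS, CUBE_TOTALS, sent, received), indent=2))
```

The fingerprint only proves that the extract was not altered between sender and receiver; the reconciliation catches changes made inside the cube after loading. Both checks are needed, because each one alone leaves a window for the other kind of manipulation.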

And the backup? Guess how often I have seen this happen in 20 years? More than you would think, and it was always an internal problem of sloppy backups, not even a hacker's attack.

In the end, Quantum Dawn recommended first and foremost to establish fast, clear and direct communication about attacks. Don't keep such an attack secret. There must be internal and external (governmental, if the attack is broad) communication channels that react within minutes. These attacks may be criminal, but given the worldwide state of politics, such an attack can even be initiated by governments as part of a global warfare.

And you need an alert IT organization that can counter this threat in unison.

Really, think of the company you are in: who would you call if you saw an attack on an SAP system? And who could respond immediately?


More Materials:

Deloitte, as audit company, was part of the cyber trial. Here are their findings

And a great video on it, also from Deloitte: Cyber Security. Evolved.

Also check my first blog in this series of security papers: THINK Security: Towards a new horizon

  • Hmmm... I don't mean to dampen the impact, but it took me a while to realize that in fact this is a simulation of what might happen. It did not actually happen, so it is fiction. There are also more than a few "black boxes" between the network perimeter, firewalls and SAP BW applications where the reporting data was magically corrupted (in the real world fresh transactional data is extracted daily from the backend systems, so hacking the BW data is a bit pointless normally), and that the backup hardware happened to have been broken is bad luck in my books. He could have taken his printout from a few days ago, or does he only work twice a year?

    In reality, in the SAP end-user world, if anyone noticed any of this sort of behaviour at all, they would call the Basis team regardless of any other procedures in place. That is why we usually have the radio on loud and drink beer at lunch time, to be able to dream up such scenarios in the afternoons while the upgrades run... 🙂

    But it should be clear that this did not actually happen and there is no verified public record of SAP systems having been part of such devastating targeted attacks. This should at least be clear for the reader.



    • Julius von dem Bussche wrote:

      But it should be clear that this did not actually happen and there is no verified public record of SAP systems having been part of such devastating targeted attacks. This should at least be clear for the reader.



      Hi Julius,

      Thanks for the reply, it is always a pleasure. But as for your last remark, I have to object:

      In the case of the BW hack, I once had a customer collecting competitive data worldwide into his BW. A competitor found out about it and was feeding the automated data collection with staged data. In attack vector terms, this was a "Counter Insurgency" attack. The way from manipulating the feed to a BW inside attack with "Counter Insurgency intentions" is very short.

      In the case of the Basis people having the radio on loud and drinking beer: a friend of mine called me recently and asked me about strange patterns in his ICM logs. I told him someone was running exploit scripts (lame ones, btw). I told him to immediately alert the Basis people. But no one showed interest. Two weeks later, they found out that some other network department was setting up internal exploit tests.

      But no one had any sense of urgency there.

      I don't know of many large customers who have a trained alert plan in this case.

      Yes, I was painting this picture with bright colours (as I mentioned, I won a prize for IT stories), but every single step is plain truth, backed up with at least one case I have witnessed myself at large SAP sites.

      And as for the "chain of command": this was the biggest finding in the SIFMA cases: you need an alert chain of command and you need to make your breaches known at least to your peers in business. There is too much money at stake for the whole economy.

      • Hi Holger,

        I have also done pen tests in which we also misused connections or vulnerabilities simply to see whether monitoring would pick it up. It is a fairly safe bet that you don't need to hotfoot it in and out of an SAP system again because the security control tower has picked up your movements. At least as long as you don't break anything. Even a few dumps won't cause much alarm normally.

        I agree that automating monitoring and alerts is the way to go, because 99 light years out of 100 absolutely nothing happens except typos when entering transaction code names or passwords. So you cannot expect a normal mortal to sit there reading the various logs of a whole suite of SAP systems all day long; they will soon start listening to music and drinking beer as well... 😛
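What "automating monitoring and alerts" can look like in practice, and what would have turned the "strange patterns in his ICM logs" anecdote above into an alert within minutes rather than weeks: the following is an added example, written for this page and neither the post author's nor the commenter's code. It runs two sliding-window rules over constructed, SAP-flavoured HTTP access log lines: a client touching many distinct URLs that answer 403/404 inside one minute (enumeration-like behaviour), and a client accumulating 401 responses (repeated failed logons). The line format, the client addresses and the Z-namespace paths are assumptions made for this example; the real ICM or security audit log has its own format, so the regex would have to be adapted, and the thresholds tuned to the site's normal noise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (NOT the real ICM log format):
# "<ISO timestamp> <client> <method> <path> <status>"
# Paths live in the customer Z-namespace, i.e. they are placeholders.
SAMPLE_LOG = """\
2013-11-04T09:00:01 10.1.1.50 GET /sap/bc/zreport01 200
2013-11-04T09:00:02 10.1.1.77 GET /sap/bc/zsvc01 401
2013-11-04T09:00:03 10.1.1.77 GET /sap/bc/zsvc02 404
2013-11-04T09:00:04 10.1.1.77 GET /sap/bc/zsvc03 404
2013-11-04T09:00:05 10.1.1.77 GET /sap/bc/zsvc04 404
2013-11-04T09:00:06 10.1.1.77 GET /sap/bc/zsvc05 403
2013-11-04T09:00:07 10.1.1.77 GET /sap/bc/zsvc06 404
2013-11-04T09:00:08 10.1.1.77 GET /sap/bc/zsvc07 404
2013-11-04T09:00:09 10.1.1.50 POST /sap/bc/zreport01 200
2013-11-04T09:00:10 10.1.1.90 POST /sap/bc/zlogin 401
2013-11-04T09:00:11 10.1.1.90 POST /sap/bc/zlogin 401
2013-11-04T09:00:12 10.1.1.90 POST /sap/bc/zlogin 401
2013-11-04T09:05:00 10.1.1.50 GET /sap/bc/zreport02 404
this line is garbage and must be skipped, not crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Return one event dict, or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "client": m["client"],
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def parse_log(text):
    events = [e for e in map(parse_line, text.splitlines()) if e is not None]
    events.sort(key=lambda e: e["ts"])  # log lines are not always in time order
    return events


def detect(events, window=timedelta(seconds=60), scan_threshold=5, auth_threshold=3):
    """Per-client sliding-window rules; each rule fires at most once per client."""
    alerts, fired = [], set()
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    for client, evs in by_client.items():
        start = 0
        for end, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:  # drop events older than the window
                start += 1
            win = evs[start:end + 1]
            missing = {x["path"] for x in win if x["status"] in (403, 404)}
            failed = sum(1 for x in win if x["status"] == 401)
            if len(missing) >= scan_threshold and (client, "path_enumeration") not in fired:
                fired.add((client, "path_enumeration"))
                alerts.append({"rule": "path_enumeration", "client": client,
                               "triggered_at": e["ts"], "distinct_paths": len(missing)})
            if failed >= auth_threshold and (client, "auth_failures") not in fired:
                fired.add((client, "auth_failures"))
                alerts.append({"rule": "auth_failures", "client": client,
                               "triggered_at": e["ts"], "failures": failed})
    return alerts


def run(text=SAMPLE_LOG):
    return detect(parse_log(text))


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['rule']:17} client={a['client']} at {a['triggered_at']:%H:%M:%S}")
```

The point of firing once per client and rule is exactly the "normal mortal" problem from the comment: an alert that repeats for every further request is noise nobody reads, while one alert per source with a timestamp is something the Basis team can act on. Whoever receives the alert is the "who would you call" question from the post, and that needs to be answered before the rule is switched on.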