A new wave of cyber attacks against British companies is a “critical national security threat”, an analyst has told Sky News.
It follows the exposure of a previously unknown vulnerability in software used by hundreds of companies.
But unlike the recent attacks against M&S, Co-op and Harrods, the latest incident was not ransomware but rather remote code execution.
This is where hackers take control of devices and networks over the internet to run potentially malicious programmes or steal data and information.
Politics latest: Reform MP won’t face charges
The event – revealed by analyst Arda Buyukkaya at cybersecurity firm EclecticIQ – used a previously unknown backdoor in a piece of software called SAP Netweaver, with a patch since released.
Cody Barrow is the chief executive of EclecticIQ and previously worked at the Pentagon, the NSA and US Cyber Command.
He told Sky News: “Governments should treat this as a critical national security threat”, adding that it is the kind of scenario that keeps people like him up at night.
Mr Barrow said the exploitation of networks is “extensive and ongoing”, with more than 500 SAP customers affected and more potentially at risk. He urged users to update their software to the latest version.
Gas giant Cadent, publishers News UK, Euro Garages (EG) Group, Johnson Matthey and Ardagh Metal have been named as victims, with US and Saudi Arabian entities also targeted.
NHS England has posted a warning about the exploit on their website, although it is not clear if they are impacted.
The National Cyber Security Centre (NCSC), the UK government’s authority on cyber threats and part of GCHQ, are monitoring the situation.
An NCSC spokesperson told Sky News: “We are monitoring for UK impact following reports of a critical vulnerability affecting SAP NetWeaver being actively exploited.
“The NCSC strongly encourages organisations to follow vendor best practice to mitigate the vulnerability and potential malicious activity.
“Vulnerabilities are a common aspect of cyber security, and all organisations must consider how to most effectively manage potential security issues.”
JP Perez-Etchegoyen, the chief technical officer of Onapsis – which specialises in the cybersecurity security of SAP – told Sky News that exploits of the backdoor were first observed at the start of this year, and began to increase in March.
Last week, Cabinet minister Pat McFadden warned companies that recent cyber attacks on M&S, Co-op and Harrods should be a “wake-up call” for businesses.
A spokesperson for Cadent declined to comment on the specific attack, but the company works with the NCSC on cyber security issues.
A spokesperson for News UK declined to comment.
EG Group, Johnson Matthey and Ardagh Metal have not responded to Sky News requests for comment.
Read more from Sky News:
China attempting to spy on UK online
Warning over China-backed botnet attack
Follow our channel and never miss an update.
According to the initial summary of the exploit, analysts linked the attacks to “Chinese cyber-espionage units”.
This was based on a variety of factors, including Chinese-named files identified as part of the hack, and the way the hackers operated.
The aim of the Chinese groups is to “operate strategically to compromise critical infrastructure, exfiltrate sensitive data, and maintain persistent access across high-value networks worldwide”, said the summary.
The targets in the UK were said to include critical gas distribution networks, and water and integrated waste management utilities.
👉Listen to Politics at Sam and Anne’s on your podcast app👈
A spokesperson for SAP said: “SAP is aware of and has been addressing vulnerabilities in SAP NETWEAVER Visual Composer. SAP issued a patch on 24 April, 2025.
“A second vulnerability has also been identified and a patch was released on 13 May, 2025.
“We ask all customers using SAP NETWEAVER to install these patches to protect themselves.”
The Chinese embassy in London has been approached for comment.
