| Recurring |
multiple_organization |
(a) The article does not specifically mention the software failure incident involving the Tyupkin malware affecting ATMs happening again at the same organization or with its products and services.
(b) The article mentions a similar malware incident known as Ploutus that was seen spreading in South America earlier in the year. In that incident, criminals were able to withdraw funds by simply texting the machine after installing a mobile phone inside the ATM. This could be considered a similar incident happening at other organizations or with their products and services [31153]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be seen in the article where criminals physically installed malware on cash machines by inserting a bootable CD with their malicious kit, which allowed them to withdraw funds by entering codes into the compromised ATMs [31153].
(b) The software failure incident related to the operation phase is evident in the article where criminals were able to withdraw funds from the infected ATMs by being physically present at specified times on Sunday or Monday nights to enter codes into the machines. This operation aspect of the criminal activity led to the successful withdrawal of cash [31153]. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident described in the article is primarily within the system. The criminals physically installed malware on cash machines, such as the Tyupkin malware, which allowed them to manipulate the ATMs to withdraw funds illegally. The malware was inserted via a bootable CD, and the key required to access the malware was randomly created and only usable once, making it difficult for outsiders to use it. Additionally, the gang continued to improve the malware to avoid detection, showing a continuous effort to exploit weaknesses within the ATM systems [31153].
(b) outside_system: The software failure incident also involves factors originating from outside the system. The criminals behind the malware attacks had to physically access the ATMs to install the malicious software. They also had to plan specific times for the money mules to withdraw funds, indicating external coordination and organization. Furthermore, the gang's operations extended to different countries, affecting nations on other continents like the US and India, showing how external factors played a role in the widespread impact of the software failure incident [31153]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in this case was primarily due to non-human actions. Criminals physically installed malware on cash machines across the world, infecting more than 50 Windows-based ATMs with the Tyupkin malware. The malware allowed the gang's money mules to enter codes into the compromised ATMs to withdraw funds. The criminals inserted a bootable CD to upload their malicious kit, and the key required to access the malware was randomly created and only usable once, making it difficult for outsiders to use it [31153].
(b) However, human actions were also involved in this software failure incident. The criminals, through their organized operation, planned and executed the physical installation of the malware on the ATMs. They had to be present at the infected cash machines at specified times to carry out the withdrawals. Additionally, the gang continued to improve the Tyupkin malware over time, adding capabilities to disable security software like McAfee Solidcore to avoid detection [31153]. |
| Dimension (Hardware/Software) |
hardware, software |
(a) The software failure incident related to hardware:
- The article mentions that criminals physically installed malware on cash machines by inserting a bootable CD before uploading their malicious kit, indicating a hardware-related aspect of the attack [31153].
(b) The software failure incident related to software:
- The article highlights the use of malware such as Tyupkin and Ploutus to compromise ATMs, indicating a software-related failure due to the malicious software injected into the machines [31153]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the article is malicious in nature. Criminals physically installed malware on cash machines across the world, allowing them to withdraw funds by entering codes into the compromised ATMs. The malware, known as Tyupkin, was specifically designed to enable the gang's money mules to access the cash machines and withdraw cash. Additionally, the gang continuously improved the malware to avoid detection, showing a deliberate intent to harm the system and profit from their illicit activities [31153].
(b) There is no information in the articles to suggest that the software failure incident was non-malicious. |
| Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The intent of the software failure incident related to poor decisions can be seen in the article. Criminals physically installed malware on cash machines across the world, infecting more than 50 Windows-based ATMs in Eastern Europe with the Tyupkin malware. The gang behind the operation had to plan and execute the scheme by physically inserting a bootable CD into the machines to upload their malicious kit. They also created a key that was randomly generated and only used once, making it difficult for outsiders to access the malware. Additionally, the gang continuously improved the malware to evade detection, including disabling security software like McAfee Solidcore. This organized and strategic approach by the criminals highlights poor decisions made to exploit security weaknesses in ATMs [31153].
(b) The software failure incident can also be attributed to accidental decisions or unintended consequences. Despite the physical nature of the illicit operations, criminals were able to withdraw millions of dollars from compromised ATMs. The article emphasizes that many ATMs run on operating systems with known security weaknesses and lack security solutions, indicating an unintended consequence of the lack of proper security measures in place. The criminals were able to exploit these vulnerabilities and make significant profits, prompting calls for banks to urgently address the security issues and invest in quality security solutions to prevent such incidents in the future [31153]. |
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident related to development incompetence is evident in the article as criminals were able to physically install malware on cash machines across the world, allowing them to withdraw funds from infected ATMs. The malware, known as Tyupkin, required significant planning and expertise to infect the machines. The gang behind the operation continuously improved the malware to avoid detection, even disabling security software like McAfee Solidcore. This level of sophistication and organization in the attack indicates a high level of professional competence by the criminals involved [31153].
(b) The accidental aspect of the software failure incident is not explicitly mentioned in the article. |
| Duration |
temporary |
The software failure incident described in the article is more aligned with a temporary failure than a permanent one. This is evident from the fact that the criminals physically installed malware on ATMs, allowing them to withdraw funds by entering codes into the compromised machines. The malware was specifically designed to be activated by inserting a bootable CD and entering a randomly created key, making it difficult for outsiders to access. Additionally, the gang continued to improve the malware over time, indicating that the failure was not permanent but rather a result of specific circumstances introduced by the criminals [31153]. |
| Behaviour |
omission, other |
(a) crash: The software failure incident described in the article does not involve a crash where the system loses state and does not perform any of its intended functions [31153].
(b) omission: The incident involves a form of omission where the system omits to perform its intended functions at specific instances. Criminals physically installed malware on ATMs, allowing them to enter codes to withdraw funds at specified times on Sunday or Monday nights [31153].
(c) timing: The failure is related to timing as the criminals had to be at the infected cash machines at specified times on either Sunday or Monday nights to carry out the fraudulent activities [31153].
(d) value: The incident does not involve a failure due to the system performing its intended functions incorrectly [31153].
(e) byzantine: The software failure incident does not exhibit byzantine behavior, where the system behaves erroneously with inconsistent responses and interactions [31153].
(f) other: The other behavior observed in this incident is the deliberate and organized nature of the attack, where criminals undertook significant planning to physically install malware on ATMs, create a bootable CD, and use a randomly generated key to access the malware, making it almost impossible for outsiders to use it [31153]. |