| Recurring |
one_organization, multiple_organization |
(a) The software failure incident having happened again at one_organization:
The article mentions that after the WannaCry ransomware incident, a new malware named EternalRocks emerged, utilizing exploits leaked from the NSA. EternalRocks uses exploits similar to those used by WannaCry, such as EternalBlue and DoublePulsar, and remains hidden and quiet on infected computers [59339].
(b) The software failure incident having happened again at multiple_organization:
The article discusses how the NSA's leaked hacking tools have been used in various malware incidents, including WannaCry, Adylkuzz, and now EternalRocks. These incidents have affected a wide range of organizations globally, including hospitals, schools, and offices, showcasing the widespread impact of these exploits [59339]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be attributed to the NSA's leaked hacking tools, which were originally developed and used for cyber espionage purposes. These tools, such as EternalBlue and DoublePulsar, were discovered by the Shadow Brokers group and subsequently leaked, leading to the creation of malware like WannaCry, Adylkuzz, and EternalRocks [59339].
(b) The software failure incident related to the operation phase is evident in the way EternalRocks operates once it infects a computer. Unlike WannaCry, which alerts victims of infection through ransomware, EternalRocks remains hidden and quiet on computers. It downloads Tor's private browser and communicates with hidden servers, delaying its malicious activities for 24 hours to evade detection. This stealthy operation poses challenges for security experts trying to detect and stop the malware [59339]. |
| Boundary (Internal/External) |
within_system |
(a) The software failure incident related to EternalRocks can be categorized as within_system. The malware utilizes multiple exploits leaked by the National Security Agency (NSA) and the Shadow Brokers group, such as EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch, and SMBTouch [59339]. These exploits target vulnerabilities within the Microsoft Windows Server Message Block (SMB) technology used by PCs, allowing the malware to spread rapidly within systems that have not applied the necessary security patches [59339]. The malware's stealthy behavior, delayed activation, and ability to download additional components like Tor's private browser from hidden servers all indicate that the failure originates from within the system itself. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in this case is primarily due to non-human actions, specifically the use of leaked hacking tools originally developed by the National Security Agency (NSA) and later exposed by the Shadow Brokers group. The malware, EternalRocks, utilizes seven exploits discovered by the NSA and leaked by the Shadow Brokers, such as EternalBlue and DoublePulsar, to spread and infect computers [59339].
(b) However, human actions also play a role in this software failure incident. The NSA has faced criticism for holding onto these exploits without informing the affected companies, which could have potentially prevented such widespread attacks. Additionally, the delay in communication by the malware itself, as mentioned by security experts, is a strategic move by bad actors to be more stealthy in their operations [59339]. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident related to hardware:
- The software failure incident involving EternalRocks, a new malware, is not directly attributed to hardware issues. The incident primarily revolves around the exploitation of software vulnerabilities in Microsoft Windows Server Message Block (SMB) technology [59339].
(b) The software failure incident related to software:
- The software failure incident involving EternalRocks is primarily due to contributing factors that originate in software. EternalRocks is a malware that exploits software vulnerabilities in Microsoft Windows Server Message Block (SMB) technology, specifically using leaked NSA hacking tools like EternalBlue, DoublePulsar, and others [59339]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the article is malicious in nature. The incident involves the creation and spread of malware named EternalRocks, which utilizes leaked hacking tools from the National Security Agency (NSA) to infect computers and potentially be weaponized for harmful purposes [59339]. The malware remains hidden and quiet on infected computers, downloads Tor's private browser, and communicates with hidden servers to self-replicate. It delays its malicious activities by remaining dormant for 24 hours before starting to spread and infect more computers. The malware's stealthy behavior, lack of a kill-switch, and potential for weaponization indicate a malicious intent to harm systems and potentially carry out ransomware or trojan attacks [59339]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The intent of the software failure incident was poor_decisions. The failure was due to contributing factors introduced by poor decisions made by the NSA in holding onto exploits without warning the companies involved [59339]. |
| Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident related to development incompetence is evident in the case of the EternalRocks malware. The malware utilized multiple exploits leaked by the National Security Agency (NSA) and the Shadow Brokers group, including EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch, and SMBTouch [59339]. These exploits were originally developed by the NSA for intelligence purposes but were leaked and subsequently used by malicious actors to create malware like EternalRocks. The fact that these exploits were not securely held by the NSA and were ultimately weaponized into malware highlights a failure in professional competence in handling and securing such critical tools.
(b) The software failure incident related to accidental factors is demonstrated by the unintended consequences of the NSA's leaked hacking tools. The exploits developed by the NSA were meant for intelligence gathering but were accidentally leaked by the Shadow Brokers group, leading to the creation of malware like EternalRocks [59339]. This accidental exposure of powerful hacking tools resulted in widespread cyber threats and potential harm to computer systems worldwide, showcasing the unintended negative impact of the original development and subsequent leak of these tools. |
| Duration |
temporary |
(a) The software failure incident described in the article is more likely to be temporary than permanent. The EternalRocks malware, which uses leaked NSA hacking tools, remains dormant on infected computers for 24 hours before it starts downloading and self-replicating [59339]. This temporary nature of the malware's behavior indicates that the failure is not permanent but rather triggered by specific circumstances. |
| Behaviour |
byzantine, other |
(a) crash: The software failure incident described in the article does not involve a crash where the system loses state and stops performing its intended functions. The malware, EternalRocks, remains hidden and quiet on infected computers, waiting for instructions to start downloading and self-replicating after 24 hours [59339].
(b) omission: The software failure incident does not involve omission where the system fails to perform its intended functions at an instance(s). Instead, the malware operates stealthily on infected computers without alerting the victims of infection [59339].
(c) timing: The software failure incident does not involve timing issues where the system performs its intended functions correctly but at the wrong time. EternalRocks waits for 24 hours before initiating its malicious activities, which is a deliberate delay tactic to evade detection [59339].
(d) value: The software failure incident does not involve the system performing its intended functions incorrectly. EternalRocks operates as intended by its creators, remaining hidden on infected computers and waiting for instructions to spread and replicate [59339].
(e) byzantine: The behavior of the software failure incident aligns more closely with a byzantine failure, where the system behaves erroneously with inconsistent responses and interactions. EternalRocks operates in a stealthy manner, downloads Tor's private browser, communicates with hidden servers, and can potentially be weaponized for various malicious purposes [59339].
(f) other: The software failure incident also exhibits characteristics of a sophisticated and strategic attack, where the malware creators intentionally delay the activation of the malicious activities to avoid detection and allow the worm to spread undetected for a period before becoming active [59339]. |