Incident: Cyber-Attack via Compromised Tax Software Affects Global Companies

Published Date: 2017-06-27

Postmortem Analysis
Timeline
1. The software failure incident happened in late June 2017 [60362, 60386, 60159, 60926, 60372, 60405, 60323, 60369, 61136, 60173, 61353, 61455].

System
1. MeDoc accounting software [60362]
2. Windows-operated machines with unpatched security [60362]

Responsible Organization
1. Hackers compromised the Ukrainian tax-filing software, MEDoc, to spread the malware, leading to the software failure incident [60362].
2. The malware attack, known as NotPetya, was engineered to cause damage to IT systems rather than extort funds, indicating deliberate malicious intent [60362].

Impacted Organization
1. Companies around the world, including banks in Ukraine, Russian oil giant Rosneft, British advertising company WPP, and US law firm DLA Piper [60159].
2. Maersk, the largest shipping container line [60926].
3. Ukrainian government ministries, Heritage Valley Health System, and other companies in Ukraine [60386].
4. Boris Clinic, Kiev's largest medical clinic [61455].
5. Ukrenergo, a state-owned energy giant in Ukraine [61455].
6. At least 2,000 individuals and organizations worldwide [60362].

Software Causes
1. The failure incident was caused by a ransomware attack that spread through a hacked Ukrainian accountancy software developer to companies in Russia, western Europe, and the US. The malware, known as NotPetya, demanded payment to restore the user's files and settings [60362].
2. The ransomware used advanced intrusion techniques to penetrate networks, including the NSA hacking tool EternalBlue to enter Windows-operated machines with unpatched security. It also stole passwords to gain administrator access over the entire network and spread itself as a forced update to all machines on the network before encrypting their hard drives [60362].
3. The ransomware was designed to spread fast and cause damage rather than to extort funds, as indicated by its rudimentary payment infrastructure and its deliberate, malicious, destructive nature [60362].
4. The malware demanded that infected users send $300 in the cryptocurrency bitcoin to a payment address hardcoded into the software. However, the email account used for payment confirmation was quickly closed by the German email provider Posteo, making decryption impossible even for victims who paid the ransom [60362].

Non-software Causes
1. The cyber-attack spread through corrupted updates to a piece of Ukrainian tax-filing software, MEDoc, which was used by 80% of Ukrainian companies for tax filing [60159].
2. The cyber-attack was initiated through a hacked Ukrainian accountancy software developer, which spread the malware to companies in Russia, western Europe, and the US [60362].
3. The malware used advanced intrusion techniques to penetrate networks, steal passwords, and gain administrator access over the entire network, causing widespread damage [60362].
4. The malware demanded a payment of $300 in bitcoin to restore user files and settings, but the payment infrastructure was rudimentary and poorly designed, leaving victims unable to decrypt their computers even if they paid [60362].
5. The malware used the NSA hacking tool EternalBlue to enter Windows-operated machines with unpatched security vulnerabilities, exploiting weaknesses in the software to spread rapidly [60362].
6. The malware did not contain code to leave a network once it had spread, so it remained within infected networks and continued encrypting hard drives [60362].
7. The attack was suspected to be deliberately engineered to cause damage rather than extort funds, with the goal of spreading fast and causing destruction under the cover of ransomware [60362].

Impacts
1. The ransomware attack caused disruption around the world, infecting companies in 64 countries, including banks in Ukraine, Russian oil giant Rosneft, British advertising company WPP, and US law firm DLA Piper [60159].
2. The attack disrupted manufacturing and ordering systems at Reckitt Benckiser, resulting in a loss of revenue and a downgrade in revenue growth estimates for the year [61136].
3. The attack paralyzed thousands of networks around the world, shutting down banks, companies, transportation, and electric utilities, and affecting businesses in Ukraine and beyond [61455].
4. The attack affected at least 2,000 individuals and organizations worldwide; the malware was engineered to damage IT systems rather than extort funds, causing significant damage and disruption [60362].
5. The attack led to delays and disruptions in various sectors, such as healthcare, finance, shipping, and energy, with some companies resorting to manual processes and facing challenges in restoring computer systems [60372].
6. The attack caused the Cadbury's chocolate factory in Hobart to stop production, affecting around 500 employees and disrupting operations when its computer systems went down [60372].
7. The attack affected the Ukrainian software firm MeDoc, compromising its network and spreading malware to companies in Russia, western Europe, and the US, leading to significant damage and disruption [61276].

Preventions
1. Implementing proper software update procedures and security measures: ensuring that software updates are thoroughly vetted, signed with cryptographic keys, and distributed securely could have prevented the malware from being introduced through compromised updates [61276, 60362].
2. Enhanced network segmentation and access control: implementing stricter network segmentation and access control measures could have limited the spread of the malware within networks, reducing the overall impact of the attack [61276].
3. Improved detection and response capabilities: having robust intrusion detection systems and response protocols in place could have helped identify and contain the malware before it caused widespread damage [60362].
4. Regular cybersecurity training and awareness: educating employees about cybersecurity best practices, such as avoiding suspicious emails and links, could have reduced the likelihood of an initial infection through phishing attempts [60362].

Fixes
1. Implementing code signing for software updates to prevent malicious code from being inserted into the updates [61276].
2. Segmenting and compartmentalizing networks, restricting the privileges of whitelisted software, and keeping backups to mitigate the impact of ransomware outbreaks [61276].
3. Strengthening cybersecurity measures, such as regularly updating software, using automatic software updates, and ensuring network security to prevent future attacks [60362].
4. Enhancing international cooperation and information sharing to track down and prevent cyber-attacks [61455].
5. Conducting thorough investigations to identify the source of the attack and taking appropriate legal action against the perpetrators [60362].
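Preventions item 1 and Fixes item 1 describe the same control from two sides: the vendor signs each update with a key that never leaves its signing host, and the client refuses to apply any update whose digest or signature does not verify under a public key pinned in the client. The Go program below is an added illustration of that gate; it is not code from the original record, from MEDoc, or from any real update system, and the manifest shape (SignedUpdate), the version string, the payloads and every function name are assumptions. It signs a constructed update with an Ed25519 vendor key, then shows that a payload swapped on the update server is rejected whether the attacker leaves the manifest alone, rewrites the digest to match, or re-signs with a key of their own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedUpdate is an assumed manifest shape (not MEDoc's real format): the
// payload travels with a SHA-256 digest and an Ed25519 signature over
// version+digest, so the signature binds both the content and its version.
type SignedUpdate struct {
	Version   string
	Payload   []byte
	Digest    [32]byte
	Signature []byte
}

var errUntrustedUpdate = errors.New("update rejected: digest or signature does not verify")

// signedMessage is what the vendor signs and the client verifies: the version
// string, a separator, then the payload digest.
func signedMessage(version string, digest [32]byte) []byte {
	return append([]byte(version+"\n"), digest[:]...)
}

// newVendorKey generates a fresh key pair. In a real deployment the private
// key lives only on the signing host and the public key is compiled into the
// client rather than downloaded alongside the update.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signUpdate is the vendor-side step run on the signing host.
func signUpdate(priv ed25519.PrivateKey, version string, payload []byte) SignedUpdate {
	digest := sha256.Sum256(payload)
	return SignedUpdate{
		Version:   version,
		Payload:   payload,
		Digest:    digest,
		Signature: ed25519.Sign(priv, signedMessage(version, digest)),
	}
}

// verifyUpdate is the client-side gate. It recomputes the digest from the
// received bytes (so a swapped payload with a stale digest fails) and then
// checks the signature under the pinned key (so a payload re-digested by
// whoever controls the update server fails too, since they lack the key).
func verifyUpdate(pub ed25519.PublicKey, u SignedUpdate) error {
	digest := sha256.Sum256(u.Payload)
	if digest != u.Digest {
		return errUntrustedUpdate
	}
	if !ed25519.Verify(pub, signedMessage(u.Version, digest), u.Signature) {
		return errUntrustedUpdate
	}
	return nil
}

// applyUpdate stands in for the install step; it runs only after verification.
func applyUpdate(pub ed25519.PublicKey, u SignedUpdate) (string, error) {
	if err := verifyUpdate(pub, u); err != nil {
		return "", err
	}
	return "applied " + u.Version + " sha256=" + hex.EncodeToString(u.Digest[:]), nil
}

// runScenarios exercises the gate against a genuine update and three ways a
// compromised update channel might present a tampered one; it reports whether
// each was accepted.
func runScenarios() map[string]bool {
	pub, priv := newVendorKey()
	genuine := signUpdate(priv, "2017.06-example", []byte("constructed benign update payload"))

	// Payload replaced on the update server, manifest left untouched.
	swapped := genuine
	swapped.Payload = []byte("constructed tampered payload")

	// Digest rewritten to match the new payload, but no vendor key to re-sign.
	redigested := swapped
	redigested.Digest = sha256.Sum256(redigested.Payload)

	// Everything re-signed with a different key; the client's pinned key differs.
	_, otherPriv := newVendorKey()
	resigned := signUpdate(otherPriv, genuine.Version, swapped.Payload)

	return map[string]bool{
		"genuine":    verifyUpdate(pub, genuine) == nil,
		"swapped":    verifyUpdate(pub, swapped) == nil,
		"redigested": verifyUpdate(pub, redigested) == nil,
		"resigned":   verifyUpdate(pub, resigned) == nil,
	}
}

func main() {
	pub, priv := newVendorKey()
	msg, err := applyUpdate(pub, signUpdate(priv, "2017.06-example", []byte("constructed benign update payload")))
	fmt.Println(msg, err)
	for name, accepted := range runScenarios() {
		fmt.Printf("%-11s accepted=%v\n", name, accepted)
	}
}
```

The point the scenarios make is that a hash alone is not enough: an attacker who can write to the update server can rewrite the digest as easily as the payload, so only a signature under a key that is not on that server closes the channel. The remaining risk, a compromised signing host, is why Fixes item 2 (segmentation, least privilege, backups) still matters even with signing in place.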
References
1. [60159, 60926, 60386] Statements from cybersecurity experts, including Marcus Hutchins, Alan Woodward, and Mikko Hypponen.
2. [60159, 60926, 60386] Information from security researchers at ESET, Cisco Talos, and Kaspersky Lab.
3. [60159, 60926, 60386] Insights from Ukrainian officials, including the Ukrainian Presidential Administration and the Ukrainian Ministry of Internal Affairs.
4. [60159, 60926, 60386] Details from affected organizations, such as Maersk, Rosneft, and the Boris Clinic in Kiev.
5. [60159, 60926, 60386] Analysis from cybersecurity experts, including Nicholas Weaver, Matthew Green, and Mark McArdle.
6. [60159, 60926, 60386] Statements from government officials, including Kremlin spokesman Dmitry Peskov.

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- The NotPetya malware attack is similar to the WannaCry ransomware attack of the previous month: both involved malware spreading rapidly and causing significant disruption to IT systems [Article 60362].
- The NotPetya malware attack was designed to cause damage to IT systems rather than extort funds, indicating deliberate and malicious intent; this contrasts with the rudimentary payment infrastructure used in the attack [Article 60362].
(b) The software failure incident having happened again at multiple_organization:
- The NotPetya malware attack affected multiple organizations worldwide, including companies in Russia, western Europe, and the US. The attack spread through a hacked Ukrainian accountancy software developer to impact various organizations [Article 60362].
- Security researchers have identified other instances where malware has been delivered via software updates to carry out sophisticated infections. These attacks have targeted financial institutions and ATM software, indicating a trend of using software updates as a means to spread malware [Article 61276].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) design: The NotPetya malware attack was deliberately engineered to damage IT systems rather than extort funds. The malware's advanced intrusion techniques were well written, using different methods to ensure maximum damage to the networks it penetrated. Its payment infrastructure was rudimentary, indicating that the attack was not designed to make money but to spread fast and cause damage under the cover of being ransomware [60362].
(b) operation: The operational factors in the NotPetya malware attack were evident in the way the malware spread through hacked Ukrainian accountancy software to companies in Russia, western Europe, and the US. The malware required infected users to send payment in bitcoin to restore their files and settings, but the email account for payment confirmation was quickly closed by the email provider, making decryption impossible even if victims paid. The malware used various infection techniques, including stealing passwords to gain administrator access over the entire network and spreading itself as a forced update to all machines on the network before encrypting their hard drives [60362].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident was caused by the deliberate engineering of the NotPetya malware to damage IT systems rather than extort funds. The malware used advanced intrusion techniques to spread through networks, encrypting hard drives and demanding a ransom for decryption. Its infection techniques were well written, using various methods to ensure maximum damage to the networks it penetrated [60362].
(b) outside_system: The NotPetya malware used the NSA hacking tool EternalBlue to enter Windows-operated machines with unpatched security, indicating a vulnerability originating from outside the system. The malware also stole passwords to gain administrator access over the entire network, suggesting an external factor contributing to the attack [60362].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The NotPetya malware attack was engineered to damage IT systems rather than extort funds, with advanced intrusion techniques causing widespread damage to networks [Article 60362].
- The malware used advanced infection techniques, such as the NSA hacking tool EternalBlue to enter Windows-operated machines with unpatched security, and spread itself as a forced update to all machines on the network [Article 60362].
- The malware did not contain code to leave a network once it had spread, unlike the WannaCry ransomware, indicating a focus on causing damage rather than financial gain [Article 60362].
(b) The software failure incident occurring due to human actions:
- The cyber-attack that affected companies worldwide may have started via corrupted updates to a piece of Ukrainian tax-filing software, MEDoc, which was used to introduce the NotPetya malware [Article 60159].
- Security researchers found evidence that the hackers compromised the MeDoc software developer's network and used it to spread the ransomware to companies in various countries [Article 61276].
- The attack was described as a deliberate, malicious, and destructive act disguised as ransomware, indicating a planned and targeted human action to cause damage [Article 61276].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident occurring due to hardware:
- The incident reported in the articles was primarily caused by a cyber-attack that targeted software systems rather than hardware components. The attack, known as NotPetya, spread through a hacked Ukrainian accountancy software developer to companies in various countries, disrupting their IT systems [Article 60362].
- The malware used in the attack exploited vulnerabilities in software systems, particularly Windows-operated machines with unpatched security, to gain access and spread through networks. It did not target hardware components directly but focused on encrypting data and disrupting software operations [Article 60362].
(b) The software failure incident occurring due to software:
- The incident reported in the articles was primarily caused by a cyber-attack that exploited software vulnerabilities. The attack involved the ransomware known as NotPetya, which targeted software systems and encrypted data on infected machines [Article 60362].
- The malware was designed to damage IT systems by spreading rapidly through networks and encrypting data. It was engineered to cause destruction rather than extort funds, indicating a deliberate attack on software systems [Article 60362].

Category: Objective (Malicious/Non-malicious)
Option: malicious, non-malicious
Rationale:
(a) malicious:
- The ransomware attack that affected at least 2,000 individuals and organizations worldwide was deliberately engineered to damage IT systems rather than extort funds, indicating a malicious intent to cause harm [60362].
- The malware, known as NotPetya, was designed to spread fast and cause damage under the cover of ransomware, according to security researchers [60362].
- The attack used advanced intrusion techniques to spread through networks and cause damage, in contrast with its rudimentary payment infrastructure, suggesting a deliberate, destructive attack [60362].
(b) non-malicious:
- The attack may have started via corrupted updates to a piece of Ukrainian tax-filing software, MEDoc, indicating a non-malicious introduction of contributing factors without intent to harm the system [60159].
- The ransomware attack was not solely focused on extorting funds but rather on spreading fast and causing damage, potentially indicating a non-malicious intent [60362].

Category: Intent (Poor/Accidental Decisions)
Option: unknown
Rationale:
(a) The intent of the software failure incident was deliberate and malicious, engineered to damage IT systems rather than extort funds. The malware, known as NotPetya, was designed to spread fast and cause damage, with a payment infrastructure that was rudimentary and not intended to make money [60362]. The attack was sophisticated in its intrusion techniques, using various methods to ensure maximum damage to the networks it penetrated [60362]. The malware required infected users to send payment in bitcoin to a hardcoded address, but the email account for confirmation was quickly closed by the email provider, making it impossible for victims to decrypt their computers even if they paid [60362].
(b) The software failure incident was not due to accidental decisions or mistakes but was a deliberate and malicious attack. The malware, NotPetya, was engineered to spread fast and cause damage, disguised as ransomware [60362]. The attack used advanced intrusion techniques and was well written, utilizing different methods to penetrate networks and encrypt hard drives [60362]. The malware did not contain code to leave a network once it had spread, indicating a deliberate intent to cause harm [60362].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident occurring due to development incompetence: From Article 60362, the NotPetya malware attack was described as being deliberately engineered to damage IT systems rather than extort funds. Security researchers noted that the malware's advanced intrusion techniques were in contrast with its rudimentary payment infrastructure, suggesting that it was not designed to make money but to spread fast and cause damage. The attack was described as a deliberate, malicious, destructive attack disguised as ransomware, indicating a lack of professional competence in the development of the malware [60362].
(b) The software failure incident occurring accidentally: From Article 61276, it was highlighted that the malware outbreak that paralyzed thousands of networks around the world was due to software updates being hijacked to deliver malware. The incident was described as a case where innocent software updates could be used to silently spread malware, indicating an accidental introduction of malware through software updates. The article emphasized that the software updates themselves were the carrier of the malware, suggesting an accidental introduction of the malicious software [61276].

Category: Duration
Option: permanent, temporary
Rationale:
(a) The software failure incident was considered permanent due to the contributing factors introduced by all circumstances. The incident caused a permanent loss of revenue for affected companies such as Reckitt Benckiser as a result of the cyber-attack [Article 61136]. Additionally, the malware attack that affected various organizations worldwide was engineered to damage IT systems rather than extort funds, indicating a deliberate and malicious attack rather than a typical ransomware incident [Article 60362].
(b) The software failure incident was also considered temporary due to contributing factors introduced by certain circumstances but not all. For example, the cyber-attack that disrupted various companies around the world, including Maersk, was a deliberate and destructive attack disguised as ransomware, indicating a temporary disruption caused by specific circumstances [Article 61276]. Additionally, the attack on the Ukrainian software firm MeDoc, which spread the malware, was the result of hackers compromising the software's update mechanism, leading to a temporary disruption of affected networks [Article 60362].

Category: Behaviour
Option: crash, omission, value, other
Rationale:
(a) crash: The software failure incident caused a crash in the affected systems, leading to disruption in various companies and organizations. For example, the Boris Clinic in Kiev experienced a system crash that shut down its computers and machines except for those powered by General Electric (Article 61455).
(b) omission: The software failure incident led to the omission of intended functions in various systems. For instance, the Boris Clinic in Kiev had to resort to paper and pen for record-keeping when its IT system went down, resulting in the loss of medical documentation for 24 hours (Article 61455).
(c) timing: The articles do not specifically mention failures related to timing.
(d) value: The software failure incident resulted in systems performing their intended functions incorrectly. For example, the malware known as NotPetya was engineered to cause damage to IT systems rather than extort funds, indicating incorrect behavior (Article 60362).
(e) byzantine: The articles do not specifically mention failures related to byzantine behavior.
(f) other: The software failure incident involved deliberate engineering to damage IT systems rather than extort funds, a behavior different from that of typical ransomware attacks (Article 60362).

IoT System Layer

Perception: Option None; Rationale None
Communication: Option None; Rationale None
Application: Option None; Rationale None

Other Details

Category: Consequence
Option: property, delay, non-human, theoretical_consequence
Rationale:
(a) death: There were no reports of people losing their lives due to the software failure incident [60362].
(b) harm: There were no reports of people being physically harmed due to the software failure incident [60362].
(c) basic: There were no reports of people's access to food or shelter being affected by the software failure incident [60362].
(d) property: The software failure incident affected companies and organisations worldwide, disrupting their IT systems and causing financial losses. For example, the Boris Clinic in Kiev suffered damage totaling $60,000 [61276].
(e) delay: The software failure incident caused delays and disruptions in various companies and organisations, such as the Boris Clinic in Kiev, where the IT system went down and services were delayed [61276].
(f) non-human: Non-human entities, such as computer systems, networks, and software, were affected by the software failure incident. For example, the malware disrupted networks, encrypted hard drives, and spread through infected machines [60362, 61276].
(g) no_consequence: Consequences of the software failure incident were observed, including disruptions in IT systems, financial losses, delays in services, and impact on non-human entities [60362, 61276].
(h) theoretical_consequence: Potential consequences were discussed, such as the malware being engineered to cause damage to IT systems rather than extort funds, and the possibility of future attacks using software updates to spread malware [60362, 61276].
(i) other: No other consequences were described in the articles.

Category: Domain
Option: information, transportation, manufacturing, utilities, finance, knowledge, health, government
Rationale:
(a) The failed system was intended to support the information industry. The attack affected companies in various sectors, including banks, energy companies, telecom operators, retailers, government agencies, and more [60926].
(b) The failed system was intended to support the transportation industry. The Danish shipping firm Maersk was affected by the attack, disrupting its operations [60362].
(c) The failed system was not directly related to the natural resources industry.
(d) The failed system was not directly related to the sales industry.
(e) The failed system was not directly related to the construction industry.
(f) The failed system was intended to support the manufacturing industry. The attack disrupted manufacturing and ordering systems at companies, affecting their operations [61136].
(g) The failed system was intended to support the utilities industry. The Ukrainian energy companies Kyivenergo and Ukrenergo were affected by the attack, disrupting their operations [60362].
(h) The failed system was intended to support the finance industry. The attack affected financial institutions, including banks, causing disruptions in their services [61276].
(i) The failed system was intended to support the knowledge industry. The attack affected educational institutions and research organizations, causing disruptions in their operations [60369].
(j) The failed system was intended to support the health industry. The Boris Clinic, a medical clinic in Kiev, experienced disruptions in its IT systems due to the attack [61455].
(k) The failed system was not directly related to the entertainment industry.
(l) The failed system was intended to support the government industry. The attack affected government agencies, disrupting their operations and services [60362].
(m) The failed system was not directly related to any other specific industry mentioned in the options.
