| Recurring |
one_organization, multiple_organization |
(a) The CCleaner malware incident recurred at Avast itself: Avast confirmed that a total of 40 computers were successfully infected with a secondary malware installation at companies such as Samsung, Sony, Asus, Intel, VMware, O2, Singtel, Gauselmann, Dyn, Chunghwa, and Fujitsu [63125].
(b) The CCleaner malware outbreak incident also affected multiple organizations. The hackers behind the attack targeted the networks of at least 18 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link, and Cisco itself. Eight of the 18 known target companies were breached by the hackers, and the total number of victim firms was likely at least in the order of hundreds [63125]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase: The incident involving the CCleaner malware outbreak was a result of hackers hijacking the software during the development phase. The hackers loaded CCleaner with a backdoor that evaded the company's security checks, leading to the distribution of a corrupted version of the software to over 700,000 computers [63125].
(b) The software failure incident related to the operation phase: The failure in the operation phase was due to the compromised CCleaner software being used as a dragnet to target specific tech firms for espionage. The hackers successfully found compromised machines within the networks of 18 tech companies and used the backdoor to infect them with another piece of malware intended for industrial espionage [63125]. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) The software failure incident related to the CCleaner malware outbreak was primarily within the system. The failure originated from within the CCleaner software itself, which was hijacked by hackers who loaded it with a backdoor that evaded the company's security checks [63125]. The compromised software was distributed by Avast, a Czech company, and ended up installed on more than 700,000 computers, leading to the infection of multiple companies' networks [63125]. The hackers behind the incident were focused on mass infections and targeted espionage, attempting to gain access to the networks of at least 18 tech firms, including well-known companies like Intel, Google, Microsoft, Samsung, and others [63125]. The incident involved the distribution of a corrupted version of a widely used security software, highlighting the vulnerability of software supply chains to internal threats.
(b) The incident also had contributing factors that originated outside the system. The hackers responsible for the CCleaner malware outbreak were identified as potentially part of a sophisticated hacking group known as Group 72, or Axiom, which was named a Chinese government operation in 2015 [63125]. This external attribution raises concerns about state-sponsored spying operations and the involvement of nation-state hackers in the software supply-chain attack. Additionally, the incident was compared to the NotPetya attack, in which hackers hijacked the update mechanism of Ukrainian accounting software to deliver destructive software, causing massive damage to companies in Ukraine and beyond [63125]. These external factors highlight the broader implications of software failures that extend beyond individual systems and organizations. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in Article 63125 was primarily due to non-human actions. The failure occurred as a result of hackers hijacking the CCleaner software and loading it with a backdoor that evaded the company's security checks. This backdoor led to the installation of a secondary malware payload on over 700,000 computers, including those of 18 tech firms, with the intention of targeted espionage and industrial espionage [63125].
(b) However, human actions also played a role in the software failure incident. The corrupted version of CCleaner was distributed by the Czech company Avast, and the hackers behind the attack were able to exploit weaknesses in the software supply chain to carry out their malicious activities. Additionally, the researchers recommended that affected individuals fully restore their machines from backups made prior to the installation of the tainted security program, highlighting the importance of human intervention in mitigating the impact of the incident [63125]. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident related to hardware: The incident involving CCleaner was not directly caused by hardware failure but rather by a sophisticated attack where hackers hijacked the software and loaded it with a backdoor that evaded the company's security checks. The compromised software was distributed by Avast, a Czech company, and ended up installed on more than 700,000 computers, leading to a secondary malware installation on 40 computers at various tech firms [63125].
(b) The software failure incident related to software: The failure in this case originated in the software itself, specifically in the compromised version of CCleaner distributed by Avast. The software was hijacked by hackers who loaded it with a backdoor, allowing them to infect hundreds of thousands of computers and target specific tech firms for espionage purposes. This incident highlights the vulnerability of software supply chains to attacks and the need for robust security measures to prevent such compromises [63125]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident related to the CCleaner malware outbreak was malicious in nature. The incident involved hackers hijacking CCleaner, a security software distributed by Avast, and loading it with a backdoor that evaded security checks. The hackers aimed not only at mass infections but also targeted espionage to gain access to the networks of at least 18 tech firms, including major companies like Intel, Google, Microsoft, Samsung, Sony, and Cisco. The hackers attempted to filter their collection of compromised machines to find computers inside these companies' networks and infect them with another piece of malware intended for industrial espionage [63125]. Cisco and security firm Kaspersky pointed out that the malware element in the tainted version of CCleaner shares some code with a sophisticated hacking group known as Group 72, which was named a Chinese government operation in 2015, suggesting potential state-sponsored involvement in the attack [63125].
(b) The software failure incident was non-malicious in the sense that the compromised software, CCleaner, was distributed by a trusted company, Avast, and users installed it unknowingly expecting it to enhance security. However, the software was silently corrupted by the hackers, leading to deep infections in IT systems of various companies. Victims installed seemingly legitimate software from a trusted source, only to find out later that it had been tampered with, causing significant damage to their systems [63125]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions |
The software failure incident involving the CCleaner malware outbreak was not due to accidental decisions but rather poor decisions. The incident was a result of hackers hijacking CCleaner and loading it with a backdoor that evaded the company's security checks, leading to mass infections and targeted espionage on at least 18 tech firms [63125]. The hackers behind the attack were focused on gaining access to valuable information from these companies, indicating a deliberate and calculated effort rather than accidental actions. |
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident related to development incompetence is evident in the CCleaner malware outbreak. The hackers behind the incident were able to hijack CCleaner, a security software distributed by Avast, and load it with a backdoor that evaded the company's security checks. This backdoor ended up installed on more than 700,000 computers, including those of major tech firms like Intel, Google, Microsoft, and others [63125].
(b) The accidental aspect of the software failure incident is seen in how victims unknowingly installed seemingly legitimate software from a trusted company, only to find out later that it had been silently corrupted, deeply infecting their IT systems. This accidental installation of corrupted software led to significant damage and raised concerns about the potential involvement of nation-state hackers in the attack [63125]. |
| Duration |
permanent |
(a) The software failure incident related to the CCleaner malware outbreak was permanent in nature. The incident involved hackers hijacking the CCleaner software and loading it with a backdoor that evaded security checks, leading to the installation of a secondary malware payload on over 700,000 computers [63125]. The incident was not a one-time event but rather a prolonged campaign where the hackers modified their targets and tactics throughout the month-long distribution of the corrupted CCleaner version. Additionally, the incident was linked to a sophisticated hacking group known as Group 72, suggesting a potentially state-sponsored spying operation that cast a wide net and targeted specific tech-industry victims [63125]. The impact of the incident was significant, with at least 18 known target companies breached by the hackers, and the total number of victim firms likely in the order of hundreds [63125]. The incident highlights the serious consequences of software supply-chain attacks and the need for comprehensive remediation measures to address the persistent threat posed by the compromised software. |
| Behaviour |
crash, omission, value, other |
(a) crash: The software failure incident in the article can be categorized as a crash because the compromised version of CCleaner led to a system losing its state and being infected with a secondary malware installation. This resulted in the system not performing its intended functions and being hijacked by hackers, leading to a significant security breach [63125].
(b) omission: The incident can also be classified as an omission failure because the compromised software failed to perform its intended functions of providing security and instead acted as a backdoor through which hackers gained unauthorized access to systems. This omission resulted in the compromise of over 700,000 computers and targeted espionage on at least 18 tech firms [63125].
(c) timing: While the incident does not directly relate to a timing failure, the compromised software did perform its intended functions but at the wrong time, allowing hackers to infiltrate systems and execute their malicious activities. The timing of the malware outbreak and the subsequent infections played a crucial role in the severity of the incident [63125].
(d) value: The software failure incident can be linked to a value failure because the compromised version of CCleaner performed its intended functions incorrectly, acting as a vehicle for hackers to gain access to networks and compromise systems. This incorrect behavior led to breaches in at least 8 of the 18 known target companies, highlighting a significant failure in the software's security mechanisms [63125].
(e) byzantine: The incident does not align directly with a byzantine failure, which involves inconsistent responses and interactions within a distributed system. However, the compromised software did exhibit erratic behavior by allowing hackers to control infected machines and potentially engage in industrial espionage, showcasing a level of unpredictability and malicious intent [63125].
(f) other: The other behavior exhibited in this software failure incident is a supply-chain attack. The compromised version of CCleaner was distributed through a trusted source, Avast, but was tampered with by hackers to infiltrate systems and carry out targeted espionage. This supply-chain attack highlights a significant vulnerability in the software supply chain, where legitimate software can be weaponized to cause widespread damage and security breaches [63125]. |