Incident: Supply Chain Hack via JetBrains' TeamCity Software.

Published Date: 2021-01-11

Postmortem Analysis
Timeline
1. The software failure incident involving JetBrains and the Russian hacking of federal agencies, private corporations, and United States infrastructure was reported on January 11, 2021 [Article 109953].

System
1. JetBrains' TeamCity software [109953]
2. SolarWinds network management software [109953]

Responsible Organization
1. Russian hackers [109953]
2. JetBrains (potentially breached) [109953]

Impacted Organization
1. United States federal agencies, private corporations, and infrastructure [109953]
2. JetBrains, the software company under investigation [109953]
3. SolarWinds, the company based in Austin, Texas, whose network management software was compromised [109953]
4. The Justice Department's email system [109953]
5. Microsoft, whose network was breached by the same intruders [109953]
6. CrowdStrike, a security firm that was targeted [109953]

Software Causes
1. The software cause of the failure incident was the potential compromise of JetBrains' TeamCity software, which allowed Russian hackers to plant back doors in the software of an untold number of technology companies [109953].

Non-software Causes
1. Lack of oversight in supply chain security practices [109953]
2. Potential compromise of a third-party software company (JetBrains) [109953]
3. Inadequate cybersecurity measures in place [109953]

Impacts
1. The software failure incident involving JetBrains' TeamCity potentially allowed Russian hackers to plant back doors in an untold number of JetBrains' clients, including major companies like SolarWinds, Google, Hewlett-Packard, Citibank, Siemens, and VMware [109953].
2. The incident led to the compromise of the Justice Department's email system as part of the SolarWinds hacking, affecting about 3% of the department's email accounts that use specific Microsoft software [109953].
3. The breach and compromise of software products like TeamCity and Microsoft Outlook resulted in a major security vulnerability, with the potential for thousands of back doors to be introduced into various products used by victims worldwide [109953].

Preventions
1. Ensuring robust security measures and regular security audits for software development tools like JetBrains' TeamCity to detect and patch vulnerabilities before they can be exploited by hackers [109953].
2. Implementing strict access controls and monitoring mechanisms to prevent unauthorized access to sensitive software development tools and code repositories [109953].
3. Conducting thorough vetting and due diligence on third-party software providers like JetBrains to ensure their products meet stringent security standards and do not pose a risk to the organization's cybersecurity [109953].

Fixes
1. Conduct a thorough security audit of JetBrains' TeamCity software to identify and patch any vulnerabilities that could have been exploited by hackers [109953].
2. Enhance cybersecurity measures for all software development tools and platforms used by organizations to prevent future supply chain attacks [109953].
3. Implement multi-factor authentication and regular password updates for all users of software development tools to reduce the risk of unauthorized access [109953].
4. Increase collaboration and information sharing between government agencies, security firms, and software companies to quickly identify and respond to potential security breaches [109953].

References
1. Officials and executives briefed on the inquiry [Article 109953]
2. Security experts [Article 109953]
3. JetBrains company statement by Maxim Shafirov, the company’s chief executive [Article 109953]
4. SolarWinds company statement [Article 109953]
5. Amazon internal assessment [Article 109953]
6. Microsoft announcement [Article 109953]
7. CrowdStrike, a security firm [Article 109953]
8. Justice Department spokesman Marc Raimondi [Article 109953]
9. Dmitri Alperovitch, founder of CrowdStrike [Article 109953]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to JetBrains and the potential compromise of their software, particularly TeamCity, has raised concerns about the security of their products and services. JetBrains, a widely used software company, is under investigation for potentially being breached and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies, including SolarWinds [109953].
(b) The incident involving the compromise of software, such as SolarWinds and potentially JetBrains' TeamCity, has impacted multiple organizations. SolarWinds confirmed that 18,000 customers downloaded its compromised software, and investigators believe Russia was selective in gaining access to networks, making it challenging to assess the full extent of the damage. Additionally, Microsoft announced that its network was breached by the same intruders, and CrowdStrike, a security firm, was also targeted [109953]. This indicates that the software failure incident has affected multiple organizations beyond just SolarWinds and JetBrains.

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase can be seen in the case of JetBrains' TeamCity software. The investigation is focusing on whether the software was breached and used as a pathway for hackers to insert back doors into the software of various technology companies, including JetBrains' clients. This indicates a potential failure in the design or security of the TeamCity software, allowing vulnerabilities to be exploited [109953].
(b) The software failure incident related to the operation phase is evident in the compromise of the Justice Department's email system as part of the SolarWinds hacking. The breach occurred during the operation of the compromised software, leading to the compromise of email accounts using specific Microsoft software. This highlights a failure in the operation or use of the software, allowing unauthorized access and compromise of systems [109953].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident related to the JetBrains software being potentially compromised and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies, including SolarWinds [109953]. This indicates that the failure originated from within the system itself, potentially due to vulnerabilities or gaps in the JetBrains software.
(b) outside_system: The failure incident also involved external factors, such as the Russian hackers exploiting the compromised software to infiltrate government and private systems, indicating that the failure was influenced by factors outside the system [109953].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident related to non-human actions is the potential compromise of JetBrains' TeamCity software, which could have allowed Russian hackers to plant back doors in the software of an untold number of JetBrains' clients [109953].
(b) The software failure incident related to human actions involves the possibility of attackers exploiting gaps in how customers use the TeamCity tool, potentially through stolen passwords or gaps in unpatched, outdated software [109953].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident related to hardware:
- The incident involves a potential breach through a widely used software company, JetBrains, which could have been used as a pathway for hackers to insert back doors into the software of various technology companies [109953].
- The compromised software, TeamCity by JetBrains, is used by developers to test and exchange software code before release, indicating a potential vulnerability in the software development process [109953].
(b) The software failure incident related to software:
- The incident involves the compromise of software systems, particularly the JetBrains product TeamCity, which could have allowed hackers to plant back doors in various clients' systems [109953].
- The compromised software, TeamCity, is being examined to determine if it contains vulnerabilities or if attackers exploited gaps in how customers use the tool, highlighting potential software weaknesses [109953].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident in this case is malicious. The failure was due to the deliberate actions of Russian hackers who potentially compromised JetBrains' TeamCity software to plant back doors in the software of an untold number of technology companies, including SolarWinds [109953].
(b) There is no information in the articles suggesting that the software failure incident was non-malicious.

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, unknown
Rationale:
(a) The intent of the software failure incident related to poor decisions can be inferred from the article. The incident involving the software company JetBrains and the potential breach in their TeamCity product was a result of poor decisions made by the hackers who exploited vulnerabilities in the software. The hackers potentially inserted back doors into the software of an untold number of technology companies by compromising TeamCity or exploiting gaps in how customers use the tool [109953].
(b) The intent of the software failure incident related to accidental decisions is not explicitly mentioned in the articles.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident related to development incompetence is evident in the case of the JetBrains software company being investigated for potentially being breached and used as a pathway for hackers to insert back doors into the software of various technology companies, including SolarWinds [109953].
(b) The accidental aspect of the software failure incident is highlighted by the potential compromise of the JetBrains software and the subsequent infiltration of government and private systems by Russian hackers. The accidental nature is seen in how the hackers exploited gaps in how customers use the TeamCity tool, potentially planting back doors in various clients' systems [109953].

Category: Duration
Option: permanent
Rationale:
(a) The software failure incident in the articles seems to be more of a permanent nature. The breach and compromise of the software, particularly JetBrains' TeamCity, allowed for the insertion of back doors into the software of an untold number of technology companies [109953]. This breach is described as potentially allowing for thousands of back doors in various products, indicating a significant and long-lasting impact on the affected systems [109953].

Category: Behaviour
Option: omission, value, byzantine, other
Rationale:
(a) crash: The software failure incident related to the JetBrains software involves the potential compromise of the TeamCity product, which could have allowed hackers to insert back doors into the software of an untold number of technology companies [109953].
(b) omission: The failure in this incident could be related to the software omitting to perform its intended functions correctly, as the compromised software may have failed to provide the necessary security measures to prevent unauthorized access and back-door insertion [109953].
(c) timing: The timing aspect of the failure could be seen in the delayed detection of and response to the software compromise, as it took time for the authorities to investigate and understand the extent of the breach, potentially allowing the hackers to maintain access for an extended period [109953].
(d) value: The failure could also be related to the software performing its intended functions incorrectly, as the compromised software may have allowed the insertion of back doors by hackers, leading to unauthorized access and potential data breaches [109953].
(e) byzantine: The behavior of the software failure incident could be considered byzantine due to the complex and deceptive nature of the attack, where hackers potentially exploited gaps in how customers used the TeamCity tool to inconspicuously plant back doors in various clients' systems [109953].
(f) other: The software failure incident could also be categorized as a supply chain hack, where compromising and introducing a back door into a product like TeamCity is described as "the holy grail of a supply chain hack," allowing adversaries to have thousands of back doors in various products used by victims worldwide [109953].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, delay, non-human, theoretical_consequence
Rationale:
(a) unknown
(b) unknown
(c) unknown
(d) Property: The software failure incident resulted in the compromise and potential backdooring of software used by various companies, including SolarWinds, potentially leading to unauthorized access to sensitive data and networks [109953].
(e) Delay: The software failure incident may have caused delays in various activities as companies had to investigate and address potential vulnerabilities in their systems [109953].
(f) Non-human: The software failure incident impacted software systems and networks, potentially allowing hackers to gain unauthorized access to critical infrastructure and government systems [109953].
(g) unknown
(h) Theoretical_consequence: There were discussions about the potential consequences of the software failure incident, such as the possibility of thousands of backdoors being introduced into various products worldwide, leading to significant security risks [109953].
(i) unknown

Category: Domain
Option: information, finance, government
Rationale:
(a) The failed system was intended to support the information industry, as it involved software used by developers to test and exchange software code before release, impacting a wide range of technology companies [109953].
(h) The failed system also had implications for the finance industry, as it potentially allowed hackers to infiltrate government and private systems, including financial institutions like Citibank [109953].
(l) The government sector was directly affected by the software failure incident, with the Justice Department confirming that its email system had been compromised as part of the larger hacking incident involving the software company JetBrains and SolarWinds [109953].
