Incident: Malware Infection on Laptops Distributed to Vulnerable Children.

Published Date: 2021-01-21

Postmortem Analysis
Timeline
1. The software failure incident of laptops infected with malware connected to Russian servers happened in December 2019 [109751].

System
1. Geo Geobooks 1E laptops [109751]

Responsible Organization
1. The laptops distributed by the government were infected with malware connected to Russian servers, causing the software failure incident [109751].

Impacted Organization
1. Schools in England [109751]
2. Department for Education (DfE) [109751]

Software Causes
1. Malware infection on laptops distributed to support vulnerable children during lockdown, connected to Russian servers [109751]

Non-software Causes
1. The delay in school leaders receiving the kit, which drew sustained criticism from school leaders [109751].
2. The possibility of corners being cut in the rush to provide laptops to children for remote learning [109751].

Impacts
1. The software failure incident led to an investigation by the government into reports that laptops distributed to support vulnerable children during lockdown were infected with malware connected to Russian servers [109751].
2. The incident caused concerns among school staff and officials, leading to efforts to establish the extent of the issue, the number of affected devices, and the source of the malware [109751].
3. The malware infection on the laptops resulted in delays in remote learning for children in England who lacked access to computers, further exacerbating the challenges faced by schools in providing the technology needed for education [109751].
4. The incident raised questions about the security measures in place for the laptops provided to schools, highlighting the importance of ensuring devices are free from vulnerabilities and viruses before distribution to pupils [109751].
5. The software failure incident prompted calls for a rapid investigation by political figures and cybersecurity experts, emphasizing the need for a thorough understanding of how the malware infiltrated the devices and the potential risks posed to users [109751].

Preventions
1. Proper vetting and screening of the laptops before distribution to ensure they are free from malware [109751].
2. Implementing robust cybersecurity measures and conducting thorough security checks on all devices provided to schools [109751].
3. Ensuring that all devices have up-to-date antivirus software installed and activated [109751].
4. Conducting regular security audits and monitoring for any suspicious activity on the devices [109751].

Fixes
1. Conduct a thorough investigation to determine the extent of the malware infection on the laptops distributed to schools [109751].
2. Implement robust cybersecurity measures to prevent future malware infections on devices provided to vulnerable children for remote learning [109751].
3. Ensure all devices are thoroughly checked for vulnerabilities and viruses before distribution to pupils to prevent similar incidents in the future [109751].
4. Enhance the procurement process for devices to include rigorous checks for malicious software before distributing them to schools and pupils [109751].

References
1. Staff at a school in Bradford who raised the alarm on an online IT forum [109751]
2. Department for Education (DfE) [109751]
3. Labour, specifically Kate Green, the shadow education secretary [109751]
4. Chris Hauk, consumer privacy champion at Pixel Privacy [109751]
5. Online post from Bradford school staff [109751]
6. Ray Walsh, an expert at ProPrivacy [109751]
7. Brian Higgins, a security specialist at Comparitech [109751]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident of laptops being infected with malware connected to Russian servers has happened within the same organization, the Department for Education (DfE). The incident involved laptops provided to support vulnerable children during lockdown. The DfE confirmed that fewer than 10 schools had reported the problem, and all known cases of malware were detected and removed when the devices were first turned on [109751].
(b) The incident of laptops being infected with malware has also raised concerns about the risk of distributing devices containing malicious software to homes and families. Security specialists emphasized the importance of being fully aware of the risks associated with devices and taking appropriate measures to ensure they are safe before distribution. This broader concern indicates that similar incidents could potentially happen at other organizations or with their products and services [109751].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident in the article can be attributed to the design phase. The laptops distributed by the government to support vulnerable children during lockdown were found to be infected with malware connected to Russian servers. This malware, identified as Gamarue.I, was detected on a small number of laptops provided to schools as part of the Get Help With Technology programme. The infected laptops were discovered to carry a self-propagating network worm that contacts Russian servers when active, indicating a design flaw in the system's security measures [109751].
(b) The software failure incident can also be linked to the operation phase. The malware was detected and removed when schools first turned on the devices, suggesting that the failure was due to the operation or misuse of the laptops. The incident highlights the importance of thorough checks for vulnerabilities and viruses before distributing devices to pupils, indicating operational challenges in ensuring the security of the laptops [109751].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident of laptops being infected with malware connected to Russian servers was reported to have originated from within the system. The malware, identified as Gamarue.I, was found on a small number of laptops provided by the Department for Education (DfE) to schools as part of the Get Help With Technology programme. The infected laptops were discovered upon unboxing and preparing them, indicating that the malware was present on the devices before distribution [109751].
(b) outside_system: The software failure incident involving the infected laptops can also be attributed to factors originating from outside the system. The malware was reported to be a self-propagating network worm that contacts Russian servers when active. This external connection to Russian servers suggests that the malware was designed to communicate with external entities, indicating an external influence on the software failure incident [109751].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in this case was due to non-human actions, specifically the laptops being infected with malware connected to Russian servers. The malware, identified as Gamarue.I, was a self-propagating network worm that contacted Russian servers when active. This incident was reported by staff at a school in Bradford who discovered the infection upon unboxing and preparing the laptops provided by the Department for Education [109751].
(b) Human actions also played a role in this software failure incident. The government's promise to supply laptops to children in England faced sustained criticism for long delays in receiving the devices. There were concerns raised about corners potentially being cut to distribute the laptops quickly, which may have led to vulnerabilities not being adequately checked before distribution to pupils. Additionally, experts emphasized the importance of being fully aware of the risks of malicious software when sourcing devices and taking appropriate measures to ensure they are safe before distribution [109751].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident in the news article was related to hardware, as the laptops distributed to support vulnerable children during lockdown were infected with malware connected to Russian servers [109751].
(b) The software failure incident was also related to software, as the malware (the Gamarue.I worm) was found on a small number of laptops provided to schools, indicating a software-related issue [109751].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident reported in Article 109751 is malicious in nature. The laptops distributed to support vulnerable children during lockdown were infected with malware connected to Russian servers. The malware was identified as a self-propagating network worm (Gamarue.I) capable of downloading files onto a PC. The incident was flagged by staff at a school in Bradford who discovered the infection upon unboxing and preparing the laptops. The malware contacting Russian servers when active indicates malicious intent behind the infection [109751].
(b) There is no information in the articles to suggest that the software failure incident was non-malicious.

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
(a) The software failure incident related to the distribution of laptops infected with malware connected to Russian servers can be attributed to poor decisions made in the process. The incident was a result of corners potentially being cut to provide laptops to children for remote learning quickly, leading to the distribution of infected devices. Chris Hauk from Pixel Privacy mentioned, "It may be a case of trying to quickly get laptops into the hands of children so that they could continue their schooling, and perhaps some corners were cut" [109751].
(b) The software failure incident can also be linked to accidental decisions or mistakes. The incident involved the distribution of laptops that were found to be infected with a self-propagating network worm, Gamarue.I. The online post from the Bradford school staff highlighted the accidental discovery of the malware on the laptops received from the Department for Education [109751].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident related to development incompetence is evident in the article, which mentions concerns about corners being cut in the rush to provide laptops to children for remote learning. Chris Hauk from Pixel Privacy commented that "It may be a case of trying to quickly get laptops into the hands of children so that they could continue their schooling, and perhaps some corners were cut" [109751].
(b) The software failure incident related to accidental factors is highlighted in the article when it mentions that the laptops distributed to support vulnerable children were infected with malware connected to Russian servers. The malware was detected and removed when the devices were turned on, indicating an accidental introduction of the malware during the distribution process [109751].

Category: Duration
Option: temporary
Rationale:
The software failure incident reported in the articles can be categorized as a temporary failure. The incident involved malware being found on a small number of laptops provided to schools, which was detected and removed when the devices were first turned on [109751]. The Department for Education confirmed that the malware was neutralized during the set-up process, indicating that the failure was temporary and did not persist after the initial detection and removal process.

Category: Behaviour
Option: crash
Rationale:
(a) crash: The software failure incident in the news article can be categorized as a crash. The laptops distributed to support vulnerable children during lockdown were infected with malware connected to Russian servers, leading to a system failure where the devices were not able to perform their intended functions [109751].
(b) omission: There is no specific mention in the news article of the software failure incident being related to omission.
(c) timing: The software failure incident is not related to timing issues where the system performed its intended functions too late or too early.
(d) value: The software failure incident is not related to the system performing its intended functions incorrectly.
(e) byzantine: The software failure incident does not exhibit characteristics of a byzantine failure where the system behaves erroneously with inconsistent responses and interactions.
(f) other: The behaviour of the software failure incident can be categorized as a crash due to the malware infection causing the laptops to fail to perform their intended functions [109751].

IoT System Layer

Layer: Perception
Option: sensor, network_communication, embedded_software
Rationale:
(a) sensor: The software failure incident reported in the article is related to malware infecting laptops distributed to support vulnerable children during lockdown. The malware, identified as Gamarue.I, is a self-propagating network worm that contacts Russian servers when active. This behaviour indicates a sensor error where the laptops' security sensors failed to detect and prevent the malware infection [109751].
(b) actuator: An actuator error is not explicitly mentioned in the article as a contributing factor to the software failure incident.
(c) processing_unit: A processing unit error is not explicitly mentioned in the article as a contributing factor to the software failure incident.
(d) network_communication: The software failure incident involves the malware contacting Russian servers, indicating a network communication error where the laptops' network communication was compromised by the malware infection [109751].
(e) embedded_software: The article mentions that the laptops provided to schools as part of the programme came with anti-virus software already installed, which neutralized the virus during setup. This suggests that the embedded software (the anti-virus software) played a role in detecting and removing the malware, indicating a potential embedded software error that allowed the malware to infect the laptops initially [109751].

Layer: Communication
Option: connectivity_level
Rationale:
The software failure incident reported in the article [109751] was related to the connectivity level of the cyber physical system. The failure was due to malware infecting laptops distributed to support vulnerable children during lockdown, which were found to be connecting to Russian servers. This indicates a failure at the network layer, as the malware was communicating with external servers over the network, potentially compromising the security and integrity of the devices and data [109751].

Layer: Application
Option: FALSE
Rationale:
The software failure incident reported in Article 109751 was related to malware infecting laptops distributed by the government to support vulnerable children during lockdown. The malware was identified as a self-propagating network worm called Gamarue.I, capable of downloading files onto a PC and contacting Russian servers when active. This incident does not appear to be related to the application layer of the cyber physical system but rather to a security breach caused by the presence of malware on the devices [109751].

Other Details

Category: Consequence
Option: delay
Rationale:
The consequence of the software failure incident reported in the articles is primarily related to delays in remote learning for children. The incident caused delays in distributing laptops to pupils for remote schooling, as school IT staff had to redouble efforts to check for vulnerabilities and viruses before distributing the devices [109751]. Additionally, the government's promise to supply 1.3 million devices to children in England faced sustained criticism due to long delays in receiving the necessary equipment [109751]. The delay in providing laptops to support remote learning for vulnerable children was a significant consequence of the software failure incident.

Category: Domain
Option: information, knowledge, government
Rationale:
(a) The failed system was intended to support the education industry, specifically the distribution of laptops to support vulnerable children during lockdown [109751].
(b) The failed system was also related to the government sector, as the laptops infected with malware were distributed by the government to schools as part of the Get Help With Technology programme [109751].

Sources
