Incident: Cyber-Attack Wave Hits Ukraine with Sophisticated "Wiper" Malware

Published Date: 2022-02-24

Postmortem Analysis
Timeline
1. The software failure incident, involving a "wiper" attack on Ukrainian organizations, occurred on December 28, 2021, according to the creation timestamp of the malware that was discovered [124620].
System
The software failure incident described in the article relates to cyber-attacks targeting Ukraine. The systems that failed in this incident are:
1. Websites of several Ukrainian banks and government departments
2. Computer systems infected with the "HermeticWiper" malware [124620]
Responsible Organization
1. Russia [124620]
Impacted Organization
1. Ukrainian websites, including those of banks and government departments, were impacted by the software failure incident [124620].
Software Causes
1. The failure incident was caused by a Distributed Denial of Service (DDoS) attack, which flooded websites with huge amounts of requests until they crashed [124620].
2. A sophisticated "wiper" malware named HermeticWiper was used in the attack to destroy data on infected machines [124620].
Non-software Causes
1. The cyber-attack on Ukrainian websites was part of a larger geopolitical conflict between Ukraine and Russia [124620].
2. The attack was part of Russia's hybrid warfare tactics, combining cyber-attacks with traditional military activity [124620].
Impacts
1. The websites of several Ukrainian banks and government departments became inaccessible [124620].
2. A new "wiper" attack was discovered being used against Ukrainian organizations, which destroys data on infected machines [124620].
3. Distributed denial of service (DDoS) attacks were launched, causing outages and knocking websites offline [124620].
4. Some websites were replaced with a warning to Ukrainians to "prepare for the worst" [124620].
5. The incident represents the third wave of attacks against Ukraine this year and is considered the most sophisticated to date [124620].
Preventions
1. Implementing robust cybersecurity measures such as firewalls, intrusion detection systems, and regular security audits could have helped prevent the cyber-attacks on Ukrainian websites [124620].
2. Enhancing network infrastructure to withstand Distributed Denial of Service (DDoS) attacks by investing in scalable and resilient systems could have mitigated the impact of the attacks [124620].
3. Conducting regular security training for employees to raise awareness about phishing attempts and social engineering tactics that could lead to malware infections could have reduced the likelihood of successful attacks [124620].
4. Collaborating with international cybersecurity agencies and sharing threat intelligence to stay informed about emerging threats and potential attack vectors could have provided early warnings and preventive measures against such incidents [124620].
Fixes
1. Enhancing cybersecurity measures such as implementing robust firewalls, intrusion detection systems, and security protocols to prevent future cyber-attacks [124620].
2. Regularly updating and patching software systems to address vulnerabilities that could be exploited by attackers [124620].
3. Conducting thorough security audits and assessments to identify and mitigate potential weaknesses in the system [124620].
4. Implementing incident response plans to quickly detect, contain, and recover from cyber-attacks like DDoS attacks and wiper malware [124620].
5. Collaborating with international cybersecurity experts and organizations to share threat intelligence and best practices in defending against sophisticated cyber threats [124620].
References
1. Ukraine government officials, including Ukraine's Digital Transformation Minister, Mykhailo Fedorov, who commented on the DDoS attacks on the state [124620].
2. Cyber-security experts at ESET and Symantec who discovered the new "wiper" malware used in Ukraine, named HermeticWiper [124620].
3. NetBlocks, an internet connectivity company, which tweeted about the outages and mentioned the incident being consistent with recent DDoS attacks [124620].
4. Researchers who provided insights to BBC News regarding the recovery of Ukraine's military and banking websites after the attacks [124620].

Software Taxonomy of Faults

Category Option Rationale
Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- The article reports that Ukraine has been hit by more cyber-attacks, with the latest incident being the third wave of attacks against Ukraine this year and the most sophisticated to date [124620].
- In January, the Ukrainian government accused Russia of being behind another DDoS wave and a smaller, less sophisticated wave of "wiper" attacks [124620].
(b) The software failure incident having happened again at multiple_organization:
- The article mentions that DDoS attacks have been used in various campaigns as part of Russia's "hybrid warfare" tactics, combining cyber-attacks with traditional military activity. DDoS attacks have hit Georgia, Crimea, and Ukraine in the past, with the EU, UK, and Ukraine blaming Russian government hackers for attacks on electricity substations and the NotPetya "wiper" attack that caused widespread damage globally [124620].
Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase can be seen in the discovery of a new "wiper" attack, named HermeticWiper, used against Ukrainian organizations. Cyber-security experts at ESET and Symantec recorded this sophisticated "wiper" malware, indicating a planned attack since December 2021 [124620].
(b) The software failure incident related to the operation phase is evident in the Distributed Denial of Service (DDoS) attacks that targeted Ukrainian websites, including those of banks and government departments. These attacks flooded the websites with huge amounts of requests, causing them to become inaccessible and crash [124620].
Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident reported in the articles is primarily within the system. The incident involved cyber-attacks, specifically DDoS attacks and the deployment of a sophisticated "wiper" malware named HermeticWiper, targeting Ukrainian organizations [124620]. These attacks were aimed at disrupting the functioning of Ukrainian websites, banks, and government departments by flooding them with requests until they crashed or by destroying data on infected machines. The attacks were described as the third wave of attacks against Ukraine in the year and were considered the most sophisticated to date [124620].
(b) outside_system: The articles do not provide information indicating that the software failure incident was primarily due to contributing factors originating from outside the system. The focus of the incident was on the cyber-attacks targeting Ukraine, with no official blame directed at Russia for the latest attacks [124620]. The incident was part of a series of attacks against Ukraine, with previous attacks also being attributed to Russian hackers. However, the specific details in the articles do not highlight external factors as the primary cause of the software failure incident.
Nature (Human/Non-human)
Option: non-human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions: The software failure incident in the news article was primarily attributed to a cyber-attack involving a "wiper" malware that destroys data on infected machines. This attack was described as the third wave of attacks against Ukraine and was considered the most sophisticated to date. The malware, named HermeticWiper, was discovered by cyber-security experts at ESET and Symantec, indicating that the failure was caused by non-human actions introduced by malicious software [124620].
(b) The software failure incident occurring due to human actions: While the article does not explicitly mention any software failure incident being directly caused by human actions, it does discuss the involvement of human actors in terms of cyber-attacks. The attacks on Ukrainian websites were attributed to Russian hackers, with previous attacks also being linked to Russia. However, no official blame was directed at Russia for the latest attacks mentioned in the article [124620].
Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware:
- The article mentions a new "wiper" attack, which destroys data on infected machines, being used against Ukrainian organizations [124620].
- Cyber-security experts at ESET and Symantec discovered a new data wiper malware called HermeticWiper that was installed on hundreds of machines in Ukraine [124620].
(b) The software failure incident occurring due to software:
- The incident involved DDoS attacks on Ukrainian websites, which are designed to knock a website offline by flooding it with huge amounts of requests until it crashes [124620].
- The article discusses the use of a sophisticated "wiper" malware named HermeticWiper in the attack, indicating a software-related issue [124620].
Objective (Malicious/Non-malicious)
Option: malicious, non-malicious
Rationale:
(a) The objective of the software failure incident was malicious, as the cyber-attacks on Ukrainian websites, including banks and government departments, involved the use of a "wiper" attack that destroys data on infected machines. The attack was described as being on a "completely different level" and represented the third wave of attacks against Ukraine this year, with the most sophisticated tactics to date [124620]. Additionally, the attack involved the deployment of a new data wiper malware named HermeticWiper, which was installed on hundreds of machines in Ukraine, indicating a planned and targeted malicious intent [124620].
(b) The software failure incident was non-malicious in the sense that Distributed Denial of Service (DDoS) attacks were also part of the cyber-attacks on Ukrainian websites. DDoS attacks are designed to knock a website offline by flooding it with huge amounts of requests until it crashes. While these attacks can disrupt services, they are typically not aimed at directly harming the system or destroying data, unlike the wiper attack mentioned in the incident [124620].
Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident related to poor_decisions:
- The article mentions that the cyber-attacks on Ukrainian organizations, including the use of a sophisticated "wiper" malware named HermeticWiper, were planned since at least 28 December 2021, indicating a deliberate and premeditated nature of the attacks [124620].
- The attacks are part of a series of waves of attacks against Ukraine, with the latest incident being described as the most sophisticated to date, suggesting a strategic and planned approach rather than accidental decisions [124620].
(b) The intent of the software failure incident related to accidental_decisions:
- There is no specific mention or indication in the article that the software failure incident was due to accidental decisions or unintended mistakes. The focus is more on the deliberate and sophisticated nature of the cyber-attacks against Ukrainian organizations [124620].
Capability (Incompetence/Accidental)
Option: accidental
Rationale:
(a) The software failure incident related to development incompetence is not explicitly mentioned in the provided article. Therefore, it is unknown whether the failure was due to contributing factors introduced by a lack of professional competence on the part of humans or the development organization.
(b) The software failure incident related to accidental factors is evident in the article. The article discusses a cyber-attack on Ukrainian websites, including banks and government departments, involving a new "wiper" attack that destroys data on infected machines. This incident is described as the third wave of attacks against Ukraine this year and the most sophisticated to date. The attack involved Distributed Denial of Service (DDoS) attacks, which are designed to knock a website offline by flooding it with huge amounts of requests until it crashes [124620].
Duration
Option: temporary
Rationale:
(a) The software failure incident described in the articles is temporary. The incident involved a series of cyber-attacks, including Distributed Denial of Service (DDoS) attacks and the deployment of a sophisticated "wiper" malware, targeting Ukrainian websites, banks, and government departments [124620]. The attacks caused outages and made websites inaccessible, but most of the affected websites were restored within a few hours [124620]. The incident represents the third wave of attacks against Ukraine this year and is considered the most sophisticated to date [124620]. The attacks were attributed to Russia, but no official blame was directed at Russia for the latest attacks [124620].
Behaviour
Option: crash, omission, value, byzantine, other
Rationale:
(a) crash: The incident involved Distributed Denial of Service (DDoS) attacks on Ukrainian websites, causing them to become inaccessible and potentially crash due to the overwhelming amount of requests flooding the sites [124620].
(b) omission: The DDoS attacks resulted in the omission of the intended functions of the websites, as they were unable to serve their content to users and became inaccessible [124620].
(c) timing: The DDoS attacks occurred on Wednesday afternoon, causing outages and intensifying in severity over the course of the day, indicating a timing issue where the attacks happened at a specific time [124620].
(d) value: The incident involved a sophisticated "wiper" malware named HermeticWiper, which was used to destroy data on infected machines, indicating a failure in the system performing its intended functions incorrectly by wiping data [124620].
(e) byzantine: The DDoS attacks and the use of the wiper malware by cyber attackers represent a form of byzantine behavior, where the attackers are behaving erroneously with inconsistent responses and interactions, making it challenging to defend against such attacks [124620].
(f) other: The incident also involved a combination of cyber-attacks with traditional military activity, showcasing a hybrid warfare tactic that goes beyond typical software failure behaviors [124620].

IoT System Layer

Layer Option Rationale
Perception
Option: sensor, actuator, processing_unit, network_communication, embedded_software
Rationale:
(a) sensor: The incident involved a cyber-attack on Ukrainian organizations, including banks and government departments, where a new "wiper" attack was discovered being used against them. This attack destroyed data on infected machines, indicating a failure related to the sensor layer of the cyber physical system [124620].
(b) actuator: The cyber-attack involved the use of a sophisticated "wiper" malware named HermeticWiper, which was used to attack computer systems in Ukraine. This indicates a failure related to the actuator layer of the cyber physical system [124620].
(c) processing_unit: The incident involved Distributed Denial of Service (DDoS) attacks on Ukrainian websites, which are designed to knock a website offline by flooding it with huge amounts of requests until it crashes. This indicates a failure related to the processing unit layer of the cyber physical system [124620].
(d) network_communication: The cyber-attack on Ukrainian organizations involved DDoS attacks that targeted the websites, causing outages and making them inaccessible. This indicates a failure related to the network communication layer of the cyber physical system [124620].
(e) embedded_software: The cyber-attack involved the use of a new data wiper malware named HermeticWiper, which was installed on hundreds of machines in Ukraine. This indicates a failure related to the embedded software layer of the cyber physical system [124620].
Communication
Option: connectivity_level
Rationale:
The software failure incident reported in the articles is related to the connectivity level of the cyber physical system that failed. The incident involved Distributed Denial of Service (DDoS) attacks targeting Ukrainian websites, including banks and government departments, which led to outages and inaccessibility of these online services [124620]. The DDoS attacks flooded the websites with huge amounts of requests, causing them to crash and become inaccessible, indicating a failure at the network or transport layer of the cyber physical system. Additionally, a new "wiper" malware named HermeticWiper was discovered being used in the attack, further emphasizing the software failure at the connectivity level [124620].
Application
Option: TRUE
Rationale:
The software failure incident described in the news article [124620] was related to the application layer of the cyber physical system. This is evident from the discovery of a new "wiper" attack, named HermeticWiper, which was used against Ukrainian organizations. The wiper attack is a form of malware that destroys data on infected machines, indicating a failure at the application layer due to malicious software introduced into the system [124620].

Other Details

Category Option Rationale
Consequence
Option: property, delay, non-human, theoretical_consequence, other
Rationale:
(a) death: People lost their lives due to the software failure - No information in the provided article suggests that people lost their lives due to the software failure incident. [124620]
(b) harm: People were physically harmed due to the software failure - No information in the provided article suggests that people were physically harmed due to the software failure incident. [124620]
(c) basic: People's access to food or shelter was impacted because of the software failure - No information in the provided article suggests that people's access to food or shelter was impacted due to the software failure incident. [124620]
(d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident involved a "wiper" attack that destroyed data on infected machines, impacting the data and potentially causing financial losses. [124620]
(e) delay: People had to postpone an activity due to the software failure - The incident caused the websites of several Ukrainian banks and government departments to become inaccessible, potentially leading to delays in accessing services or information. [124620]
(f) non-human: Non-human entities were impacted due to the software failure - The software failure incident impacted computer systems in Ukraine, with the discovery of a new "wiper" malware affecting hundreds of machines in the country. [124620]
(g) no_consequence: There were no real observed consequences of the software failure - The software failure incident resulted in real consequences, such as data destruction and website outages, as detailed in the article. [124620]
(h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The article mentions that the incident represents the third wave of attacks against Ukraine this year and is the most sophisticated to date, indicating potential escalating consequences. However, specific theoretical consequences are not discussed. [124620]
(i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The software failure incident could have led to potential disruptions in critical services, financial losses, and compromised data security beyond what is explicitly mentioned in the article.
Domain
Option: information, government
Rationale:
(a) The failed system was intended to support the information industry. The incident involved cyber-attacks targeting Ukrainian websites, including banks and government departments, which resulted in outages and data destruction [124620]. The attacks disrupted the production and distribution of information through online platforms and services.

Sources
