Published Date: 2014-11-12
Postmortem Analysis | |
---|---|
Timeline | 1. Article 2429: July 2010. 2. Article 31887: November 2014. 3. Article 59943: May 2017. 4. Article 61130: June 2017. 5. Article 61132: June 2017. 6. Article 61815: June 2017. 7. Article 62248: date not specified. 8. Article 63904: May 2017. 9. Article 63969: May 2017. 10. Article 83485: June 2017. 11. Article 84780: May 2017. 12. Article 117013: date not specified. |
System | 1. Microsoft Windows [2429, 31887, 59943] 2. SCADA software by Siemens Corporation [2429] 3. Windows 2000 and Windows XP Service Pack 2 [2429] 4. Legacy systems like Windows XP [60329] 5. Windows 7 systems [63969] |
Responsible Organization | 1. The Shadow Brokers group leaked an NSA hacking tool built on a flaw in Microsoft's Windows software; the leaked tool was then used in the attack [Article 59943]. 2. The developer Intellect Service acknowledged that an upgrade to its MeDoc tax software was contaminated, which is how the attack was delivered to victims [Article 61132]. 3. Security experts also assigned responsibility to users and organizations that had not patched their systems [Article 59943]. 4. The NSA, whose EternalBlue tool was leaked and then used by foreign intelligence agencies and rogue actors [Article 84780]. |
Impacted Organization | 1. British advertising agency WPP [Article 60166] 2. Pennsylvania hospital operator Heritage Valley Health System [Article 60166] 3. US food giant Mondelez [Article 60166] 4. Netherlands-based shipping company TNT [Article 60166] 5. French construction materials company St Gobain [Article 60166] 6. Maersk [Article 61130] 7. Reckitt Benckiser [Article 61132] 8. FedEx [Article 61317] 9. Intellect Service, developer of the MeDoc tax software whose contaminated update was used to deliver the malware [Article 61130, Article 61132] 10. Merck [Article 83485] |
Software Causes | 1. A serious security flaw in Microsoft Windows that allowed attackers to remotely take over and control a computer [Article 31887]. 2. A flaw in Microsoft's Windows software that the NSA used to build a hacking tool; the tool was leaked by the Shadow Brokers group and then used in the attack [Article 59943]. 3. A contaminated upgrade to the MeDoc tax software, which delivered the malware to customers and set off the cyber-attack on global firms [Article 61130, Article 61132]. 4. Windows code loopholes exploited by the malware to spread, similar to those used by WannaCry [Article 60166]. 5. Gaps in the security of Windows XP that attackers exploited to deliver malicious software and lock users out of their computer systems [Article 64144]. |
Non-software Causes | 1. Lack of action on critical alerts and warnings from NHS Digital and the Department of Health by NHS trusts [63969] 2. Ill-preparedness and vulnerability due to outmoded software in the NHS [64144] |
Impacts | 1. Critical infrastructure, including power grids and manufacturing plants, was put at risk by a flaw in Microsoft Windows that hackers had already exploited [2429]. 2. The cyber-attack hit organizations including a Pennsylvania hospital operator, a US food giant, a Netherlands-based shipping company and a French construction materials company, delaying their operations [60166]. 3. FedEx lost revenue and incurred additional costs from decreased volumes at TNT Express and from remediating affected systems [61815]. 4. Maersk estimated damage of up to $300 million and Reckitt Benckiser expected a cost of about £110 million [61317, 62978]. 5. Mondelez reported losses exceeding $100 million after its logistics software crashed, with lost orders and network paralysis affecting several parts of the business [83485]. 6. In the NHS, thousands of appointments, including operations, were cancelled; the estimated total is about 19,000 [63969]. 7. Operations were disrupted at the shipping firm Maersk and the advertising group WPP, among others, with delays and financial impacts [61130, 61132]. 8. The malware encrypted data on thousands of computers worldwide and demanded ransom payments, causing financial losses at multiple companies [61815, 64144]. 9. The PrintNightmare incident renewed attention on routine software updates for businesses and consumers as the means of avoiding exposure to such vulnerabilities [117013]. |
Preventions | 1. Patching the exact bug in Windows computers that enabled the WannaCry ransomware to spread could have prevented the incident [63904, 63969]. 2. Acting on critical alerts from NHS Digital and warnings from the Department of Health and the Cabinet Office to patch or migrate away from vulnerable older software could have prevented the incident [63969]. 3. Updating software to ensure impacted systems are not left exposed could have prevented the incident [117013]. |
Fixes | 1. Applying security patches promptly to protect Windows systems from vulnerabilities such as PrintNightmare [117013]. 2. Responsible disclosure by intelligence services to the affected software vendor, as when the NSA informed Microsoft of the flaw before the tool built on it was leaked online [59943]. 3. Awareness campaigns alerting industry partners to install critical patches, as the Department of Homeland Security did after Microsoft's March patch release [59943]. 4. Building security improvements into complex systems to mitigate insider threats, as in the NSA's "Secure the Net" initiative [60061]. 5. Increased vigilance and robust plans to migrate away from old software, as the Department of Health and the Cabinet Office advised NHS trusts in 2014 and 2017 [63904]. 6. Interim mitigations that disable the affected function until an official fix is rolled out [117013]. |
References | 1. Internet Storm Center (ISC) [2429] 2. Sophos [2429] 3. Microsoft Corp President Brad Smith [59943] 4. Department of Homeland Security [59943] 5. Defense Department's inspector general [60061] 6. Intellect Service [61130] 7. National Cyberpolice unit [61130] 8. NHS Digital [63904, 63969] 9. Symantec's director of security response Vikram Thakur [84780] 10. Microsoft spokesperson [117013] |
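Two of the fixes listed above are things a Windows administrator can act on directly: the interim "disable the affected function until a patch lands" mitigation and verifying that known propagation paths are closed. The script below is an added example, not code from any of the cited articles, from Microsoft, or from the affected organizations. It audits the two attack surfaces this postmortem names: the SMBv1 server protocol, which is what the leaked EternalBlue tool targets (a Microsoft-documented fact, not stated in the articles summarized here), and the Print Spooler service, which is where PrintNightmare lives (Microsoft's interim guidance was to stop and disable the spooler on hosts that do not serve printers; also not stated in the articles). All cmdlets are standard Windows PowerShell on Windows 8 / Server 2012 and later; the -Remediate switch is this example's own parameter.

```powershell
# Added example: audit (and optionally close) two Windows attack surfaces
# named in this postmortem. Run in an elevated PowerShell session.
# Without -Remediate the script only reports and changes nothing.
param(
    [switch]$Remediate
)

$findings = @()

# --- SMBv1 server protocol: the transport EternalBlue exploits (Microsoft MS17-010 guidance) ---
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($null -ne $smb) {
    if ($smb.EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is ENABLED: WannaCry/NotPetya propagation path is open'
        if ($Remediate) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $findings += 'SMBv1 server protocol disabled'
        }
    } else {
        $findings += 'SMBv1 server protocol is disabled (ok)'
    }
} else {
    $findings += 'Get-SmbServerConfiguration unavailable (older OS?): check SMBv1 manually'
}

# The optional feature also ships the SMBv1 client; remove it if it is still installed.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($null -ne $feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol optional feature is installed'
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $findings += 'SMB1Protocol feature disabled (restart required)'
    }
}

# --- Print Spooler: the service PrintNightmare lives in ---
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -ne $spooler) {
    # Only hosts that actually share printers need the spooler running.
    # Disabling it on a real print server breaks printing for every client,
    # so in that case we report and leave the decision (patch first) to the operator.
    $sharedPrinters = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    if ($spooler.Status -eq 'Running') {
        if ($sharedPrinters.Count -gt 0) {
            $findings += "Spooler running and $($sharedPrinters.Count) printer(s) shared: print server, patch rather than disable"
        } else {
            $findings += 'Spooler running but no printers are shared: candidate for disabling'
            if ($Remediate) {
                Stop-Service -Name Spooler -Force
                Set-Service -Name Spooler -StartupType Disabled
                $findings += 'Spooler stopped and set to Disabled'
            }
        }
    } else {
        $findings += "Spooler not running (startup type: $($spooler.StartType))"
    }
} else {
    $findings += 'Spooler service not present on this host'
}

$findings | ForEach-Object { Write-Output $_ }
```

Without -Remediate the script is read-only, so it is safe to run across a fleet to find hosts that still expose SMBv1 or an unnecessary spooler. Both changes are stopgaps of the kind item 6 describes: the durable fix in each case is the vendor patch, which the script does not replace.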
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) one_organization: Mondelez International, maker of Oreo and Toblerone, is reported across several articles as a victim of the June 2017 Petya/NotPetya attack: the attack caused it significant financial losses [60166]; it encrypted data on the company's machines and demanded ransom for recovery [61815]; recovery took weeks and costs exceeded $100 million [83485]. (b) multiple_organization: the same attack hit companies worldwide, including the British advertising agency WPP, the US food giant Mondelez, the Netherlands-based shipping company TNT and the French construction materials company St Gobain [60166]; the shipping firm Maersk and WPP [61130]; Reckitt Benckiser, Maersk and WPP, with operational disruption and financial impact [61132]; Maersk, WPP, Saint-Gobain and Russian steel and oil firms [61317]; and TNT, whose IT restoration was still under way [62978]. Separately, the May 2017 WannaCry ransomware attack affected the NHS in the UK, causing appointment cancellations and operational disruption [63969]; the NHS was exposed because of outdated software, underlining the need to apply security patches [64144]. |
Phase (Design/Operation) | design, operation | (a) The software failure incident occurring due to the development phases: - Article 2429 reports a critical flaw in Microsoft Windows that researchers warn has already been exploited by hackers. The vulnerability affects all versions of Microsoft Windows from Windows 7 back to Windows 2000 and can affect someone who simply opens a folder containing an infected file with a .LNK extension. Microsoft has not yet developed a software fix for the weakness, leaving many environments exposed until a patch is released. - Article 31887 discusses a serious security flaw in Microsoft Windows that remained in Windows systems until the firm finally patched it. The bug, present in every version of Microsoft Windows from Windows 95 onward, allows an attacker to remotely take over and control a computer, typically using remote code execution to install malware with malicious actions like keylogging and remote access. (b) The software failure incident occurring due to the operation phases: - Article 61130 mentions a cyber-attack that hit businesses worldwide, including the shipping firm Maersk and the marketing giant WPP. The attack was spread via a malicious update to MeDoc, Ukraine's most popular accounting software, affecting various organizations. - Article 62248 discusses malware, including NotPetya, designed to spread from computer to computer on a network, potentially affecting connected devices on board ships. The article highlights incidents where ships' navigation systems were hit by malware introduced through USB sticks brought on board by crew members, leading to delays and investigations. [Cited Articles: 2429, 31887, 61130, 62248] |
Boundary (Internal/External) | within_system, outside_system | (a) within_system: the failures originated in vulnerabilities within the Microsoft Windows operating system. Article 31887 describes a flaw present in every version of Windows from Windows 95 onward that let attackers remotely take over and control a computer. The 2017 ransomware attack likewise exploited a Windows flaw, one the NSA had used to build a hacking tool that was later leaked online [Article 59943]. (b) outside_system: factors outside the affected systems also contributed. The NSA's stockpiling of software flaws, and the subsequent leak of its tools, made the global ransomware attack possible [Article 59943], and organizations that did not apply available patches left themselves exposed, which is why the articles stress basic IT practice and prompt patching [Article 63904, Article 63969]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) non-human_actions (the malware's own behaviour once released): - The global cyber attack that infected computers in at least 150 countries exploited a flaw in Microsoft's Windows software that the NSA had used to build a hacking tool, which ended up in the hands of the Shadow Brokers group [Article 59943]. - NotPetya spread by itself from computer to computer on a network, reaching Nurofen-maker Reckitt Benckiser, Oreo manufacturer Mondelez International, the shipping group Maersk and the advertising agency WPP [Article 61132]. - The attack that crippled computers in Ukraine, attributed to Russian military hackers, was delivered as a mock ransomware virus dubbed NotPetya that wiped data from banks, energy firms, senior government officials and an airport [Article 67739]. (b) human_actions: - Attackers used the Windows flaw, which IBM's cybersecurity research team discovered and described as a 'significant vulnerability', to remotely take over and control computers [Article 31887]. - Microsoft Corp President criticized the U.S. government for "stockpiling" software flaws that it then could not protect, leading to leaks of NSA and CIA hacking tools and widespread damage [Article 59943]. - NHS trusts failed to upgrade old computer systems at a local level, which let the malware spread quickly and underlines the need to apply security patches [Article 63969]. |
Dimension (Hardware/Software) | hardware, software | (a) hardware: none of the articles describes a hardware fault as the cause; hardware appears only as the physical medium through which the malware moved or as the equipment it took out of service: - On ships, malware reached navigation and other connected devices via USB sticks carried on board by crew, and ransomware shut down the switchboard of a cargo container vessel [Article 62248]. - Mondelez's recovery costs included replacing affected equipment after its logistics software crashed [Article 83485]. (b) software: - A critical flaw in Microsoft Windows, present in every version from Windows 95 onward, allowed attackers to remotely take over and control computers and install malware for keylogging and remote access [Article 31887]. - The attack that infected computers in at least 150 countries exploited a Windows flaw that the NSA had used to build a hacking tool, later leaked online [Article 59943]. - NotPetya was delivered through a contaminated upgrade to the MeDoc tax software [Article 61132]. - The NHS infection could have been prevented by basic IT practice: trusts had been warned to fix the Windows bug that the malware later used to spread [Article 63904]. - NotPetya, attributed to Russian military hackers, wiped data from Ukrainian banks, energy firms, senior government officials and an airport [Article 67739]. |
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident mentioned in the articles is malicious in nature. The incident involved the exploitation of a flaw in Microsoft's Windows software by hackers to carry out cyberattacks [2429, 31887, 59943, 61130, 61132, 62248, 67739, 83485, 84780]. (b) The incident was not non-malicious as it was a deliberate attack aimed at disrupting systems and causing harm rather than being accidental or unintentional. |
Intent (Poor/Accidental Decisions) | poor_decisions | (a) poor_decisions: the attacks themselves were deliberate (see Objective), but the victims' exposure followed from poor decisions rather than bad luck: - NHS Digital had warned trusts to patch their Windows 7 systems before the attack and they did not, which is what allowed the malware to spread [Article 63969]. - Poor planning and communication at a local level in the NHS caused confusion and an ineffective response during the attack [Article 63969]. - NotPetya spread rapidly through organizations worldwide, including Mondelez, Merck, Maersk and FedEx's European subsidiary [Article 83485]. (b) accidental_decisions: the articles do not attribute the failures to accidental or mistaken decisions; the contributing decisions concerned known risks that went unaddressed. |
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) development_incompetence: the Windows flaw that the NSA turned into a hacking tool, later leaked and used by attackers, was a defect in the operating system itself [Article 59943]; the contaminated upgrade to Intellect Service's MeDoc tax software shows that the vendor's update process could not keep a malicious update from reaching customers [Article 61132]. (b) accidental: NotPetya was initially taken for ransomware but is believed to have been designed to destroy data and to target Ukraine, so many companies hit elsewhere were infected incidentally [Article 61130]; likewise, ransomware that found its way onto a cargo container vessel and shut down its switchboard shows how infection spreads unintentionally between connected devices [Article 62248]. |
Duration | temporary | The failures were temporary. The ransomware attack disrupted companies and organizations worldwide, including Mondelez, Maersk, FedEx and TNT Express, but efforts to restore IT operations and recover the encrypted business data were under way within days and, at Mondelez, took weeks at considerable cost [60166, 61132, 61317, 61815, 62978, 83485]; the PrintNightmare exposure was similarly bounded by the release and application of patches [117013]. |
Behaviour | crash | (a) crash: The incident involving Mondelez resulted in their logistics software crashing, causing significant disruptions and financial losses [83485]. (b) omission: The WannaCry ransomware attack led to the cancellation of thousands of appointments in NHS organizations, affecting patient care and services [63969]. (c) timing: The NSA's "Secure the Net" initiative was found to have not fully met the intent of decreasing the risk of insider threats and data exfiltration, indicating a timing failure in implementing security improvements [60061]. (d) value: The flaw in Microsoft's Windows software allowed attackers to remotely take over and control computers, leading to potential malicious actions like keylogging and screen-grabbing, indicating a value failure in the system's intended functions [31887]. (e) byzantine: The malware incidents, including NotPetya, were designed to spread across networks, affecting various organizations and causing disruptions in operations, indicating a byzantine behavior with inconsistent responses and interactions [62248]. (f) other: The flaw in Microsoft Windows that allowed attackers to exploit SCADA software used in managing industrial infrastructures like power grids and manufacturing plants represents a critical security vulnerability not fitting into the defined categories [2429]. |
Layer | Option | Rationale |
---|---|---|
Perception | sensor, processing_unit, network_communication, embedded_software | (a) sensor: no article describes a sensor fault; the closest case is Heritage Valley Health System, whose computer network went down and delayed operations [Article 60166], which is a network outage rather than a sensing error. (b) actuator: no actuator-related failure is mentioned in the articles. (c) processing_unit: NotPetya, attributed by the CIA to Russian military hackers, executed on and wiped the infected hosts in Ukraine, taking the processing units of the affected systems out of service [Article 67739]. (d) network_communication: the malware propagated over networks, and in Baltimore the attack froze thousands of computers, disrupted services and shut down email [Article 84780]. (e) embedded_software: the Windows flaw put SCADA software controlling critical infrastructure such as power grids and manufacturing plants at risk [Article 2429]. |
Communication | unknown | The software failure incidents mentioned in the articles do not provide specific details about whether the failures were related to the communication layer of the cyber physical system that failed. Therefore, it is unknown whether the failures were at the link_level or connectivity_level. |
Application | TRUE | [2429, 31887, 59943, 60166, 61132, 62248, 63904, 63969, 67739, 83485, 84780, 117013] The failures were at the application layer of the affected systems. They were caused by vulnerabilities in the Microsoft Windows operating system that let attackers remotely take control of computers and install malware, and in the NotPetya case by a contaminated update to the MeDoc tax software [61132]. Unpatched software and the late application of available security updates are what let attackers exploit these flaws. |
Category | Option | Rationale |
---|---|---|
Consequence | harm, basic, property, delay, non-human, theoretical_consequence | (a) death: no article reports loss of life. (b) harm: the ransomware attack on the NHS cancelled 6,912 appointments identified by NHS England, including operations, delaying patient care [Article 63969]; no direct physical injury is reported. (c) basic: the Cadbury factory in Tasmania, Australia, had its operations disrupted, affecting food production [Article 60166]. (d) property: Mondelez took a financial hit of more than $100 million, including lost orders and equipment replacement [Article 83485]; FedEx lost revenue and incurred remediation costs from the attack on TNT Express, with no insurance cover for the impact [Article 61815]; the attacks encrypted or wiped data on thousands of computers. (e) delay: Heritage Valley Health System's operations were delayed while its network was down [Article 60166]; Maersk's subsidiary APM shut some of the port terminals it manages [Article 62248]. (f) non-human: companies including Mondelez, Maersk, WPP, Saint-Gobain, TNT and FedEx suffered operational disruption and financial loss [Article 60166, Article 61317, Article 62248, Article 61815, Article 83485]. (g) no_consequence: not applicable; consequences were observed in every incident. (h) theoretical_consequence: the PrintNightmare vulnerability was reported with the possibility, not the occurrence, of ransomware attacks or data theft [Article 117013]. (i) other: none reported. |
Domain | information, transportation, manufacturing, utilities, finance, health, other | (a) information: attackers compromised a shipping firm's computer systems to read sensitive information and manipulate emails so that payments were redirected [62248]. (b) transportation: a global shipping conglomerate was attacked, pirates sought to identify vessels carrying specific cargo for seizure and a ship moored in Asia was disrupted [62248]; Maersk and TNT were hit [61130, 62978]; the Kiev metro stopped accepting payment cards [60166]. (f) manufacturing: a Cadbury factory in Tasmania, a French construction materials company and Russian steel and oil firms suffered disruption, financial loss and delays [60166, 61317]. (g) utilities: the 2010 Windows flaw put SCADA systems running power grids at risk [2429], and NotPetya hit energy firms in Ukraine [67739]. (h) finance: banks in Ukraine had data wiped [67739] and banking operations were disrupted [61317]. (j) health: Heritage Valley Health System's operations were delayed [60166] and the NHS cancelled thousands of appointments [63969]. (m) other: the food and consumer-goods sector (Mondelez, with losses exceeding $100 million; Reckitt Benckiser), advertising (WPP), and gas stations and government agencies [61132, 61317, 83485]. |
Article ID: 2429
Article ID: 31887
Article ID: 59943
Article ID: 60061
Article ID: 60166
Article ID: 60329
Article ID: 61130
Article ID: 61132
Article ID: 61317
Article ID: 61815
Article ID: 62248
Article ID: 62978
Article ID: 63904
Article ID: 63969
Article ID: 64144
Article ID: 65148
Article ID: 67739
Article ID: 83485
Article ID: 84780
Article ID: 97422
Article ID: 117013