Incident: Ransomware Attack on San Francisco's Public Transport System

Published Date: 2016-11-28

Postmortem Analysis
Timeline
1. The software failure incident involving the San Francisco Municipal Transportation Agency (SFMTA) happened over the weekend, specifically on a Friday, as mentioned in Article 49728.
2. Published date of Article 49728: 2016-11-28
3. Estimated timeline of the incident: November 2016

System
1. San Francisco Municipal Transportation Agency's computer systems [49568, 49782, 49728]
2. Operational and worker machines of the MTA [49568]
3. Payment services of the MTA [49568]
4. Email system of the MTA [49728]
5. Payment kiosks of the MTA [49782]

Responsible Organization
1. Hackers using a variant of the HDDCryptor malware were responsible for causing the software failure incident by infecting and taking over more than 2,000 computers used to operate San Francisco's public transport system [49568].
2. The hacker or hackers calling themselves "Andy Saolis" attempted to extort about $73,000 from the SF Municipal Transportation Agency in exchange for giving back control of its computer systems [49782].
3. The person behind the attack, identified as "Andy Saolis," claimed responsibility for the attack and demanded ransom from the SF Municipal Transportation Agency [49782].
4. The hacker, known as "Andy Saolis," gloated about compromising Muni systems and claimed to have stolen data from Muni employees, customers, and technical systems [49782].
5. The hacker, "Andy Saolis," who demanded ransom in Bitcoin and claimed responsibility for the attack, was based in Iran according to cybersecurity experts [49782].

Impacted Organization
1. San Francisco Municipal Transportation Agency (SFMTA) - The SFMTA's operational and worker machines were affected, disrupting email and payment services [49568, 49782].
2. Customers of the San Francisco public transport system - The incident led to the opening of fare gates, allowing passengers to ride for free [49568, 49728].

Software Causes
1. A ransomware attack using a variant of the HDDCryptor malware infected and encrypted data on 2,112 computers used by San Francisco's public transport system, leading to a system takeover and a demand for ransom in Bitcoin [49568].
2. The attack involved ransomware that spread through infected email attachments or downloaded files, encrypting data on storage drives and displaying a ransom note demanding payment for decryption [49568].
3. The ransomware attack disrupted email and payment services but did not affect core operations, allowing trains to continue running without payment [49568].
4. The attack did not directly impact transit services but locked out some Muni personnel from their workstation computers and left the agency without access to some systems over the weekend [49782].
5. The hacker claimed to have stolen data, including employee, customer, and technical information, and to have hacked payment kiosks, although Muni denied that customer payment systems were hacked and stated that no data was accessed from its servers [49782].
6. The ransomware attack targeted Muni's systems through malicious links in pop-up ads, with the hacker demanding 100 Bitcoin in ransom for decrypting the systems [49782].
7. Muni was able to restore its systems from backup copies of its data, indicating the importance of regular backups in mitigating the impact of ransomware attacks [49782].

Non-software Causes
1. Lack of IT security upgrades and investment in IT security by the SF Municipal Transportation Agency (MTA) [49568, 49782, 49728]
2. Aging and underfunded public transit systems in the U.S. [49728]
3. Vulnerability of public transit systems to cyberattacks due to complex and interconnected control and management systems [49728]

Impacts
1. The software failure incident led to the infection and takeover of more than 2,000 computers used to operate San Francisco's public transport system, forcing the Municipal Transportation Agency (MTA) to open the gates and allow passengers to ride for free [49568].
2. The ransomware attack disrupted the MTA's operational and worker machines, affecting email and payment services but not core operations, allowing trains to continue running without payment [49568].
3. The incident resulted in a loss of revenue for Muni, as it had to give away free rides over the weekend, but it did not pay the ransom demanded by the hackers [49782].
4. The hackers claimed to have encrypted all data on the infected computers, displaying a ransom note demanding 100 bitcoin for decryption [49568].
5. The attack did not directly affect transit service in San Francisco but locked out some Muni personnel from their workstation computers and left the agency without access to some systems over the weekend [49782].
6. The incident highlighted the vulnerability of public transportation systems to cyberattacks and the potential for more severe attacks in the future [49728].

Preventions
1. Implementing robust cybersecurity measures such as firewalls, email scanning, software updates, and network security protocols could have prevented the software failure incident [49728].
2. Keeping business-side networks separate from control networks to minimize the impact of potential cyber attacks [49728].
3. Regularly reviewing and updating procedures for handling cyber attacks, as well as training employees to recognize and respond to such incidents [49728].
4. Ensuring physical security of facilities to prevent unauthorized access to critical systems [49728].

Fixes
1. Implementing multilayered network security measures, including firewalls, email scanning, software updates, and other tools to protect against cyber attacks [49728].
2. Separating business-side networks from control networks to prevent unauthorized access to critical systems [49728].
3. Developing and regularly updating procedures for responding to cyber attacks, as well as training employees to recognize and address such incidents [49728].
4. Ensuring physical security of facilities to prevent unauthorized access to critical infrastructure [49728].

References
1. The Municipal Transportation Agency (MTA) spokesperson [49568]
2. The hackers who conducted the attack [49568, 49782]
3. Cybersecurity experts who analyzed the attack [49782]
4. Saolis, the hacker behind the attack [49782]
5. Security writers Brian Krebs and Thomas Fox-Brewster [49782]
6. American Public Transportation Association [49728]

Software Taxonomy of Faults

Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization: The San Francisco Municipal Transportation Agency (SFMTA) experienced a ransomware attack in which hackers infected its computers and demanded a ransom in exchange for decrypting the data. This incident is similar to a previous attack on the Hollywood Presbyterian Medical Centre in Los Angeles in February, which also fell victim to ransomware [49568, 49782].
(b) The software failure incident having happened again at multiple_organization: The articles mention that the SFMTA is not the first public sector institution or company to be hit by ransomware. In 2013, the Cryptolocker ransomware infected an estimated 234,000 computers, including at least 50,000 in the UK, and required a global police operation to neutralize it. This indicates that ransomware attacks have affected multiple organizations globally [49568].

Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident in the articles was primarily due to the design phase. The incident involved hackers infecting and taking over more than 2,000 computers used to operate San Francisco's public transport system by using a variant of the HDDCryptor malware to encrypt their data and hold them to ransom [49568, 49782]. The attack exploited vulnerabilities in the system design, allowing the malware to spread and encrypt data, impacting the operational and worker machines and disrupting email and payment services.
(b) The software failure incident also had elements related to the operation phase. Despite the attack disrupting email and payment services, the core operations of the Municipal Transportation Agency (MTA) were not affected, allowing trains to continue running without payment [49568]. Additionally, the agency took precautions such as opening fare gates to minimize customer impact, indicating operational responses to mitigate the effects of the attack.

Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident involving the San Francisco Municipal Transportation Agency (SFMTA) was primarily caused by factors originating from within the system. The incident was a result of hackers infecting and taking over more than 2,000 computers used by the SFMTA to operate the public transport system [49568]. The attackers used ransomware to encrypt the data on the computers, disrupting email and payment services but not core operations, allowing trains to continue running without payment [49568]. The ransomware attack directly impacted the SFMTA's operational and worker machines, leading to the display of ransom notes on the infected computers [49568]. Additionally, the incident involved the compromise of Muni's computer systems, with the hacker demanding a ransom in exchange for giving back control of the systems [49782].
(b) outside_system: The software failure incident also had contributing factors originating from outside the system. The attack on the SFMTA's computer systems was initiated by external hackers who managed to infect the computers with ransomware, encrypting the data and demanding a ransom for decryption [49568]. The hackers used a variant of the HDDCryptor malware to infect the computers, indicating an external source of the malicious software [49568]. Furthermore, the incident involved hackers attempting to extort money from the transit service, highlighting the external threat posed by cybercriminals targeting public services [49782].

Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The software failure incident in San Francisco's public transport system was caused by hackers who managed to infect and take over more than 2,000 computers using a variant of the HDDCryptor malware [49568].
- The ransomware infected the computers, encrypting their data and preventing them from operating normally, leading to a ransom demand of 100 bitcoin [49568].
- The ransomware typically spreads through infected email attachments or downloaded files, encrypting data and displaying a ransom note promising decryption in exchange for money [49568].
- The attack did not directly impact the transit service, as trains continued running without payment, but it disrupted email and payment services [49568].
- The hackers behind the attack claimed that the software worked automatically and infected 2,000 servers/PCs in the SFMTA network [49568].
(b) The software failure incident occurring due to human actions:
- The SF Municipal Transportation Agency fell victim to a hacking attack in which the hacker demanded a ransom of about $73,000 in exchange for giving back control of its computer systems [49782].
- The agency refused to pay the ransom and instead restored its systems with the help of its internal tech team [49782].
- Cybersecurity experts ended up hacking the transit hacker, accessing servers and emails used by the attacker and sharing information with reporters [49782].
- The hacker, using the pseudonym Andy Saolis, claimed to have stolen data and hacked payment kiosks, highlighting vulnerabilities in the agency's cybersecurity [49782].
- The hacker gloated about compromising Muni systems and criticized the agency for not investing in IT security and using old systems [49782].

Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware:
- The incident involved hackers infecting and taking over more than 2,000 computers used to operate San Francisco's public transport system by using a variant of the HDDCryptor malware to encrypt their data [49568].
- The attack disrupted email and payment services but did not affect core operations, allowing trains to continue running without payment [49568].
- The hacker claimed to have stolen 30 gigabytes of Muni employee, customer, and technical data, in addition to hacking payment kiosks [49782].
(b) The software failure incident occurring due to software:
- The incident involved ransomware infecting the computers and encrypting all the data on their storage drives, spreading through any vulnerable connected computers [49568].
- The ransomware attack demanded 100 bitcoin in ransom to decrypt and release the data [49568].
- The attack was a ransomware attack in which the hacker demanded a ransom in return for decrypting the agency's systems [49782].
- The attack was described as a ransomware attack that typically starts when someone opens an infected email attachment or downloaded file, spreading through computer networks [49782].
- The ransomware encrypted data on the infected computers and displayed a ransom note promising to decrypt the data in exchange for money [49782].
- The ransomware spread through links in pop-up ads [49782].
- The attack did not directly affect transit service but locked out some Muni personnel from their workstation computers and left the agency without access to some systems over the weekend [49782].
- The attack was described as a sophisticated attack impacting control systems and impeding the ability to restore them [49728].

Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident in the articles was malicious. The incident involved hackers infecting and taking over more than 2,000 computers used to operate San Francisco's public transport system using ransomware, encrypting the data and demanding a ransom in exchange for decrypting the systems [49568, 49782, 49728]. The attackers used a variant of the HDDCryptor malware to infect the computers and left ransom notes on the screens of the infected computers [49568]. The hackers demanded 100 bitcoins as ransom, equivalent to £58,514 or $73,086 [49568, 49782]. The incident disrupted the email and payment services of the Municipal Transportation Agency (MTA) but did not impact the core operations of the transit service [49568]. The hackers claimed that the SFMTA network was very open and that they infected 2,000 servers/PCs automatically without a targeted attack [49568]. The incident involved extortion and the threat of data encryption unless the ransom was paid [49568, 49782, 49728].
(b) The software failure incident was not non-malicious: it was not caused by unintentional errors or faults but rather by a deliberate attack by hackers with the intent to harm the system and extort money from the transit agency [49568, 49782, 49728]. The attack was described as a hacking attack aimed at extorting money from the transit service in exchange for giving back control of its computer systems [49782]. The incident involved a ransomware infection that encrypted the data on the systems, preventing normal operation until the ransom was paid [49568, 49782, 49728]. The attack was not accidental but a deliberate act by the hackers to disrupt the operations of the transit agency and demand payment for restoring access to the systems [49568, 49782, 49728].

Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident related to poor_decisions:
- The software failure incident involving the San Francisco Municipal Transportation Agency (SFMTA) was a result of poor decisions in terms of IT security and system maintenance. The agency was targeted by hackers who infected over 2,000 computers with ransomware, demanding a ransom of 100 bitcoin [49568, 49782].
- The hacker, known as "Andy Saolis," criticized the agency for not paying attention to IT security and using very old systems, implying negligence on the part of the SFMTA in prioritizing cybersecurity measures [49782].
- The attack highlighted the vulnerability of public transit systems to cyber threats due to inadequate investment in IT security upgrades and lack of attention to cybersecurity risks [49728].
(b) The intent of the software failure incident related to accidental_decisions:
- The software failure incident was not accidental but a deliberate attack orchestrated by hackers who infected the SFMTA's computers with ransomware, encrypting data and demanding a ransom [49568, 49782].
- The hacker behind the attack, "Andy Saolis," claimed responsibility for compromising Muni systems and demanded a ransom in exchange for decrypting the agency's systems, indicating a deliberate and malicious intent [49782].
- The attack on the SFMTA's computer systems was a targeted and intentional act by cybercriminals, rather than a result of accidental decisions or unintended consequences [49568, 49782].

Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident occurring due to development incompetence:
- The incident was caused by hackers who managed to infect and take over more than 2,000 computers used to operate San Francisco's public transport system [49568].
- The attackers used a variant of the HDDCryptor malware to infect the computers, encrypting their data and preventing them from operating normally [49568].
- The hackers demanded a ransom of 100 bitcoin (£58,514, $73,086) to release the encrypted data [49568].
- The incident disrupted email and payment services but did not affect core operations, allowing trains to continue running without payment [49568].
- The hackers claimed that the SFMTA network was very open and that 2,000 servers/PCs were infected by their software [49568].
- The incident highlighted the vulnerability of public sector institutions and companies to ransomware attacks [49568].
(b) The software failure incident occurring accidentally:
- The incident was a deliberate hacking attack by someone or some group trying to extort about $73,000 from the SF Municipal Transportation Agency [49782].
- The agency did not pay the ransom demanded by the hacker or hackers and instead restored its systems with the help of its internal tech team [49782].
- Cybersecurity experts ended up hacking the transit hacker, gaining access to the servers and emails used by the attackers [49782].
- The hacker, known as "Andy Saolis," claimed to have stolen data and hacked payment kiosks, but the agency stated that no customer data was stolen and no data was accessed from its servers [49782].
- The incident did not directly affect transit service in San Francisco but prevented some Muni personnel from accessing their workstation computers and some systems over the weekend [49782].
- The hacker gloated about compromising Muni systems and criticized the agency for not paying attention to IT security and using old systems [49782].

Duration
Option: temporary
Rationale:
(a) The software failure incident in the articles was temporary. The incident lasted for three days, starting on Friday and plaguing the agency until Sunday night. During this time, the hackers had control over Muni's computer systems and demanded a ransom of 100 bitcoins. However, Muni was able to restore its systems from backup copies of its data, indicating that the failure was temporary and the agency regained control after three days [49782].
(b) The software failure incident could have been permanent if Muni had not been able to restore its systems from backup copies of its data. The attack could have been "far worse" if Muni had not been able to recover its systems, potentially leading to a more prolonged and severe impact on the agency's operations [49782].

Behaviour
Option: crash, value, other
Rationale:
(a) crash: The software failure incident described in the articles can be categorized as a crash. The incident involved hackers infecting and taking over more than 2,000 computers used to operate San Francisco's public transport system, encrypting their data and preventing them from operating normally, which led to the Municipal Transportation Agency (MTA) opening the gates and allowing passengers to ride for free [49568].
(b) omission: The software failure incident did not involve omission, as the system was not described as omitting to perform its intended functions at any instance.
(c) timing: The software failure incident did not involve timing issues, as the system was not described as performing its intended functions too late or too early.
(d) value: The software failure incident did involve a failure related to the system performing its intended functions incorrectly. The hackers infected the computers, encrypted the data, and demanded a ransom in exchange for decrypting the data, which disrupted email and payment services but did not affect core operations like train services [49568, 49782].
(e) byzantine: The software failure incident did not involve a byzantine failure, as the system did not exhibit inconsistent responses or interactions.
(f) other: The other behavior exhibited in this software failure incident is related to a security breach and ransomware attack. The hackers took control of the computers, encrypted the data, and demanded a ransom for decryption, leading to disruptions in services and operations [49568, 49782, 49728].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Consequence
Option: property, non-human, theoretical_consequence
Rationale:
(a) death: People lost their lives due to the software failure - No information about any deaths caused by the software failure incident was mentioned in the articles [49568, 49782, 49728].
(b) harm: People were physically harmed due to the software failure - No information about physical harm to individuals due to the software failure incident was provided in the articles [49568, 49782, 49728].
(c) basic: People's access to food or shelter was impacted because of the software failure - No information about people's access to food or shelter being impacted due to the software failure incident was discussed in the articles [49568, 49782, 49728].
(d) property: People's material goods, money, or data were impacted due to the software failure - The software failure incident resulted in the encryption of data on the affected computers, disrupting email and payment services [49568, 49782, 49728].
(e) delay: People had to postpone an activity due to the software failure - The articles do not specifically mention people having to postpone activities due to the incident [49568, 49782, 49728].
(f) non-human: Non-human entities were impacted due to the software failure - The software failure incident impacted the operational and worker machines of the MTA, disrupting email and payment services [49568, 49782, 49728].
(g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had observable consequences such as the disruption of email and payment services, encryption of data, and the need to open fare gates [49568, 49782, 49728].
(h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The potential consequences discussed included the possibility of attacks on government-run infrastructure becoming more dangerous and the risks associated with cyberattacks on public transit systems [49782, 49728].
(i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - No other specific consequences of the software failure incident were mentioned in the articles [49568, 49782, 49728].

Domain
Option: information, transportation, government
Rationale:
(a) The software failure incident reported in the articles is related to the information industry, as it affected the San Francisco Municipal Transportation Agency's computer systems used for operational purposes [49568, 49782, 49728].
(l) The failed system was intended to support the government industry, as it impacted the San Francisco Municipal Transportation Agency, a public sector institution responsible for operating the city's public transport system [49568, 49782, 49728].

Sources
