Incident: Cyber Attack on Deutsche Telekom Routers Causing Internet Outages

Published Date: 2016-11-28

Postmortem Analysis
Timeline 1. The software failure incident happened in November 2016. [50191, 49645, 49681]
System 1. Routers used to access Deutsche Telekom internet service [50191, 49645, 49681] 2. Arcadyan routers [50191, 49681]
Responsible Organization 1. Hackers using the Mirai botnet software were responsible for causing the software failure incident that infected nearly 1 million routers used to access Deutsche Telekom internet service [50191]. 2. The attack was designed to infect routers with malware but failed, causing crashes or restrictions for 4-5% of all routers, leading to the network outages [49645]. 3. Deutsche Telekom's head of IT Security mentioned that the disruptions were due to a failed hacking attempt to hijack consumer router devices for a wider internet attack, specifically trying to turn routers into a part of the Mirai botnet [49681].
Impacted Organization 1. Deutsche Telekom customers in Germany [50191, 49645, 49681] 2. German government networks [50191]
Software Causes 1. The Mirai botnet malware, which attackers aimed at the routers used by Deutsche Telekom customers as part of a global campaign against web-connected devices [50191, 49645, 49681]. 2. The malware's purpose was to infect routers and turn them into remotely controlled "bots" for mounting large-scale attacks; the infection attempt failed and crashed or restricted the devices instead, which is what cut customers off [49645, 49681]. 3. The campaign exploited common vulnerabilities in widely used routers, webcams, digital video recorders and other web-connected devices [50191]. 4. Mirai seeks out vulnerable connected devices wherever they are reachable; infection attempts were observed in Brazil, Britain and Ireland as well as Germany [50191]. 5. A vulnerability in the firmware of the affected Arcadyan router models, which Deutsche Telekom later closed with firmware updates, is what allowed the attackers to attempt the hijack in the first place [49681].
Non-software Causes 1. A deliberate, human-directed cyber attack: the attackers chose to point a global campaign against web-connected devices at the routers used to access Deutsche Telekom internet service, reaching nearly 1 million of them [50191]. 2. The attackers' objective of hijacking consumer routers for a wider internet attack, specifically to make them part of the Mirai botnet [49681]. 3. A large installed base of a single vulnerable router family from one manufacturer, Arcadyan Technology, so that the failed infection crashed or restricted 4% to 5% of all routers at once; Deutsche Telekom said it would review its cooperation with the manufacturer [49645, 49681].
Impacts 1. The attack reached nearly 1 million routers used to access Deutsche Telekom internet service; its infection attempts largely failed, but the resulting crashes caused internet outages for as many as 900,000 users, about 4.5% of the company's fixed-line customers [50191, 49645, 49681]. 2. The failed infection crashed or restricted 4% to 5% of all routers [49645]. 3. Hundreds of thousands of Deutsche Telekom customers in Germany lost internet service [49681]. 4. The attack was part of a global campaign against web-connected devices, with infection attempts also seen in Brazil, Britain and Ireland [50191]. 5. Deutsche Telekom attributed the outage to a failed hacking attempt to hijack consumer routers for a wider internet attack, which would have made them part of the Mirai botnet [49681]. 6. Affected customers had to power-cycle their routers and receive a software update before service was restored [49645]. 7. German Chancellor Angela Merkel warned that such attacks are becoming more common and that similar disruptions should be expected in the future [49645].
Preventions 1. Implementing timely software patches and updates to address vulnerabilities in routers and other web-connected devices could have prevented the software failure incident [50191, 49681]. 2. Enhancing network security measures and monitoring to detect and prevent cyber attacks targeting routers and other devices could have mitigated the impact of the incident [50191, 49681]. 3. Conducting regular security audits and assessments to identify and address potential weaknesses in the network infrastructure could have helped prevent the attack on Deutsche Telekom's routers [49681].
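One way to implement the monitoring that prevention item 2 calls for, shown as an added example that is not part of the cited articles or of Deutsche Telekom's own tooling: a small Python analyser that reads iptables-style firewall log lines from a router's WAN interface and raises two alerts, (1) a Mirai-style scanning burst, meaning many distinct internet sources hitting the remote-management port within a short window, and (2) an exposed management port, meaning any accepted WAN connection to that port from an address other than the ISP's auto-configuration server (ACS). The log line format, the management port 7547, the WAN interface name wan0 and the allowed ACS address 198.51.100.10 are assumptions made for the example; the sample log lines are constructed, not taken from the incident.

```python
"""Detect Mirai-style scanning of a router's remote-management port.

Added example, not code from the cited articles or from Deutsche Telekom.
Assumptions (constructed for the example): the router writes iptables-style
log lines, its WAN interface is wan0, remote management listens on TCP 7547,
and only the ISP's auto-configuration server (ACS) at 198.51.100.10 may
reach that port from the internet.
"""
import re
from datetime import datetime, timedelta

MGMT_PORT = 7547                      # assumed remote-management port
WAN_IFACE = "wan0"                    # assumed WAN interface name
ALLOWED_ACS = {"198.51.100.10"}       # assumed ISP ACS address(es)
WINDOW = timedelta(minutes=5)         # sliding window for burst detection
BURST_THRESHOLD = 3                   # distinct non-ACS sources in WINDOW

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>ACCEPT|DROP) IN=(?P<iface>\S+) "
    r"SRC=(?P<src>\S+) DST=\S+ PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)$"
)

# Constructed sample log: one legitimate ACS session, three internet hosts
# probing the management port (one of them accepted), one LAN-side
# connection, one probe of a different port, and one unparseable line.
SAMPLE_LOG = [
    "2016-11-27T16:00:01 ACCEPT IN=wan0 SRC=198.51.100.10 DST=203.0.113.7 PROTO=TCP SPT=40001 DPT=7547",
    "2016-11-27T16:00:05 DROP IN=wan0 SRC=192.0.2.11 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=7547",
    "2016-11-27T16:00:09 DROP IN=wan0 SRC=192.0.2.12 DST=203.0.113.7 PROTO=TCP SPT=51235 DPT=7547",
    "2016-11-27T16:00:10 ACCEPT IN=lan0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=51000 DPT=7547",
    "2016-11-27T16:00:12 ACCEPT IN=wan0 SRC=192.0.2.13 DST=203.0.113.7 PROTO=TCP SPT=51236 DPT=7547",
    "2016-11-27T16:01:00 DROP IN=wan0 SRC=192.0.2.14 DST=203.0.113.7 PROTO=TCP SPT=2222 DPT=22",
    "Nov 27 16:01:05 router kernel: link up",
]


def parse(line):
    """Parse one log line into a dict, or return None if it is not a firewall line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "verdict": m["verdict"],
        "iface": m["iface"],
        "src": m["src"],
        "dpt": int(m["dpt"]),
    }


def analyse(lines):
    """Return {'exposed_sources': [...], 'scan_burst': {...} or None}."""
    events = [
        e for e in map(parse, lines)
        if e and e["iface"] == WAN_IFACE and e["dpt"] == MGMT_PORT
    ]
    events.sort(key=lambda e: e["ts"])

    # Check 1: the management port must not be reachable from arbitrary
    # internet hosts. Any ACCEPT from a non-ACS source is a policy violation.
    exposed = sorted({
        e["src"] for e in events
        if e["verdict"] == "ACCEPT" and e["src"] not in ALLOWED_ACS
    })

    # Check 2: a burst of distinct non-ACS sources probing the port within
    # WINDOW is the signature of a worm scanning for devices to recruit.
    # A sliding window over time-ordered events keeps this linear in the
    # number of lines.
    burst = None
    window = []
    for e in events:
        if e["src"] in ALLOWED_ACS:
            continue
        window.append(e)
        while e["ts"] - window[0]["ts"] > WINDOW:
            window.pop(0)
        distinct = {w["src"] for w in window}
        if len(distinct) >= BURST_THRESHOLD:
            burst = {"at": e["ts"].isoformat(), "distinct_sources": len(distinct)}
            break  # the first burst is enough to raise the alert
    return {"exposed_sources": exposed, "scan_burst": burst}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src in report["exposed_sources"]:
        print(f"ALERT exposed management port: accepted WAN connection from {src}")
    if report["scan_burst"]:
        print(f"ALERT scan burst: {report['scan_burst']}")
```

The two checks are deliberately independent: the burst check tells an operator that a worm is sweeping its address space even when every probe is dropped, while the exposure check catches the configuration error that would let a probe succeed. On a carrier scale the same logic would run over aggregated flow records rather than per-router logs, with the threshold tuned to the normal rate of ACS traffic.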
Fixes 1. Rolling out a software update to fix the issue and recommending that customers temporarily disconnect their routers from the power source so that a reboot would clear the malware [49645]. 2. Providing firmware updates for the vulnerable router models to patch the software vulnerability [49681]. 3. Reviewing cooperation with the router manufacturer, Arcadyan Technology, to prevent future incidents [49681].
References 1. German Office for Information Security (BSI) [50191] 2. Deutsche Telekom [50191, 49645, 49681] 3. Security researchers [50191] 4. Rapid7 Inc [50191] 5. Eir [50191] 6. Vodafone Group Plc [50191] 7. Brazilian National Computer Emergency Response Team [50191] 8. Flashpoint [50191] 9. Arcadyan Technology [50191, 49681] 10. German Chancellor Angela Merkel [49645]

Software Taxonomy of Faults

Category Option Rationale
Recurring multiple_organization (a) The software failure incident having happened again at one_organization: The articles describe only this one incident at Deutsche Telekom; none of them reports an earlier outage or infection attempt at the company, so a recurrence at one_organization is not supported by the sources [50191, 49645, 49681]. (b) The software failure incident having happened again at multiple_organization: The attack was not limited to Deutsche Telekom. Security researchers observed the same Mirai-based infection attempts against routers in Brazil, Britain and Ireland, and Irish operator Eir and Vodafone Group Plc in Britain were named as using routers vulnerable to the same kind of attack [50191]. It was also described as the second large-scale attack on internet-connected devices in little more than a month, following the Oct. 21 attack that stopped millions of people in the United States and Europe from reaching websites [49645, 50191].
Phase (Design/Operation) design, operation (a) design: The routers could be attacked because of a vulnerability in their firmware. Deutsche Telekom later offered firmware updates for the affected Arcadyan models to patch that vulnerability, and security researchers described the campaign as exploiting common vulnerabilities in widely used routers, webcams, digital video recorders and other web-connected devices [50191, 49681]. The attack's goal was to turn the routers into part of the Mirai botnet, malware that turns network devices into remotely controlled "bots" for large-scale attacks [49681]. (b) operation: The failure surfaced while the routers were in service. The infection attempt failed and instead crashed or restricted 4% to 5% of all routers, cutting off the affected customers [49645]. Deutsche Telekom's response was operational: it rolled out a software update and told customers to disconnect their routers from power so that a reboot would clear the malware [49645].
Boundary (Internal/External) within_system, outside_system (a) within_system: The failure manifested inside the routers themselves. The malware's infection attempt crashed or restricted the devices [49645], the vulnerability it exploited was in the routers' firmware, which Deutsche Telekom and Arcadyan had to patch [49681], and the fix was a software update plus a reboot to remove the malware [49645]. (b) outside_system: The trigger came from outside. The attack was part of a global campaign against web-connected devices that exploited common vulnerabilities in widely used routers, webcams and other devices, and it hit users in Brazil, Britain and Ireland as well as Germany [50191]. The origin of the attack was unknown, and German Chancellor Angela Merkel said such attacks are becoming part of everyday life, an external threat that operators must expect to recur [49645].
Nature (Human/Non-human) non-human_actions, human_actions (a) non-human_actions: Once launched, the Mirai software spread on its own, seeking out vulnerable connected devices and attempting to turn them into remotely controlled "bots" for large-scale attacks that disrupt access to websites and computer systems [50191]. The outages were a side effect of this automated propagation: the infection attempt failed and crashed or restricted a percentage of routers rather than quietly recruiting them for a wider offensive [49645]. It was the second large-scale attack on internet-connected devices in little more than a month [49645]. (b) human_actions: Humans launched and directed the campaign. Deutsche Telekom's head of IT Security blamed the disruptions on a failed hacking attempt to hijack consumer routers for a wider internet attack, aiming to add a sizeable number of customers' routers to the Mirai botnet [49681]. Security experts noted that Mirai is easy enough to use that attackers with few technical skills could be behind follow-on attacks [50191]. Remediation also required human action: Deutsche Telekom had to issue firmware updates for the routers made by Taiwan's Arcadyan Technology, and customers had to reboot their devices [49645, 49681].
Dimension (Hardware/Software) software (a) hardware: The articles do not attribute the failure to a hardware defect. The routers are the hardware that crashed or stopped serving customers, but they did so because malware exploited a vulnerability in their firmware, not because of a fault in the devices' components [49645, 49681]. (b) software: The failure was software on both sides. The attacking software was Mirai, which seeks out vulnerable connected devices and turns them into remotely controlled bots for large-scale attacks [50191]. The weakness it exploited was a software vulnerability in the affected router models, which Deutsche Telekom addressed with firmware updates [49681]. The crashes themselves came from the attackers' faulty infection attempt, which failed instead of installing the malware cleanly [49645].
Objective (Malicious/Non-malicious) malicious (a) malicious: The incident was caused by a deliberate cyber attack. Attackers used Mirai to try to take over the routers of Deutsche Telekom customers and turn them into remotely controlled "bots" for large-scale attacks, as part of a global campaign against web-connected devices [50191]. Deutsche Telekom described it as an attempt to hijack consumer routers for a wider internet attack [49681]. (b) non-malicious: Not applicable. The outages themselves were not the attackers' goal; the attack was designed to recruit the routers quietly, and the crashes and restrictions that cut off around 900,000 customers were a side effect of the failed infection [49645, 49681]. That does not make the cause non-malicious, since the crashes were produced by malware that attackers deliberately directed at the devices, and the remedy was still a software update plus a reboot to remove that malware [49645].
Intent (Poor/Accidental Decisions) poor_decisions (a) poor_decisions: The attackers deliberately chose to target the routers of Deutsche Telekom customers with malware in order to enlist them in the Mirai botnet for large-scale attacks [50191, 49645, 49681]. The outage followed from that deliberate decision even though its precise form was not intended: the infection attempt was botched, and instead of recruiting the devices it crashed or restricted them, cutting off around 900,000 customers [49645, 49681]. The articles report no accidental decision by Deutsche Telekom or Arcadyan; they say only that the affected router models carried a vulnerability that needed a firmware update [49681].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) development_incompetence: The routers could be attacked because they shipped with a vulnerability that Deutsche Telekom and the manufacturer Arcadyan Technology had to close with firmware updates after the fact, and Deutsche Telekom said it would review its cooperation with Arcadyan [49681]. Security researchers noted that the campaign exploited common vulnerabilities in widely used routers and other devices, and that the infection attempts spreading to Brazil, Britain and Ireland used a technique similar to the one that stopped millions of people in the United States and Europe from reaching websites on Oct. 21, so the attack method was already known when it hit Deutsche Telekom [50191]. (b) accidental: The outage was not what the attackers intended. Their infection attempt failed and crashed or restricted 4% to 5% of all routers instead of quietly recruiting them, which is what made the attack visible to customers [49645]. The origin of the attack remained unknown while investigators examined the incident [49645].
Duration temporary The failure was temporary. The outages affected around 900,000 Deutsche Telekom customers in Germany, about 4% to 5% of all routers, which crashed or were restricted by the failed infection attempt [49645, 49681]. Service was restored once Deutsche Telekom rolled out a software update and customers rebooted their routers, which cleared the malware [49645]. The attack was part of a wider Mirai campaign against routers, webcams and digital video recorders worldwide, identified as such by the German government and security researchers, so the threat persisted beyond this incident even though the outage did not [50191].
Behaviour crash, omission, other (a) crash: The failed infection attempt crashed or restricted 4% to 5% of all routers, leaving nearly 900,000 Deutsche Telekom customers without internet service [49645, 49681]. (b) omission: Affected routers stopped performing their intended function of providing internet access until they were rebooted and updated [49645]. (c) timing: Not applicable; the articles report no timing-related failure. (d) value: Not applicable; the routers did not produce incorrect results, they stopped working. (e) byzantine: Not applicable. (f) other: The underlying behaviour was a deliberate attempt to hijack the routers for a wider internet attack, which goes beyond ordinary failure modes [49681].

IoT System Layer

Layer Option Rationale
Perception None None
Communication communication The affected devices were the routers through which customers reached Deutsche Telekom's internet service. The malware targeted these network devices in order to turn them into remotely controlled "bots", and when the infection attempt crashed or restricted them, customers lost their connection to the network [50191, 49645, 49681].
Application None None

Other Details

Category Option Rationale
Consequence property, delay, non-human, theoretical_consequence, other (a) death: No deaths resulting from the incident are reported [49681, 50191]. (b) harm: No physical harm to individuals is reported [49681, 50191]. (c) basic: No impact on access to food or shelter is reported [49681, 50191]. (d) property: Around 900,000 Deutsche Telekom customers lost internet access, and with it the ability to conduct online transactions, reach online services or communicate for the duration of the outage [49645, 49681, 50191]. (e) delay: Customers had to postpone online activities until their routers had been rebooted and updated [49645]. (f) non-human: The routers themselves were the direct victims: the failed infection attempt crashed or restricted them, and the wider campaign targeted routers, webcams and digital video recorders worldwide with the aim of turning them into remotely controlled "bots" [49645, 50191]. (g) no_consequence: Not applicable; the outages were real and widely reported [49645, 49681, 50191].
(h) theoretical_consequence: The attackers' intended outcome, using the hijacked routers as part of the Mirai botnet for a wider internet attack, did not occur because the infection failed [49645, 49681]. German Chancellor Angela Merkel also warned that similar disruptions should be expected in the future [49645]. (i) other: The loss of internet service disrupted the daily routines, work and communication of the affected customers [49645, 49681, 50191].
Domain information, other (a) information: The incident disrupted internet service delivered through nearly 1 million routers used to access Deutsche Telekom internet service [50191]. (h) finance: Not supported by the articles. Vodafone Group Plc is mentioned only as a telecom operator aware of a vulnerability in its routers that could let attackers mount denial-of-service attacks; no impact on financial services is reported [50191]. (m) other: The incident sits in telecommunications and consumer networking equipment, and the wider campaign targeted web-connected devices globally rather than any single industry [50191, 49645, 49681].
