Incident: Title: Hack of Climatic Research Unit (CRU) Backup Server

Published Date: 2010-02-05

Postmortem Analysis
Timeline:
1. The software failure incident happened in November 2009 [556].

System:
The software failure incident reported in Article 556 involved a hack of the Climatic Research Unit (CRU) at the University of East Anglia. The systems that failed in this incident were:
1. Climatic Research Unit (CRU) server at the University of East Anglia, which held backups of CRU emails and staff documents [556].
2. RealClimate blog, which was hacked by the perpetrator to upload the archive of emails and documents [556].
3. Backup mail server of CRU, which was hacked into by the perpetrator [556].
4. UEA's system administrators' backup server holding CRU emails dating back to 1996, which was accessed by the hacker [556].

Responsible Organization:
1. An outside hacker gained access to a server at the University of East Anglia (UEA) which held backups of CRU emails and staff documents, leading to the software failure incident [556].

Impacted Organization:
1. Climatic Research Unit (CRU) at the University of East Anglia [556]

Software Causes:
1. The software failure incident was caused by a hack carried out by an outside hacker who gained access to a server at the University of East Anglia (UEA) which held backups of CRU emails and staff documents [556].
2. The hacker accessed the server over a period of days, if not weeks, from a computer based on the east coast of North America [556].
3. The hacker broke into the RealClimate blog to upload the archive of hacked emails and documents, and when thwarted, uploaded it to a Russian website and posted links on climate sceptics' blogs using web servers located in Saudi Arabia and Turkey [556].
4. The hacker targeted specific scientists at the CRU, including Phil Jones, Keith Briffa, Tim Osborn, and Mike Hulme, who were recipients or senders of the majority of the emails [556].
5. The hacker obtained access to a backup server holding CRU emails dating back to 1996, indicating a breach in the UEA's system where emails from CRU staff's machines were backed up onto a server [556].
6. The hacker created a zipped archive of emails and documents over a number of weeks, with bursts on specific dates, and added a folder of computer analysis code by Osborn to the package on 16 November [556].
7. The hacker was able to hack into RealClimate's blog, locking out legitimate administrators, and attempted to create a blog post claiming that global warming was a myth [556].

Non-software Causes:
1. Lack of transparency in releasing raw data and program code despite multiple freedom of information requests [556]
2. Accidental security breaches in the UEA system, such as misconfigured servers leaving vulnerabilities [556]

Impacts:
1. The software failure incident led to a breach of the Climatic Research Unit (CRU) at the University of East Anglia, where an outside hacker gained access to a server containing backups of CRU emails and staff documents, leading to the release of sensitive information [556].
2. The incident caused a significant impact on the reputation and credibility of the CRU scientists, particularly Phil Jones, Keith Briffa, Tim Osborn, and Mike Hulme, who were targeted by the hacker due to their high-profile scientific papers supporting the IPCC's reports on global warming [556].
3. The failure resulted in a breach of data confidentiality, as the hacker accessed and released emails and documents dating back to 1996, indicating a compromise of the CRU's email backup server [556].
4. The incident raised concerns about the security measures in place at the UEA, highlighting previous accidental security breaches and misconfigurations that could have facilitated the hacker's access to the system [556].
5. The software failure incident sparked controversy and debate within the scientific community and among climate change skeptics, leading to questions about the motives of the hacker and the potential implications of the released information on climate change research [556].

Preventions:
1. Implementing stricter access controls and monitoring on the server holding backups of sensitive data at the Climatic Research Unit (CRU) could have prevented the outside hacker from gaining unauthorized access [556].
2. Regular security audits and vulnerability assessments on the CRU's systems could have identified and addressed any misconfigurations or weaknesses that could be exploited by hackers [556].
3. Enhancing employee training on cybersecurity best practices, such as recognizing phishing attempts or social engineering tactics, could have reduced the likelihood of successful attacks targeting specific individuals within the organization [556].
4. Enforcing a policy of regular data backups and secure storage practices could have mitigated the impact of the incident by ensuring that critical data is not solely stored on vulnerable servers [556].

Fixes:
1. Enhancing cybersecurity measures to prevent unauthorized access to servers and backup systems, such as implementing stronger authentication protocols and regular security audits [556].
2. Improving data protection practices, including encryption of sensitive information and regular backups with secure storage [556].
3. Conducting thorough digital forensic investigations to identify the source of the hack and potential vulnerabilities in the system [556].
4. Implementing stricter access controls and monitoring mechanisms to detect unusual activities on the network [556].
5. Providing cybersecurity training to staff members to raise awareness about potential threats and best practices for maintaining data security [556].

References:
1. Digital forensics experts
2. The Guardian
3. Sir David King
4. Jeff Condon
5. Gavin Schmidt

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident related to the hack of the Climatic Research Unit (CRU) at the University of East Anglia is a unique incident that has not been reported to have happened again at the same organization [556]. (b) There is no information in the provided article about a similar incident happening at other organizations or with their products and services.
Phase (Design/Operation) design, operation (a) The software failure incident reported in Article 556 was primarily related to a hack of the Climatic Research Unit (CRU) at the University of East Anglia. The incident involved a breach of the CRU's server, leading to the release of hacked emails and documents. The breach was carried out by an outside hacker who gained access to a server at the UEA, which held backups of CRU emails and staff documents. The hacker's access occurred over a period of days, if not weeks, and was carried out from a computer based on the east coast of North America. The release of the hacked emails and documents was a result of the hacker gaining unauthorized access to the server, indicating a failure in the design and security measures of the system [556]. (b) The software failure incident also involved the operation of the system at the Climatic Research Unit. The hacker targeted specific scientists at the CRU, including Phil Jones, Keith Briffa, Tim Osborn, and Mike Hulme. The hacker had access to a backup server holding CRU emails dating back to 1996, indicating a breach in the operational security of the system. Additionally, the hacker attempted to create a blog post on RealClimate's blog, claiming that global warming was a myth, further highlighting the operational impact of the breach on legitimate administrators and users of the system [556].
Boundary (Internal/External) within_system, outside_system (a) within_system: The software failure incident reported in Article 556 was primarily within the system. The incident involved a hack of the Climatic Research Unit (CRU) at the University of East Anglia, where an outside hacker gained access to a server at the UEA which held backups of CRU emails and staff documents. The hacker was able to access a backup server holding CRU emails dating back to 1996, indicating a breach within the system's backup infrastructure. Additionally, the hacker managed to break into the RealClimate blog, which was likely connected to the CRU's systems, to upload the hacked archive and prepare a draft post [556]. (b) outside_system: The software failure incident also had elements originating from outside the system. The hack was carried out from a computer based on the east coast of North America, indicating an external source for the attack. Furthermore, the hacker uploaded the hacked archive to a Russian website and posted links on climate skeptic blogs using web servers located in Saudi Arabia and Turkey, demonstrating the involvement of external entities in the dissemination of the hacked information [556].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in Article 556 was primarily due to non-human actions, specifically a hack carried out by an outside hacker gaining access to a server at the University of East Anglia's Climatic Research Unit (CRU). The hacker accessed backups of CRU emails and staff documents over a period of days or weeks from a computer based on the east coast of North America. The hacker then released the hacked emails and documents by uploading them to a Russian website and posting links on climate skeptic blogs using web servers located in Saudi Arabia and Turkey. The incident involved digital forensic analysis to trace the actions of the hacker and the creation of a zipped archive of emails and documents over several weeks [556]. (b) While the software failure incident was primarily caused by non-human actions (the hack), human actions also played a role in the incident. The release of the emails and documents was preceded by climate change skeptics filing freedom of information requests querying the CRU's refusal to release raw data and program code. The refusal to release data and code by the CRU scientists mentioned in the article, such as Phil Jones and Keith Briffa, contributed to the frustration of those outside academia who wanted to repeat or discredit their work. Additionally, the actions of the hacker in targeting specific scientists and filtering the emails based on certain keywords suggest a level of human involvement in the incident [556].
Dimension (Hardware/Software) software (a) The software failure incident reported in Article 556 was not due to hardware issues but rather a hack that originated from an outside hacker gaining access to a server at the University of East Anglia (UEA) which held backups of CRU emails and staff documents. The hacker accessed the server over a period of days, if not weeks, from a computer based on the east coast of North America [556]. (b) The software failure incident in Article 556 was a result of a hack carried out by an outside hacker who gained access to the UEA server holding backups of CRU emails and staff documents. The hacker copied the files over a number of weeks, with bursts on specific dates, and also broke into the RealClimate blog to upload the archive and prepare a draft post. The incident involved digital forensic analysis of the zipped archive of emails and documents, indicating a deliberate and targeted effort to access specific information [556].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident reported in Article 556 was malicious in nature. The incident involved a hack of the Climatic Research Unit (CRU) at the University of East Anglia, where an outside hacker gained access to a server holding backups of CRU emails and staff documents. The hacker then released the hacked emails and documents, targeting specific scientists and filtering the content to focus on keywords related to climate research. The hack was described as a deliberate act carried out by a team of skilled professionals, possibly on behalf of a foreign government or anti-climate change lobbyists [556]. The incident involved unauthorized access, data theft, and manipulation of information with the intent to harm the reputation of the scientists and create controversy over climate change research.
Intent (Poor/Accidental Decisions) poor_decisions The intent of the software failure incident reported in Article 556 was related to poor_decisions. The incident involved a hack of the Climatic Research Unit (CRU) at the University of East Anglia, where the hacker gained access to a server holding backups of CRU emails and staff documents. The release of hacked emails and documents followed a series of freedom of information requests querying the CRU's refusal to release raw data and program code. The incident involved targeted filtering of emails and documents, indicating a deliberate effort to access specific information related to climate, research, and models. The hacker's actions, such as uploading the archive to a Russian website and posting links on climate skeptic blogs, suggest a strategic approach rather than accidental actions [556].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident related to development incompetence is evident in the article as it discusses the lack of professional competence in handling the security of the Climatic Research Unit's (CRU) systems. The article mentions accidental security breaches at the University of East Anglia (UEA) due to misconfigurations, such as a server being wrongly configured, which allowed unauthorized access to directories of files [556]. (b) The software failure incident related to accidental factors is also highlighted in the article, where it mentions accidental security breaches that occurred at UEA due to misconfigurations in the system. These accidental misconfigurations left vulnerabilities that a determined hacker could exploit to gain access to sensitive data [556].
Duration temporary The software failure incident described in Article 556 was temporary. The incident involved a hack of the Climatic Research Unit (CRU) at the University of East Anglia, where an outside hacker gained access to a server holding backups of CRU emails and staff documents over a period of days, if not weeks. The hacker uploaded the stolen data to various platforms and attempted to create a blog post claiming that global warming was a myth. The incident involved multiple stages, including accessing the server, copying files over several weeks, and attempting to manipulate public perception by releasing selected information [556].
Behaviour crash, omission, other (a) crash: The software failure incident in the article can be associated with a crash as it involved a hack into the Climatic Research Unit's (CRU) backup mail server, which led to locking out legitimate administrators and an attempt to create a blog post claiming that global warming was a myth [556]. (b) omission: The software failure incident can also be linked to omission as the hacker targeted specific scientists at the CRU, filtering out routine administrative messages about fire alarms and holiday reminders, focusing on emails related to data, climate, research, temperature, and models [556]. (c) timing: The timing of the software failure incident is not directly related to the system performing its intended functions too late or too early. Instead, the incident involved a series of events over a period of weeks, including copying files on different dates and adding computer analysis code to the package on specific dates [556]. (d) value: The software failure incident does not align with a failure due to the system performing its intended functions incorrectly. The incident was more about gaining unauthorized access to data and documents rather than the system malfunctioning in its operations [556]. (e) byzantine: The software failure incident does not exhibit characteristics of a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. The incident was more focused on targeted hacking and filtering of specific information rather than erratic behavior of the system [556]. (f) other: The other behavior exhibited in the software failure incident is related to deliberate hacking activities aimed at accessing specific data and documents, filtering out certain types of emails, and attempting to manipulate the narrative around global warming by posting misleading information on blogs. This behavior goes beyond a typical system failure and involves intentional cyber intrusion and manipulation [556].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence (a) unknown (b) unknown (c) unknown (d) The software failure incident resulted in the release of hacked emails and documents from the Climatic Research Unit (CRU) at the University of East Anglia, impacting the privacy and security of the individuals involved [556]. (e) unknown (f) The software failure incident impacted non-human entities, specifically the CRU's emails dating back to 1996 and a collection of staff documents that were accessed and released by the hacker [556]. (g) unknown (h) Theoretical consequences discussed included the potential motives of the hacker, such as being part of a team of skilled professionals working for a foreign government or anti-climate change lobbyists, as well as the potential surprise of igniting a controversy over techniques by the hacker [556]. (i) unknown
Domain knowledge The software failure incident reported in Article 556 is related to the industry of climate research and environmental science. The incident involved a hack of the Climatic Research Unit (CRU) at the University of East Anglia, which is a key institution in the field of climate research. The hacked system contained backups of CRU emails, staff documents, and climate data used for research on global warming and climate change. The incident specifically targeted scientists involved in climate modeling, data analysis, and research related to global warming, indicating its direct connection to the knowledge industry ([556]).
