Thu 25 Jul 2024




What is CrowdStrike? How a faulty update caused the global IT outage

Airports, the NHS, rail companies and retailers have all been hit by a major global IT breakdown

Businesses and key services across the globe have been hit by a major IT breakdown, taking them offline.

The breakdown has been caused by a faulty update to widely used cyber security software developed by a company called CrowdStrike.

It has led to travel chaos at airports across the world, with Gatwick, Stansted, Luton and Edinburgh among those affected in the UK. Ryanair, KLM and other major airlines have seen flights disrupted, while in the US American Airlines and United have grounded flights completely. More than 1,000 flights had been cancelled globally as of 10.30am.

GP surgeries have been hit. Practices that use the affected IT systems have said they can do very little and are unable to function as normal, while patients have reported being unable to get prescriptions issued or access their medical history.

Multiple train operators, including Avanti West Coast, Great Western Railway and Great Northern, are being affected by last-minute delays and cancellations, and retailers such as Morrisons and Gail’s have experienced issues with payments.

TV channels have also been hit, with Sky News going off air for several hours.

The issue has been “identified, isolated and a fix has been deployed”, George Kurtz, CEO of CrowdStrike, said in a statement.

What is CrowdStrike?

CrowdStrike provides cyber attack monitoring and protection to many major businesses.

The company, which was co-founded by current CEO George Kurtz in 2011, has been involved in investigations of several high-profile cyber attacks, including the 2014 attack on Sony Pictures and the 2015-16 intrusions into the Democratic National Committee.

It is based in Austin, Texas, has almost 8,500 employees, and is on track to bring in more than $3bn in revenue in 2024.

Falcon Sensor is the name of CrowdStrike’s software designed to protect computer systems from cyber attacks, and is reportedly at fault for Friday’s outage.

How is CrowdStrike involved in the global IT outage?

Windows laptops and PCs stopped working and displayed what is known as the ‘Blue Screen of Death’ (BSOD), where the screen goes blue and shows an error message. It prevented users from accessing their systems, and many machines restarted into the same error again.

CrowdStrike’s Falcon Sensor program appears to be at the root of the issue. The company describes it as a product “purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more”.

To do its job, the sensor has to run inside the operating system with deep privileges, so a fault in the sensor can take down the whole machine rather than just one program.

It is understood that a defective Falcon Sensor content update affected hosts running Windows, with Mac and Linux hosts unaffected. Microsoft issued a statement on Friday morning confirming it was continuing to address the “lingering impact” on its 365 applications.

“Companies spend a lot of time, money and effort on both sides of that equation to make sure that they’re compatible,” Ciaran Martin, former Head of the National Cyber Security Centre – part of GCHQ – told the BBC. “When you’re deploying these things, you have to make sure you don’t destabilise other parts of the network, and most of the time that works.

“Occasionally, it doesn’t. It appears that that’s not the case. It’s very rare to be as serious as this.”

IT workers across the world were trying to share fixes and troubleshoot specific workarounds on social media.

Calls to CrowdStrike’s technical support phone line are being met with a recorded message which says it is “aware of reports of crashes on Windows relating to the Falcon Sensor”.

Mr Kurtz said on X at 10.45am: “CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack.

“The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organisations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilised to ensure the security and stability of CrowdStrike customers.”

In a statement, Microsoft said: “We have been made aware of an issue impacting virtual machines running Windows, running the CrowdStrike Falcon agent, which may encounter a bug check (blue screen of death) and get stuck in a restarting state.

“We are aware of this issue and are currently investigating potential options Azure customers can take for mitigation.”

Cyber security experts said that the deep access CrowdStrike’s Falcon Sensor has to business systems meant a fault in the platform would have widespread effects.

Toby Murray, associate professor in the School of Computing and Information Systems at the University of Melbourne, said: “CrowdStrike Falcon has been linked to this widespread outage. CrowdStrike is a global cyber security and threat intelligence company.

“Falcon is what is known as an Endpoint Detection and Response (EDR) platform, which monitors the computers that it is installed on to detect intrusions – hacks – and respond to them. That means that Falcon is a pretty privileged piece of software in that it is able to influence how the computers it is installed on behave.

“For example, if it detects that a computer is infected with malware that is causing the computer to communicate with an attacker, then Falcon could conceivably block that communication from occurring. If Falcon is suffering a malfunction then it could be causing a widespread outage for two reasons – one: Falcon is widely deployed on many computers, and two: because of Falcon’s privileged nature.

“Falcon is a bit like anti-virus software: it is regularly updated with information about the latest online threats – so it can better detect them. We have certainly seen anti-virus updates in the past causing problems.”
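The point Toby Murray makes above is why a bad update file can take a whole machine down rather than just one program: the component that reads the file runs with the privileges of the operating system. The following added example (not CrowdStrike’s code; the file format, the rules and the malformed samples are all constructed for illustration) contrasts a loader that trusts its content file with one that treats the file as untrusted input and keeps the last-known-good rules when validation fails:

```python
"""Added illustration (not CrowdStrike code): why a defective content
file loaded by privileged software takes the host down, and how a
loader that treats the file as untrusted input fails safe instead.
The file format, the rules and the malformed samples are constructed."""
import struct
from dataclasses import dataclass

MAGIC = b"CNTX"                 # constructed file signature
COUNT = struct.Struct("<H")     # number of rule records in the file
RECORD = struct.Struct("<HH")   # per rule: rule id, pattern length


@dataclass
class Rule:
    rule_id: int
    pattern: bytes


class HostCrash(Exception):
    """Stand-in for a kernel bug check: the whole machine, not just the
    sensor process, goes down and loops at boot while the file persists."""


def build_content(rules):
    """Serialise (rule_id, pattern) pairs into the constructed format."""
    body = b"".join(RECORD.pack(rid, len(p)) + p for rid, p in rules)
    return MAGIC + COUNT.pack(len(rules)) + body


def load_unchecked(blob):
    """Naive loader: trusts the header and indexes the buffer blindly."""
    try:
        count = COUNT.unpack_from(blob, 4)[0]
        off, rules = 6, []
        for _ in range(count):
            rid, n = RECORD.unpack_from(blob, off)
            off += RECORD.size
            pattern = bytes(blob[off + i] for i in range(n))  # reads past the end if n lies
            rules.append(Rule(rid, pattern))
            off += n
        return rules
    except (struct.error, IndexError) as exc:
        # In a user-mode program this is a caught exception; in a kernel
        # driver an out-of-bounds read is a bug check (blue screen).
        raise HostCrash(f"out-of-bounds read in privileged loader: {exc}") from exc


def load_checked(blob, current):
    """Hardened loader: validates every field against the buffer length and,
    on any failure, keeps the last-known-good rule set rather than crashing."""
    if len(blob) < 6 or blob[:4] != MAGIC:
        return current, "rejected: bad header"
    count = COUNT.unpack_from(blob, 4)[0]
    off, rules = 6, []
    for _ in range(count):
        if off + RECORD.size > len(blob):
            return current, "rejected: truncated record"
        rid, n = RECORD.unpack_from(blob, off)
        off += RECORD.size
        if n == 0 or off + n > len(blob):
            return current, "rejected: pattern length out of range"
        rules.append(Rule(rid, blob[off:off + n]))
        off += n
    if off != len(blob):
        return current, "rejected: trailing bytes"
    return rules, "loaded"


# Constructed sample inputs: one valid update, one truncated (header claims
# five rules, only one is present) and one that is all zero bytes.
GOOD_RULES = [(1, b"evil.exe"), (2, b"\x90\x90\xcc")]
GOOD_UPDATE = build_content(GOOD_RULES)
TRUNCATED_UPDATE = MAGIC + COUNT.pack(5) + RECORD.pack(1, 8) + b"evil.exe"
ZERO_UPDATE = bytes(64)


def apply_update(blob, current):
    """Outcome of pushing one content file to a host, under each loader."""
    try:
        unchecked = f"loaded {len(load_unchecked(blob))} rules"
    except HostCrash:
        unchecked = "bug check: host down until the file is removed"
    rules, status = load_checked(blob, current)
    return {"unchecked": unchecked, "checked": f"{status}, {len(rules)} rules active"}


if __name__ == "__main__":
    baseline, _ = load_checked(GOOD_UPDATE, [])
    for name, blob in [("good", GOOD_UPDATE), ("truncated", TRUNCATED_UPDATE), ("zeros", ZERO_UPDATE)]:
        print(name, apply_update(blob, baseline))
```

Two failure modes show up. The truncated file crashes the naive loader outright, which on a real kernel driver is the blue screen and the restart loop described above. The all-zero file does not crash it at all: the naive loader quietly accepts it with zero rules, so detection is silently switched off, which is a worse outcome for a security product than a visible failure. The hardened loader rejects both and leaves the previous rule set active, so the host stays up and protected while the bad update is investigated.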

Could an outage this large be caused by a hacker?

Earlier this year, Microsoft disclosed Russian state-backed hackers gained access to some of the company’s core software systems. Microsoft believes that the hackers accessed “some of the company’s source code repositories and internal systems” using information stolen from Microsoft’s corporate email systems.

Incidents like that fuelled fears that the outage may have been the work of a bad actor or some other malicious attack, but one of the clues to the root of the issue was in the timing.

Speaking before the fault was confirmed by CrowdStrike, Mr Martin said the evidence pointed to an error, in part because “for timezone reasons it seems to be emerging first in Australia”.

i understands the fault began at midday on Friday AEST (Australian Eastern Standard Time).

The global scale of the outage is unusual, but not unheard of. In 2021, Meta platforms including Facebook, Instagram, WhatsApp, Mapillary and Oculus went down worldwide, affecting billions of users, when a change to the configuration of the system that coordinates some of their network traffic led to a six-hour outage.

Mr Kurtz said updates were available for customers and urged those affected to get in touch with CrowdStrike if they were still having problems.
