Analysing the Recent Global IT Outage: CrowdStrike, Cybersecurity Threats, and EU Agreements
Susan Brown
CEO at Zortrex - Leading Data Security Innovator | Championing Advanced Tokenisation Solutions at Zortrex Protecting Cloud Data with Cutting-Edge AI Technology
Introduction
The world recently experienced one of the largest IT outages in history, attributed to a faulty update by the cybersecurity firm CrowdStrike. This incident, however, has sparked significant debate and speculation about its true nature, with many questioning whether a more sophisticated cyberattack or other underlying factors might have been involved.
The Incident
On 19th July 2024, CrowdStrike released an update for its Falcon Sensor software for Windows systems. This update caused widespread Blue Screen of Death (BSOD) errors, leading to massive disruptions across airlines, banks, healthcare providers, and other critical sectors globally (Business Today) (MacDailyNews) (India Today). Within hours, CrowdStrike identified the issue and deployed a fix, but the impact had already reached a critical level, taking several days to fully resolve (Business Today) (India Today).
Official Explanation and Scepticism
CrowdStrike has taken responsibility for the incident, citing the flawed update as the cause. However, given the history of downplayed cyberattacks, there is valid scepticism about this narrative. Historically, incidents initially reported as technical faults have later been revealed as sophisticated cyberattacks. For example, the NotPetya attack in 2017 was initially thought to be ransomware but was later understood to be a state-sponsored attack (CrowdStrike) (TechRepublic).
Potential Cyberattack Involvement
Given the sophistication of malware such as GuLoader, RemcosRat, and CrystalRay, it is plausible that they could have infiltrated CrowdStrike systems. These tools are known for their stealth, including hiding within encoded formats such as base64, which makes detection difficult. They provide remote access, data exfiltration, and further payload delivery, and could cause significant disruption if embedded within critical software updates (CrowdStrike).
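As an added illustration of the base64 concealment point above (example code written for this article, not CrowdStrike's or any vendor's), the following Python scanner pulls base64 runs out of log lines, decodes them, and flags those that decode to a Windows executable header or to a script that decodes a further payload. The log lines, indicator names and sample payloads are constructed for the example and are not real malware.

```python
import base64
import binascii
import re

# A run of base64-alphabet characters at least 32 long (24 decoded bytes).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# Checks on the *decoded* bytes; indicator names are labels chosen for this example.
INDICATORS = {
    "pe_header": lambda d: d.startswith(b"MZ"),
    "dos_stub": lambda d: b"This program cannot be run in DOS mode" in d,
    "nested_base64": lambda d: b"FromBase64String" in d,
    "script_eval": lambda d: b"Invoke-Expression" in d or b"IEX" in d,
}

def decode_run(run):
    """Decode one candidate run, tolerating stripped padding; None if not base64."""
    padded = run + "=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None

def scan_line(line):
    """One finding per base64 run whose decoded bytes match an indicator."""
    findings = []
    for m in B64_RUN.finditer(line):
        decoded = decode_run(m.group(0))
        if decoded is None:  # looks like base64 but is not (odd length, bad padding)
            continue
        hits = [name for name, check in INDICATORS.items() if check(decoded)]
        if hits:
            findings.append({"offset": m.start(), "indicators": hits})
    return findings

def scan_logs(lines):
    return {i: f for i, line in enumerate(lines) if (f := scan_line(line))}

# Constructed samples (not real malware): a fake PE prefix and a fake loader command.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
FAKE_LOADER = b"IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)))"
SAMPLE_LOGS = [  # constructed log lines; only the last two carry suspicious blobs
    "2024-07-19T04:09:00Z host01 svc: token=" + base64.b64encode(b"benign configuration value, nothing to see here").decode(),
    "2024-07-19T04:09:02Z host01 sha256=" + "ab" * 32,  # hex decodes as base64 but matches nothing
    "2024-07-19T04:09:05Z host01 cmd: powershell -enc " + base64.b64encode(FAKE_LOADER).decode(),
    "2024-07-19T04:09:09Z host01 upload blob=" + base64.b64encode(FAKE_PE).decode(),
]
if __name__ == "__main__":
    for idx, found in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {found}")
```

A hex hash or an ordinary token decodes cleanly too, which is why the scanner judges the decoded bytes rather than the mere presence of a long base64-looking run.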
Previous Cyber Threats to CrowdStrike Customers
CrowdStrike's 2024 Global Threat Report highlights a significant rise in sophisticated cyber activities. There was a 75% increase in cloud intrusions and a 60% rise in interactive intrusion campaigns, many of which were malware-free. These incidents suggest that attackers have been increasingly targeting CrowdStrike customers using advanced techniques.
Specifically, during the recent incident, threat actors attempted to exploit the situation by sending phishing emails, impersonating CrowdStrike staff, and creating fake domains to deceive customers. These actions indicate that cybercriminals were actively trying to leverage the disruption caused by the faulty update.
EU Agreements and Their Role
While some have speculated about the potential role of recent EU agreements in this incident, the connection appears tenuous. If an EU agreement were responsible, it would have been identified and addressed sooner. The technical nature of the disruption points more clearly to a cybersecurity issue rather than a policy-related one.
Need for Thorough Investigation
The possibility that CrowdStrike was targeted in a sophisticated cyberattack remains. Continuous monitoring, detailed forensic investigations, and transparent communication are essential to fully understand and mitigate such incidents. Organisations should regularly audit their security measures, ensure software updates are thoroughly tested, and employ advanced threat detection systems.
Personal Experience and Expertise
As someone who has extensively covered cybersecurity topics, particularly the implications of base64 encoding in malware concealment, I can affirm the importance of considering all angles in such incidents. My recent articles have delved into how malware like GuLoader, RemcosRat, and CrystalRay can hide in base64, making them difficult to detect. These insights underscore the need for advanced threat detection and forensic analysis in understanding and responding to large-scale IT disruptions.
Conclusion
While the official explanation attributes the outage to a faulty update from CrowdStrike, the potential for a hidden cyberattack involving sophisticated malware cannot be ruled out. Continuous monitoring, detailed investigations, and transparent communication are necessary to understand the full scope of the incident and safeguard against future threats.