Vulnerabilities / Threats
05:11 PM

Nortel Breach Gave Hackers Access For Years, Report Says

Hackers breached Nortel security and maintained access for years, reportedly making off with a treasure trove of corporate email and documents

Hackers breached Nortel security in 2000 and were able to maintain “widespread access” to the company’s computer systems for close to 10 years, according to a report.

Nortel did not immediately respond to a request for comment about the breach, but the extensiveness of the hack -- and the apparent lack of an effective response by Nortel -- has raised eyebrows. News of the attack was first publicized by The Wall Street Journal. Based on interviews with former employees and internal documents, the Journal reported that hackers based in China were able to breach security using seven stolen passwords belonging to Nortel executives. Using spyware and the compromised credentials, the attackers were reportedly able to gain access to technical papers, business plans, research and development reports, employee email, and other documents.

The attack was discovered in 2004 after an employee noticed unusual downloads that appeared to have been made by a senior executive. Nortel reportedly changed the compromised passwords, but did little else beyond conducting a six-month investigation. In the years that followed, Nortel reportedly ignored recommendations to improve network security, and ultimately began selling its assets off after declaring bankruptcy in 2009 without notifying potential suitors of the problem.

"People who looked at [the hacking] did not believe it was a real issue,” former Nortel CEO Mike Zafirovski reportedly told the Journal. “This never came up like, 'We have a real issue and we need to disclose to potential buyers of businesses.'"

While the danger may have been less clear years ago, “the continued failure of what was viewed as an innovative and sophisticated IT company to appreciate and address the risk is puzzling,” says Neil Roiter, research director at Corero Network Security.

“We expect that the new SEC guidelines will result in more disclosures, such as the recent revelation of the VeriSign breach in 2010, and that companies will be more up front about these events for the sake of the business community at large. [The guidelines should also result in] aggressive monitoring to detect outbound traffic and suspicious activity in the event of a breach,” Roiter says.

“The Nortel breach is not unexpected and reflects the reality of what every company is struggling to deal with today,” says Jacob Olcott, a principal in the cybersecurity practice at security analysis firm Good Harbor Consulting. “Those who think they don't have a problem are only fooling themselves. Additionally, the average investor is starting to understand the link between network security and future revenue: The more a company can keep attackers out of its networks, the better chance it can deliver business. Nortel investors may be asking themselves whether the decade of intellectual property and trade secret theft helped drive the company out of business.”

The Chinese government denied any involvement in the attacks, telling the Journal that "cyber attacks are transnational and anonymous" and shouldn't be attributed to China "without thorough investigation and hard evidence."

“From a legal standpoint, attribution is very difficult because we can’t place an attacker behind a keyboard, much less an entire country,” says Marcus Carey, security researcher with Rapid7. “With regard to China, it’s very easy for an attacker from any country to use China as a last hop for an attack. The attack could originate anywhere, but if it goes via China at some point, the buck for attribution will usually stop there, as American law enforcement can’t just subpoena Chinese ISP data.

“Many of my friends in the law-enforcement cyberforensics space are constantly frustrated with this fact,” he says.

Ten years is a long time for an attack to go essentially unresolved, but the security landscape has changed dramatically during that time, says Tim Keanini, chief technology officer at nCircle.

“In 2002, phishing hadn’t fully emerged as a routine security threat, there were no mobile banking threats, and no cyber-Monday shopping,” he said. “The sad reality is that it’s highly likely that Nortel isn’t the only company that has been breached for a long time and is just now deciding to disclose it.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/15/2012 | 6:45:25 AM
re: Nortel Breach Gave Hackers Access For Years, Report Says
Ten years is a long time for an attack to go essentially unresolved, but the security landscape has changed dramatically during at this time-á
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-02-01
Algorithmic complexity vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x through 3.1.2 allows remote attackers to cause a denial of service (CPU consumption) via vectors that trigger colliding hash-table keys. NOTE: this vulnerability exists because of an incomplete fix for CVE-2...

Published: 2015-02-01
ASUS JAPAN RT-AC87U routers with firmware and earlier, RT-AC68U routers with firmware and earlier, RT-AC56S routers with firmware and earlier, RT-N66U routers with firmware and earlier, and RT-N56U routers with firmware

Published: 2015-02-01
Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware and earlier, RT-AC68U routers with firmware and earlier, RT-AC56S routers with firmware and earlier, RT-N66U routers with firmware and earl...

Published: 2015-02-01
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shel...

Published: 2015-02-01
Stack-based buffer overflow in an unspecified DLL file in a DTM development kit in Schneider Electric Unity Pro, SoMachine, SoMove, SoMove Lite, Modbus Communication Library 2.2.6 and earlier, CANopen Communication Library 1.0.2 and earlier, EtherNet/IP Communication Library 1.0.0 and earlier, EM X8...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.