Vulnerabilities / Threats
2/14/2012
05:11 PM
Connect Directly
RSS
E-Mail
50%
50%

Nortel Breach Gave Hackers Access For Years, Report Says

Hackers breached Nortel security and maintained access for years, reportedly making off with a treasure trove of corporate email and documents

Hackers breached Nortel security in 2000 and were able to maintain “widespread access” to the company’s computer systems for close to 10 years, according to a report.

Nortel did not immediately respond to a request for comment about the breach, but the extensiveness of the hack -- and the apparent lack of an effective response by Nortel -- has raised eyebrows. News of the attack was first publicized by The Wall Street Journal. Based on interviews with former employees and internal documents, the Journal reported that hackers based in China were able to breach security using seven stolen passwords belonging to Nortel executives. Using spyware and the compromised credentials, the attackers were reportedly able to gain access to technical papers, business plans, research and development reports, employee email, and other documents.

The attack was discovered in 2004 after an employee noticed unusual downloads that appeared to have been made by a senior executive. Nortel reportedly changed the compromised passwords, but did little else beyond conducting a six-month investigation. In the years that followed, Nortel reportedly ignored recommendations to improve network security, and ultimately began selling its assets off after declaring bankruptcy in 2009 without notifying potential suitors of the problem.

"People who looked at [the hacking] did not believe it was a real issue,” former Nortel CEO Mike Zafirovski reportedly told the Journal. “This never came up like, 'We have a real issue and we need to disclose to potential buyers of businesses.'"

While the danger may have been less clear years ago, “the continued failure of what was viewed as an innovative and sophisticated IT company to appreciate and address the risk is puzzling,” says Neil Roiter, research director at Corero Network Security.

“We expect that the new SEC guidelines will result in more disclosures, such as the recent revelation of the VeriSign breach in 2010, and that companies will be more up front about these events for the sake of the business community at large. [The guidelines should also result in] aggressive monitoring to detect outbound traffic and suspicious activity in the event of a breach,” Roiter says.

“The Nortel breach is not unexpected and reflects the reality of what every company is struggling to deal with today,” says Jacob Olcott, a principal in the cybersecurity practice at security analysis firm Good Harbor Consulting. “Those who think they don't have a problem are only fooling themselves. Additionally, the average investor is starting to understand the link between network security and future revenue: The more a company can keep attackers out of its networks, the better chance it can deliver business. Nortel investors may be asking themselves whether the decade of intellectual property and trade secret theft helped drive the company out of business.”

The Chinese government denied any involvement in the attacks, telling the Journal that "cyber attacks are transnational and anonymous" and shouldn't be attributed to China "without thorough investigation and hard evidence."

“From a legal standpoint, attribution is very difficult because we can’t place an attacker behind a keyboard, much less an entire country,” says Marcus Carey, security researcher with Rapid7. “With regard to China, it’s very easy for an attacker from any country to use China as a last hop for an attack. The attack could originate anywhere, but if it goes via China at some point, the buck for attribution will usually stop there, as American law enforcement can’t just subpoena Chinese ISP data.

“Many of my friends in the law-enforcement cyberforensics space are constantly frustrated with this fact,” he says.

Ten years is a long time for an attack to go essentially unresolved, but the security landscape has changed dramatically during that time, says Tim Keanini, chief technology officer at nCircle.

“In 2002, phishing hadn’t fully emerged as a routine security threat, there were no mobile banking threats, and no cyber-Monday shopping,” he said. “The sad reality is that it’s highly likely that Nortel isn’t the only company that has been breached for a long time and is just now deciding to disclose it.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MS8699
50%
50%
MS8699,
User Rank: Apprentice
2/15/2012 | 6:45:25 AM
re: Nortel Breach Gave Hackers Access For Years, Report Says
Ten years is a long time for an attack to go essentially unresolved, but the security landscape has changed dramatically during at this time-á
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.