Vulnerabilities / Threats
2/14/2012
05:11 PM
50%
50%

Nortel Breach Gave Hackers Access For Years, Report Says

Hackers breached Nortel security and maintained access for years, reportedly making off with a treasure trove of corporate email and documents

Hackers breached Nortel security in 2000 and were able to maintain “widespread access” to the company’s computer systems for close to 10 years, according to a report.

Nortel did not immediately respond to a request for comment about the breach, but the extensiveness of the hack -- and the apparent lack of an effective response by Nortel -- has raised eyebrows. News of the attack was first publicized by The Wall Street Journal. Based on interviews with former employees and internal documents, the Journal reported that hackers based in China were able to breach security using seven stolen passwords belonging to Nortel executives. Using spyware and the compromised credentials, the attackers were reportedly able to gain access to technical papers, business plans, research and development reports, employee email, and other documents.

The attack was discovered in 2004 after an employee noticed unusual downloads that appeared to have been made by a senior executive. Nortel reportedly changed the compromised passwords, but did little else beyond conducting a six-month investigation. In the years that followed, Nortel reportedly ignored recommendations to improve network security, and ultimately began selling its assets off after declaring bankruptcy in 2009 without notifying potential suitors of the problem.

"People who looked at [the hacking] did not believe it was a real issue,” former Nortel CEO Mike Zafirovski reportedly told the Journal. “This never came up like, 'We have a real issue and we need to disclose to potential buyers of businesses.'"

While the danger may have been less clear years ago, “the continued failure of what was viewed as an innovative and sophisticated IT company to appreciate and address the risk is puzzling,” says Neil Roiter, research director at Corero Network Security.

“We expect that the new SEC guidelines will result in more disclosures, such as the recent revelation of the VeriSign breach in 2010, and that companies will be more up front about these events for the sake of the business community at large. [The guidelines should also result in] aggressive monitoring to detect outbound traffic and suspicious activity in the event of a breach,” Roiter says.

“The Nortel breach is not unexpected and reflects the reality of what every company is struggling to deal with today,” says Jacob Olcott, a principal in the cybersecurity practice at security analysis firm Good Harbor Consulting. “Those who think they don't have a problem are only fooling themselves. Additionally, the average investor is starting to understand the link between network security and future revenue: The more a company can keep attackers out of its networks, the better chance it can deliver business. Nortel investors may be asking themselves whether the decade of intellectual property and trade secret theft helped drive the company out of business.”

The Chinese government denied any involvement in the attacks, telling the Journal that "cyber attacks are transnational and anonymous" and shouldn't be attributed to China "without thorough investigation and hard evidence."

“From a legal standpoint, attribution is very difficult because we can’t place an attacker behind a keyboard, much less an entire country,” says Marcus Carey, security researcher with Rapid7. “With regard to China, it’s very easy for an attacker from any country to use China as a last hop for an attack. The attack could originate anywhere, but if it goes via China at some point, the buck for attribution will usually stop there, as American law enforcement can’t just subpoena Chinese ISP data.

“Many of my friends in the law-enforcement cyberforensics space are constantly frustrated with this fact,” he says.

Ten years is a long time for an attack to go essentially unresolved, but the security landscape has changed dramatically during that time, says Tim Keanini, chief technology officer at nCircle.

“In 2002, phishing hadn’t fully emerged as a routine security threat, there were no mobile banking threats, and no cyber-Monday shopping,” he said. “The sad reality is that it’s highly likely that Nortel isn’t the only company that has been breached for a long time and is just now deciding to disclose it.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MS8699
50%
50%
MS8699,
User Rank: Apprentice
2/15/2012 | 6:45:25 AM
re: Nortel Breach Gave Hackers Access For Years, Report Says
Ten years is a long time for an attack to go essentially unresolved, but the security landscape has changed dramatically during at this time-
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9209
Published: 2015-03-30
Untrusted search path vulnerability in the Clean Utility application in Rockwell Automation FactoryTalk Services Platform before 2.71.00 and FactoryTalk View Studio 8.00.00 and earlier allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.