Vulnerabilities / Threats
05:11 PM
Connect Directly

Nortel Breach Gave Hackers Access For Years, Report Says

Hackers breached Nortel security and maintained access for years, reportedly making off with a treasure trove of corporate email and documents

Hackers breached Nortel security in 2000 and were able to maintain “widespread access” to the company’s computer systems for close to 10 years, according to a report.

Nortel did not immediately respond to a request for comment about the breach, but the extensiveness of the hack -- and the apparent lack of an effective response by Nortel -- has raised eyebrows. News of the attack was first publicized by The Wall Street Journal. Based on interviews with former employees and internal documents, the Journal reported that hackers based in China were able to breach security using seven stolen passwords belonging to Nortel executives. Using spyware and the compromised credentials, the attackers were reportedly able to gain access to technical papers, business plans, research and development reports, employee email, and other documents.

The attack was discovered in 2004 after an employee noticed unusual downloads that appeared to have been made by a senior executive. Nortel reportedly changed the compromised passwords, but did little else beyond conducting a six-month investigation. In the years that followed, Nortel reportedly ignored recommendations to improve network security, and ultimately began selling its assets off after declaring bankruptcy in 2009 without notifying potential suitors of the problem.

"People who looked at [the hacking] did not believe it was a real issue,” former Nortel CEO Mike Zafirovski reportedly told the Journal. “This never came up like, 'We have a real issue and we need to disclose to potential buyers of businesses.'"

While the danger may have been less clear years ago, “the continued failure of what was viewed as an innovative and sophisticated IT company to appreciate and address the risk is puzzling,” says Neil Roiter, research director at Corero Network Security.

“We expect that the new SEC guidelines will result in more disclosures, such as the recent revelation of the VeriSign breach in 2010, and that companies will be more up front about these events for the sake of the business community at large. [The guidelines should also result in] aggressive monitoring to detect outbound traffic and suspicious activity in the event of a breach,” Roiter says.

“The Nortel breach is not unexpected and reflects the reality of what every company is struggling to deal with today,” says Jacob Olcott, a principal in the cybersecurity practice at security analysis firm Good Harbor Consulting. “Those who think they don't have a problem are only fooling themselves. Additionally, the average investor is starting to understand the link between network security and future revenue: The more a company can keep attackers out of its networks, the better chance it can deliver business. Nortel investors may be asking themselves whether the decade of intellectual property and trade secret theft helped drive the company out of business.”

The Chinese government denied any involvement in the attacks, telling the Journal that "cyber attacks are transnational and anonymous" and shouldn't be attributed to China "without thorough investigation and hard evidence."

“From a legal standpoint, attribution is very difficult because we can’t place an attacker behind a keyboard, much less an entire country,” says Marcus Carey, security researcher with Rapid7. “With regard to China, it’s very easy for an attacker from any country to use China as a last hop for an attack. The attack could originate anywhere, but if it goes via China at some point, the buck for attribution will usually stop there, as American law enforcement can’t just subpoena Chinese ISP data.

“Many of my friends in the law-enforcement cyberforensics space are constantly frustrated with this fact,” he says.

Ten years is a long time for an attack to go essentially unresolved, but the security landscape has changed dramatically during that time, says Tim Keanini, chief technology officer at nCircle.

“In 2002, phishing hadn’t fully emerged as a routine security threat, there were no mobile banking threats, and no cyber-Monday shopping,” he said. “The sad reality is that it’s highly likely that Nortel isn’t the only company that has been breached for a long time and is just now deciding to disclose it.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/15/2012 | 6:45:25 AM
re: Nortel Breach Gave Hackers Access For Years, Report Says
Ten years is a long time for an attack to go essentially unresolved, but the security landscape has changed dramatically during at this time-á
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.