Nortel did not immediately respond to a request for comment about the breach, but the extensiveness of the hack -- and the apparent lack of an effective response by Nortel -- has raised eyebrows. News of the attack was first publicized by The Wall Street Journal. Based on interviews with former employees and internal documents, the Journal reported that hackers based in China were able to breach security using seven stolen passwords belonging to Nortel executives. Using spyware and the compromised credentials, the attackers were reportedly able to gain access to technical papers, business plans, research and development reports, employee email, and other documents.
The attack was discovered in 2004 after an employee noticed unusual downloads that appeared to have been made by a senior executive. Nortel reportedly changed the compromised passwords, but did little else beyond conducting a six-month investigation. In the years that followed, Nortel reportedly ignored recommendations to improve network security, and ultimately began selling its assets off after declaring bankruptcy in 2009 without notifying potential suitors of the problem.
"People who looked at [the hacking] did not believe it was a real issue,” former Nortel CEO Mike Zafirovski reportedly told the Journal. “This never came up like, 'We have a real issue and we need to disclose to potential buyers of businesses.'"
While the danger may have been less clear years ago, “the continued failure of what was viewed as an innovative and sophisticated IT company to appreciate and address the risk is puzzling,” says Neil Roiter, research director at Corero Network Security.
“We expect that the new SEC guidelines will result in more disclosures, such as the recent revelation of the VeriSign breach in 2010, and that companies will be more up front about these events for the sake of the business community at large. [The guidelines should also result in] aggressive monitoring to detect outbound traffic and suspicious activity in the event of a breach,” Roiter says.
“The Nortel breach is not unexpected and reflects the reality of what every company is struggling to deal with today,” says Jacob Olcott, a principal in the cybersecurity practice at security analysis firm Good Harbor Consulting. “Those who think they don't have a problem are only fooling themselves. Additionally, the average investor is starting to understand the link between network security and future revenue: The more a company can keep attackers out of its networks, the better chance it can deliver business. Nortel investors may be asking themselves whether the decade of intellectual property and trade secret theft helped drive the company out of business.”
The Chinese government denied any involvement in the attacks, telling the Journal that "cyber attacks are transnational and anonymous" and shouldn't be attributed to China "without thorough investigation and hard evidence."
“From a legal standpoint, attribution is very difficult because we can’t place an attacker behind a keyboard, much less an entire country,” says Marcus Carey, security researcher with Rapid7. “With regard to China, it’s very easy for an attacker from any country to use China as a last hop for an attack. The attack could originate anywhere, but if it goes via China at some point, the buck for attribution will usually stop there, as American law enforcement can’t just subpoena Chinese ISP data.
“Many of my friends in the law-enforcement cyberforensics space are constantly frustrated with this fact,” he says.
Ten years is a long time for an attack to go essentially unresolved, but the security landscape has changed dramatically during that time, says Tim Keanini, chief technology officer at nCircle.
“In 2002, phishing hadn’t fully emerged as a routine security threat, there were no mobile banking threats, and no cyber-Monday shopping,” he said. “The sad reality is that it’s highly likely that Nortel isn’t the only company that has been breached for a long time and is just now deciding to disclose it.”
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.