Attackers breached Nortel and had free rein to spy on its internal network and communications from 2000 to 2009, according to an internal report. As usual, China is the prime suspect.
Chinese hackers allegedly
breached telecommunications company Nortel in 2000 and these cyber-spies gained
access to reams of sensitive technical documents, as well as internal
communications and email, for nearly 10 years, according to a report in The Wall
The attackers, suspected of
being based in China, breached the network using stolen credentials and
installed spying software deep within the companys networking environment to
gain access to all documents and communications, the Journal
reported Feb. 14. The breach appears to date as far back as
2000, Brian Shields, the former senior advisor for systems security at Nortel
who led the internal investigation, told the paper.
The attackers managed to
steal log-in credentials for seven Nortel executives, including a former chief
executive. Over the years, they downloaded technical papers, research and
development reports, business plans, employee emails and other documents. It
took investigators years to realize the pervasiveness of the problem.
The attackers had
"access to everything," Shields told the Journal
. "They had plenty of time. All they had to do was
figure out what they wanted.
U.S. government officials
and company executives are increasingly worried about international corporate
espionage. In January, reports surfaced about China-based hackers who breached Canadian
to intercept information related to a $40 billion acquisition of
Potash Corp. of Saskatchewan by an Australian mining giant in 2010.
The Chinese government has
long denied allegations
of corporate cyber-espionage
, claiming that the country was also a victim
of cyber-attacks. Officials have used words such as "irresponsible"
in response to these charges since no concrete evidence has been produced.
The Chinese Embassy told the
that these kinds of attacks
are "transnational and anonymous."
Even though the computers
appeared to be transmitting data back to China, it is premature to accuse
Chinese hackers, Graham Cluley, a senior technology consultant at Sophos, wrote
on the Naked
blog. It is just as likely that a computer in Shanghai was
compromised by a remote hacker in another part of the world, Cluley said. These
types of attacks are not limited to just the Chinese, as they can easily be
based in Great Britain, Italy, South Africa and Canada, to name a few.
"It's all too easy to
point a finger, but it's dangerous to keep doing so without proof," Cluley
Nortel didn't respond to
requests for comment.
The breach was first
discovered in 2004 when an employee noticed that a senior executive had
downloaded an "unusual set of documents," the Journal
reported. When questioned, the executive denied downloading
them. The internal investigators managed to trace the suspicious activity to
China-based IP addresses.
Nortel's network structure
made it easy for the attackers to move around once the perimeter was breached
because there were very few controls within the environment, according to
Shields. Inside the network was "soft and gooey," he said.
Security experts have long
advocated deploying multiple
layers of security
so that if attackers manage to breach the network
perimeter, there are other defenses in place to keep them out. Without
additional layers, once an attacker is in, there's nothing to stop them from
accessing data, as Nortel discovered.
During the six-month
investigation, Nortel did not try to determine whether the attackers had
compromised any of its products. Nortel did "nothing from a security
standpoint" other than resetting the passwords, according to the internal
report reviewed by the Journal
Shields saw signs the
network was still compromised six months after the initial discovery because
some of the computers were still sending data to the same Shanghai-based IP
addresses. He suggested taking additional steps to secure the network but
The day after leaving
Nortel, Shields found out that a sophisticated form of spyware on two of the
computers had been detected. The rootkit gave remote attackers full control
over the infected computer and was not previously detected by the Nortel
antivirus software. One of the computers had an encrypted communications
channel with a computer near Beijing and another had a program installed that
probed the network for other weaknesses to exploit.
It is not clear how the
seven passwords were initially compromised, but it is possible the executives
had been tricked by a phishing scam. These kinds of scams have been successful
in the past, such as the one that tricked senior U.S. officials into clicking
on links in messages, which resulted in their Gmail
accounts being compromised