Attackers breached Nortel and had free rein to spy on its internal network and communications from 2000 to 2009, according to an internal report. As usual, China is the prime suspect.
Chinese hackers allegedly breached telecommunications company Nortel in 2000, and these cyber-spies gained access to reams of sensitive technical documents, as well as internal communications and email, for nearly 10 years, according to a report in The Wall Street Journal.
The attackers, suspected of being based in China, breached the network using stolen credentials and installed spying software deep within the company's networking environment to gain access to all documents and communications, the Journal reported Feb. 14. The breach appears to date as far back as 2000, Brian Shields, the former senior advisor for systems security at Nortel who led the internal investigation, told the paper.
The attackers managed to steal log-in credentials for seven Nortel executives, including a former chief executive. Over the years, they downloaded technical papers, research and development reports, business plans, employee emails and other documents. It took investigators years to realize the pervasiveness of the problem.
The attackers had "access to everything," Shields told the Journal. "They had plenty of time. All they had to do was figure out what they wanted."
U.S. government officials and company executives are increasingly worried about international corporate espionage. In January, reports surfaced about China-based hackers who breached Canadian law firms to intercept information related to a $40 billion acquisition of Potash Corp. of Saskatchewan by an Australian mining giant in 2010.
The Chinese government has long denied allegations of corporate cyber-espionage, claiming that the country was also a victim of cyber-attacks. Officials have used words such as "irresponsible" in response to these charges, since no concrete evidence has been produced. The Chinese Embassy told the Journal that these kinds of attacks are "transnational and anonymous."
Even though the computers appeared to be transmitting data back to China, it is premature to accuse Chinese hackers, Graham Cluley, a senior technology consultant at Sophos, wrote on the Naked Security blog. It is just as likely that a computer in Shanghai was compromised by a remote hacker in another part of the world, Cluley said. These types of attacks are not limited to the Chinese; the attackers could just as easily be based in Great Britain, Italy, South Africa or Canada, to name a few.
"It's all too easy to point a finger, but it's dangerous to keep doing so without proof," Cluley wrote.
Nortel didn't respond to requests for comment.
The breach was first discovered in 2004 when an employee noticed that a senior executive had downloaded an "unusual set of documents," the Journal reported. When questioned, the executive denied downloading them. The internal investigators managed to trace the suspicious activity to China-based IP addresses.
Nortel's network structure made it easy for the attackers to move around once the perimeter was breached because there were very few controls within the environment, according to Shields. The inside of the network was "soft and gooey," he said.
Security experts have long advocated deploying multiple layers of security so that if attackers manage to breach the network perimeter, there are other defenses in place to keep them out. Without additional layers, once an attacker is in, there's nothing to stop them from accessing data, as Nortel discovered.
During the six-month investigation, Nortel did not try to determine whether the attackers had compromised any of its products. Nortel did "nothing from a security standpoint" other than resetting the passwords, according to the internal report reviewed by the Journal.
Shields saw signs the network was still compromised six months after the initial discovery because some of the computers were still sending data to the same Shanghai-based IP addresses. He suggested taking additional steps to secure the network, but Nortel declined.
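The tell that Shields describes, hosts that keep talking to the same external addresses after the passwords were reset, is one that an investigator can check mechanically against egress logs. The script below is an added example, not code from the article or from Nortel's investigation: it parses a few constructed outbound-connection log lines (dates, host names, byte counts and the RFC 5737 documentation addresses are all made up for illustration) and reports every host/destination pair that was active before a remediation date and is still active afterwards, which is exactly the case where a credential reset alone has not removed the attacker's foothold.

```python
"""Flag internal hosts that keep sending data to the same external destination
after a remediation step (added example; constructed data, not Nortel's logs)."""
from collections import defaultdict
from datetime import date

# Constructed egress log: date, internal host, destination IP, bytes sent.
# Destination addresses are from RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
2004-03-02 ws-exec-01 203.0.113.7 18200
2004-03-03 ws-exec-01 203.0.113.7 17950
2004-03-05 ws-eng-14 198.51.100.21 9100
2004-03-20 ws-exec-01 203.0.113.7 18440
2004-03-22 ws-exec-01 203.0.113.7 18010
2004-03-21 ws-eng-14 192.0.2.44 120
"""

# Hypothetical date on which the executives' passwords were reset.
PASSWORD_RESET = date(2004, 3, 10)


def parse_log(text):
    """Turn whitespace-separated log lines into (date, host, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, dst, nbytes = line.split()
        events.append((date.fromisoformat(day), host, dst, int(nbytes)))
    return events


def persistent_destinations(events, reset_day, min_after=2):
    """Return {(host, dst): (count_before, count_after, bytes_after)} for pairs
    seen before reset_day and at least min_after times on or after it.

    A destination that only appears after the reset is new activity and is
    left for other checks; a destination that only appears before it may have
    been cleaned up. The overlap is what suggests the reset did not help."""
    before = defaultdict(int)
    after = defaultdict(int)
    bytes_after = defaultdict(int)
    for day, host, dst, nbytes in events:
        key = (host, dst)
        if day < reset_day:
            before[key] += 1
        else:
            after[key] += 1
            bytes_after[key] += nbytes
    return {
        key: (before[key], after[key], bytes_after[key])
        for key in before
        if after[key] >= min_after
    }


def report(findings):
    """Render findings as one line per surviving host/destination pair."""
    return [
        f"{host} still reaching {dst}: {nb} connections before reset, "
        f"{na} after ({byts} bytes out)"
        for (host, dst), (nb, na, byts) in sorted(findings.items())
    ]


if __name__ == "__main__":
    hits = persistent_destinations(parse_log(SAMPLE_LOG), PASSWORD_RESET)
    for line in report(hits):
        print(line)
```

On the constructed data only ws-exec-01 is reported: it reached 203.0.113.7 twice before the reset and twice after, with the same order-of-magnitude byte counts. The `min_after` threshold keeps a single post-reset connection from triggering on its own; in practice it would be tuned to the beaconing interval observed during the investigation.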
The day after leaving Nortel, Shields found out that a sophisticated form of spyware had been detected on two of the computers. The rootkit gave remote attackers full control over the infected computer and had not previously been detected by the Nortel antivirus software. One of the computers had an encrypted communications channel with a computer near Beijing, and another had a program installed that probed the network for other weaknesses to exploit.
It is not clear how the seven passwords were initially compromised, but it is possible the executives had been tricked by a phishing scam. These kinds of scams have been successful in the past, such as the one that tricked senior U.S. officials into clicking on links in messages, which resulted in their Gmail accounts being compromised last year.