Nortel ignored network compromise for years.
After discovering that their network was compromised in 2004, former telecommunications giant Nortel Networks did nothing to keep the attackers out, even after it was learned that they may have been in the system since 2000. This revelation was brought to light on Tuesday by a report from The Wall Street Journal, citing internal investigation documents on the incident.
According to the report, which was compiled by Brian Shields, the former employee who led the internal investigations into the compromise, hackers used stolen passwords from high-ranking company officials and infiltrated the Nortel corporate network in 2000.
Four years later, the breach was discovered, but aside from changing the compromised passwords, Nortel “did nothing from a security standpoint” to resolve the issue.
Marcus Carey, a security researcher at Rapid7, says that hackers often deploy 'offense-in-depth' methodologies to stay entrenched in a network for weeks, months, and even years after the initial compromise. They constantly change their toolset to stay under the radar and avoid detection, and he believes these types of attacks are the definition of advanced persistent threat (APT) due to the long-term and methodical nature of the continuous compromise. As much as the term APT bothers us here at the Herald, we have to admit that Carey has a point.
The Nortel report says that the breach was noticed after a senior manager was logged downloading documents that fell outside of their normal pattern. When questioned, the manager was just as surprised as the investigators, leading to the conclusion that something was wrong. By that point, the meltdown was already underway.
Commenting that the hackers, said to be from China (the world’s top boogeyman when it comes to issues of cybercrime), had access to everything, Shields added, “They had plenty of time. All they had to do was figure out what they wanted.”
Shields told the Journal that he made various recommendations on how to address the network compromise, but added that his advice was ignored. The malware planted on the various Nortel systems allowed remote access to almost everything the company would want to protect, including R&D reports and notes, business plans, corporate email, and various other IP-related documents and code.
“The amount of damage that can be done in a single instance of a data breach is extreme; to imagine what Nortel is facing after years of hidden spying software is unfathomable and undoubtedly raises questions for many organizations as to the security of some of their more sensitive information,” commented Bill Morrow, executive chairman, Quarri Technologies.
China dismissed the Nortel report outright, claiming they had nothing to do with the incident. When asked for comment, the company’s former CEO said the staff “did not believe it was a real issue” when speaking about the breach and the lack of disclosure – especially during Nortel’s bankruptcy process and attempts to sell off parts of the company to other investors.