Hackers roamed Nortel's networks for over 10 years
- By Kathleen Hickey
- Feb 15, 2012
Hackers gained access to Nortel’s networks and took documents for more than a decade, even for years after the breach was discovered, according to a report in the Wall Street Journal.
Former Nortel employee Brian Shields, who led the internal investigation of the hacking, told the WSJ that the company discovered the breach in 2004 but allowed the hacks to continue for years afterwards. Five years after the breach was discovered, in 2009, Shields found rootkits in laptops using an encrypted channel to send e-mail and other sensitive information to servers near Beijing.
Although the hackers were described by the WSJ and other publications as Chinese, Graham Cluley, senior technology consultant at Sophos, cautioned against that assumption. Although the transmissions were traced to a Chinese IP address, that server could have been remotely hacked by someone in another country, he noted in a blog post.
The hackers stole seven passwords from top Nortel executives, including the CEO, using them to download technical papers, research and development reports, business plans, employee e-mails and other documents, Shields said. These passwords not only enabled the hackers to access the company’s network but also remotely control personal computers with spyware. The hackers “had access to everything,” he said.
The type of attacks Nortel experienced are commonly called APTs, or advanced persistent threats, which are on the rise. APTs are ideal for long-term hacks as they “are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time,” said the National Institute of Standards and Technology in its newly revised draft computer security guidelines, GCN reported.
It’s not known how the hackers obtained the passwords, but one common method is phishing, whereby the hackers trick users into giving up their personal log-in information.
“The human still is the weak link in everything,” said RSA’s Chief Information Security Officer Eddie Schwartz in a GCN article. Schwartz spoke on RSA’s security revamp efforts after its APT hack in March 2011.
Nortel changed the passwords when the breach was discovered in 2004 but did little else, Shields said. The company halted its internal investigation after six months, did not investigate whether any of its products were compromised and did not act on recommendations by Shields for improving network security, he said. The company also ignored findings from a second investigation, according to five other former Nortel employees, reported WSJ.
Nortel is not the only organization to recently discover it has been a victim of a long-term hack. The City College of San Francisco recently found a virus that had been implanted in 1999 had been stealing bank information from students and staff members and sending transmissions to Russia, China and other countries for more than 10 years, reported GCN.
Nortel filed for bankruptcy in 2009 and sold off IP addresses and its patents to pay creditors. Today, the company would be required to disclose the breach under a Securities and Exchange Commission cybersecurity risks and incidents guidance for public companies, which was written in October 2011.
Kathleen Hickey is a freelance writer for GCN.