From today's WSJ, FYI,
FEBRUARY 14, 2012
Chinese Hackers Suspected In Long-Term Nortel Breach
By SIOBHAN GORMAN
For nearly a decade, hackers enjoyed widespread access to the corporate computer network of Nortel Networks Ltd., a once-giant telecommunications firm now fallen on hard times.
Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers—who appeared to be working in China—penetrated Nortel's computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents, according to Brian Shields, a former 19-year Nortel veteran who led an internal investigation.
The hackers also hid spying software so deeply within some employees' computers that it took investigators years to realize the pervasiveness of the problem, according to Mr. Shields and Nortel documents reviewed by The Wall Street Journal. They "had access to everything," Mr. Shields said of the hackers. "They had plenty of time. All they had to do was figure out what they wanted."
According to an internal report, Nortel "did nothing from a security standpoint" to keep out the hackers, other than resetting the seven passwords.
Nortel's breach offers a rare level of detail about a type of international corporate espionage that is of growing concern to U.S. officials. A U.S. intelligence report released in November concluded that hackers operating from China—both government-affiliated and private-sector—are the world's most "active and persistent" perpetrators of industrial spying. The report cited a number of Chinese attacks, including one targeting Google; the theft of data from global energy companies; and theft of proprietary data such as client lists and acquisition plans at other companies.
The Nortel revelations come as China's vice president, Xi Jinping, arrived in the U.S. for a visit in which China is seeking to promote greater trust between the two countries. Mr. Xi, who arrived Monday afternoon, likely will press the U.S. to expand Chinese access to U.S. high-tech markets at a time when U.S. intelligence officials have expressed increasing alarm about what they say is government-sponsored cyberspying on U.S. and Western companies, particularly in China.
China's government has denied allegations of cyberspying. When asked about Nortel specifically, the Chinese embassy in Washington issued a statement saying in part that "cyber attacks are transnational and anonymous" and shouldn't be assumed to originate in China "without thorough investigation and hard evidence."
Nortel didn't respond to requests for comment. The Canadian company is in the final stages of selling itself off in pieces as part of a 2009 bankruptcy filing. Nortel was a pioneering maker of the computerized switches and telecom gear that powers much of the world's phone and Internet networks. Nortel equipment (now part of a business owned by Genband Corp.) makes up 45% to 50% of the U.S. telephone switch marketplace, according to Akshay Sharma of research firm Gartner Inc.
As part of its internal investigation, Nortel made no effort to determine if its products were also compromised by hackers, according to several former employees including Mr. Shields, who was a senior adviser for systems security at Nortel. The investigation lasted about six months, and for some of that time involved three staffers, Mr. Shields said, before it fizzled out due to a lack of leads.
Mr. Shields and several former colleagues said the company didn't fix the hacking problem before starting to sell its assets, and didn't disclose the hacking to prospective buyers. Nortel assets have been purchased by Avaya Inc., Ciena Corp., Telefon AB L.M. Ericsson and Genband.
It is possible for companies to inherit spyware or hacker infiltrations via acquisitions, said Sean McGurk, who until recently ran the U.S. government's cybersecurity intelligence center. "When you're buying those files or that intellectual property, you're also buying that 'rootkit,'" he said, using a term that refers to embedded spy software.
Nortel's experience exposes the uncertainties in reporting requirements for company officials who discover that their networks are infiltrated. Companies aren't obligated to disclose a breach to another company as part of an acquisition deal, said Jacob Olcott of Good Harbor Consulting, a firm that advises companies on national-security issues. It is up to the acquiring company to ask, he said.
Since Nortel's stock traded publicly in the U.S., it was required by the Securities and Exchange Commission to disclose "material" risks and events to investors. Many companies are just now becoming aware that cyber attacks must be reported if considered material, said Mr. Olcott, a former Capitol Hill aide who led a committee investigation into public disclosure of incidents like these.
Buyers in bankruptcy include:
Ericsson: Purchased a range of wireless businesses from Nortel valued together at $1.4 billion
Avaya: Bought much of Nortel's business with the U.S. government, valued at $900 million
Genband: Acquired the firm's Internet-phone business and other assets, originally valued at around $182 million, though that total has been contested
Ciena: Now owns Nortel's high-end networking business, valued at $769 million
Source: Gartner Inc.
As a result of that investigation, late last year the SEC issued a formal guidance memo saying cyber attacks can be "material." It also said companies are expected to investigate a breach to determine whether it is material.
A Ciena spokesman said, "Ciena was not made aware, whether during diligence or any other part of the bankruptcy-sale process, of any possible prior infiltration of the Nortel network by third parties." A spokesman for Avaya, which learned of the breach after its acquisition, said: "We are aware of this issue, reviewed it when brought to our attention and disposed of it to our satisfaction."
A Genband official declined to discuss security matters or to say whether Nortel disclosed the breach before the acquisition. An Ericsson spokeswoman said Ericsson's own network "has a robust security protocol and is constantly monitored." She said Nortel wasn't required to disclose the hacking because Ericsson purchased only selected Nortel assets, not the whole company or its internal network.
Two of Nortel's three former CEOs during the period of the hacking didn't respond to a request for comment. The third, Mike Zafirovski, said, "People who looked at [the hacking] did not believe it was a real issue. This never came up like, 'We have a real issue and we need to disclose to potential buyers of businesses.'"
Mr. Zafirovski said he didn't believe the infiltrations could be passed on to acquiring companies. "That's a real, real stretch," he said.
In interviews, three former Nortel information-technology employees disputed Mr. Zafirovski's position, pointing out that a significant number of people continued to use Nortel laptops and desktop computers after moving to Avaya and Genband and connected them to those companies' networks. One of the three said he knew with certainty that his machine wasn't tested for possible infiltration before it was connected to Avaya's network; he estimated the total number of similar machines to be "in the high hundreds."
Both companies declined to comment on Nortel machines being connected to their networks.
Mr. Shields said he believes Nortel's silence put the acquiring companies at risk. "It's despicable that Nortel didn't say anything," he said.
Nortel discovered the hacking in 2004, when an employee noticed that a senior executive appeared to be downloading an unusual set of documents, according to the internal report. When asked about it, the executive said he hadn't downloaded the documents.
Mr. Shields and a handful of the firm's computer-security officers soon learned that hackers had apparently obtained the passwords of seven top officials, including a previous CEO. The hackers had been infiltrating Nortel's network, from China-based Internet addresses, at least as early as 2000, Mr. Shields and his colleagues determined.
Hackers had almost complete access to the company's systems, Mr. Shields said, because the internal structure of Nortel's network posed few barriers. "Once you were on the inside of the network, it was soft and gooey," he said.
About six months later, Mr. Shields said, he saw signs that hackers were still in the system. Every month or so, a few computers on the network were sending small bursts of data to one of the same Internet addresses in Shanghai involved in the password-hacking episodes. Unexpected transmissions like these—where one computer sends a quick "ping" to another—often suggest the presence of spyware, security experts say.
"That's the really deep covert presence," said one person familiar with Nortel's investigation. "There is something on those computers that's doing that, and finding it is very difficult."
Mr. Shields said he suggested further steps to secure the network, but Nortel chose not to take the recommendations. "Our own internal process choked us all the time," he said.
In 2008, Mr. Shields said, he learned of a new kind of test, called a memory dump, he could run on PCs suspected of being infected. By this time, however, Nortel was in deep financial trouble. Cost-cutting layoffs had begun, the stock was tanking and top executives were desperately trying to pilot the company through a rapidly changing telecom industry. In January 2009, Nortel filed for bankruptcy protection.
In March of that year, Mr. Shields got approval to examine two of the 50 or so computers he had noticed occasionally communicating with the Shanghai Internet address. But within a couple of weeks, Mr. Shields himself was laid off—caught in the latest round of cost-cutting convulsing Nortel at the time. (Former supervisors confirm his layoff wasn't related to job performance.)
The day after he left Nortel, Mr. Shields said, he received the test results for the two computers, which had previously gotten a clean bill of health from Nortel's antivirus experts. Hackers had installed spyware on the computers and could control them remotely. The hackers were also monitoring employee email, Mr. Shields said.
The spyware unearthed in 2009 was a sophisticated mix. On both computers, researchers found a particularly malicious and hard-to-spot spying tool, namely "rootkit" software that can give a hacker full control over a computer and enables them to conceal their spying campaign, according to two people familiar with the investigation.
On one computer, hackers had set up an encrypted communications channel to an Internet address near Beijing. On the other computer, the investigators found a program that hackers were likely using to sniff out other security weaknesses within Nortel's networks. The hackers had created a "reliable back door," according to one person familiar with the investigation, allowing them to come and go as they pleased in Nortel's network.
Five former Nortel employees familiar with the investigation said the company did nothing with the new information Mr. Shields had collected. "It was blown off," one said.
Soon after, Mr. Shields was hired back as a consultant to another part of the company. In June 2009, he sent a 15-page report, detailing the infiltrations spanning nearly a decade, to Mr. Zafirovski, the then-CEO.
"The Chinese are still in your network, we never really rid them out," Mr. Shields wrote. "I personally would not trust anything you do on your computer as it is extremely likely it is being monitored."
Mr. Zafirovski said he didn't recall the report. He said some security managers have told him Mr. Shields had a reputation as someone who was smart, but would also "cry wolf."
At that point, Nortel's focus was on selling assets, not assessing possible hacker damage, former employees said. In July 2009, Nortel began inking deals that ultimately totaled $1.4 billion in sales of a range of wireless businesses to Ericsson, the Swedish telecom company. In December, in a $900 million deal with U.S.-based Avaya, Nortel sold off a business that included much of its work with the U.S. government.
In February 2010, Nortel sold its Internet-phone business and other assets to U.S.-based Genband. The following month, it sold its high-end communications-networking business to U.S.-based Ciena for $769 million, according to Gartner data.
After Avaya's acquisition of Nortel businesses, Mr. Shields shared his report on the infiltrations with a security official at Avaya. This was the first time the company learned of Nortel's intrusion, according to a person familiar with the matter.
A top U.S. intelligence official said Nortel's hacking experience is representative of the types of incidents he sees. "That is consistent with what we've seen in long-term, multipronged attacks," he said. "If I'm looking to get a jump on my R&D, that's a good way to do it."