Nortel: Database hack, industrial espionage, and banckruptcy

What is it about?

In 2009, Canada-based telecom giant Nortel Networks Corp discovered through its audits and internal investigations, that its databases were breached over a series of hack overs and that it was a victim of espionage. The blow was too huge to recover from, the company filed for bankruptcy later that year.

What exactly happened?

Around Christmas 2008, Nortel employee, Brian Shields, found some discrepancies and anomalies in the company’s logs. He conducted an internal investigation based on his hunch.

“I went through about two months of Web logs from Mike Z. (the CEO), and, sure enough, I found that right in the middle of a Yahoo session he had some activity go over to Beijing that didn’t fit in with any of the other URL information that was showing up. It didn’t belong there, it just didn’t. This was rotten.”

Further investigations by a digital forensic expert revealed that hackers had breached the company’s databases, stolen admin passwords, installed rootkits, tapped into their Internet communications, and had free reign inside Nortel’s network for more than a decade.

Once the hidden processes were discovered, the expert was able to trace the perpetrators to Chinese IP addresses, some of which also had accounts on a Mandarin-language bulletin board hosted just outside of Beijing. It was there the expert was able to glean personal details about the hackers and what they were doing in Nortel’s system.
“They were doing surveillance, intelligence gathering,” he said.
“They were watching what [programs] people were using, what they were doing, what emails they were reading and that is exactly what we would expect to see from someone who was basically engaged in espionage.”
It was around this time that the Shezan-based company Huawei had surpassed US$100-million in annual sales to international markets. The end was near for Nortel, and they had to declare bankruptcy in 2009.
Still, neither the expert nor Mr. Shields was able to establish a direct link between the hackers and their mysterious benefactors. Mr. Shields’ conviction that the Chinese government was involved on behalf of Huawei remains circumstantial at best.
Finger pointing aside, Mr. Shields believed he did have hard evidence of somebody hacking Nortel’s systems, even if he couldn’t prove who was paying them. Once he found proof of hackers breaching the chief executive’s own computer in late 2008, he presented his findings to Pat Cottrell, Nortel’s IT security manager at the time. Surely now, he thought, he would get the approvals and the attention needed to more thoroughly inspect Mike Z’s computer.
Instead, her response according to Mr. Shields was “Mike Z is a very busy man, he is trying to sell business units and we can’t be slowing him down and trying to interrupt him with memory dumps of his computer.”
1. Cyber espionage can have a devastating effect on the social fabric of a nation as well as on the actions of every private company. It is sneaky and silent: unlike other crimes, it may be conducted for years without the victim being aware of it with serious consequences.
It could be state-sponsored or industry (corporate) -sponsored, or both.
2. Cyber threat is real and can lead catastrophic consequences.Every organization is potentially at risk and to underestimate the threat is a serious mistake. The situation requires careful management of the business presence in the cyber space of every company.
3. Despite an acceleration of high-profile cyber attacks against major global networks in recent years, many executives fail to recognize the potentially devastating nature of such cyber threats.
There is data to support this growing lack of awareness. Last October, security software giant Symantec Corp. released a study that found operators of telecommunications networks, power grids, water systems and other services of vital importance had grown “less concerned about threats and less ready” than they were a year prior even as attacks have grown more frequent and sophisticated.
4. Auditing is a key and often overlooked pillar of information security. Often the sheer volume of audit logs creates a burden of work on those responsible for their timely review. However, the use of 3rd party parsing tools allows this to be minimized.
5. What stands out in the Nortel case is the complete failure to provide adequate data encryption for “data at rest”. Anything that is deemed valuable enough to be tagged a “trade secret” is worth the effort of encryption.
6. Another glaring error in Nortel was the lack of proper access controls. A failure to provide even a rudimentary access control policy contributed to the wide-spread data breach across the company.
US Legislation: The Economic Espionage Act of 1996
The Economic Espionage Act of 1996 (EEA) was signed into law by President Clinton and contains two provisions for identifying and prosecuting cases involving economic espionage and the theft of trade secrets.
The first, 18 U.S.C. § 1831, criminalizes the theft of trade secrets used to benefit a foreign power (the economic espionage section) and can result in a individual punishment of up to $500,000 and 10 years in prison Organizations violating this statute can be fined up to $10 Million dollars.
The second aspect of the EEA, which is 18 U.S.C. § 1832, addresses the theft of trade secrets “ that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof”.
The punishment here is imprisonment not to exceed 10 years and/or a fine of up to $500,000 and in the case of organizations, a fine of up to $5 Million dollars.
The EEA applies to individuals who are U.S. citizens, regardless of where they are physically located, as well as to non-U.S. citizens if the act of espionage was conducted on U.S. soil.
A person cannot be convicted if the trade secret was disclosed through the use of reverse engineering or parallel development. As is typical of most laws around computer crime, seizure of assets used in the violation of the law is almost certain to occur.[3] Prior to the establishment of the EEA, any corporate entity that felt they had suffered a loss of trade secrets were forced to contact law enforcement and their intellectual property could potentially be publicly disclosed during public court proceedings. While the EEA is certainly a step in the right direction with regards to prosecuting industrial espionage cases, it does not prevent legal intelligence gathering capabilities used by most foreign intelligence agencies and well-staffed corporate attackers such as “dumpster diving” or using refined online search tools (aka “Google Hacking”) to identify public data.