Anatomy of a Breach: Nortel Networks — A Decade of Chinese Espionage Hidden in Plain Sight

> series: anatomy_of_a_breach —— part: 038 —— target: nortel_networks —— duration: ~10_years —— attacker: chinese_state

Hedgehog Security 28 February 2012 13 min read

Ten years inside. Nobody stopped them.

In February 2012, the Wall Street Journal reported that Chinese state-sponsored hackers had maintained persistent access to Nortel Networks — once Canada's largest technology company — for approximately a decade, from at least 2000 until the company filed for bankruptcy in 2009. The attackers had compromised the passwords of seven senior executives, including the CEO, and used them to access everything: strategic planning documents, research and development data, business plans, employee emails, and internal communications.

Brian Foran, a Nortel security adviser who investigated the intrusions, discovered the breach in 2004 — but his warnings were largely ignored by management. The company changed the compromised passwords but took no further action to investigate the scope of the compromise, remediate the intrusion, or harden its systems against further attack. The hackers simply returned, establishing new access through rootkits and backdoors that persisted until Nortel ceased operations. When Nortel's assets were sold during bankruptcy — patents acquired by a consortium including Apple, Microsoft, and others for $4.5 billion — the question of whether compromised infrastructure was part of the sale was never publicly resolved.


A decade of access, a culture of indifference.

Nortel Networks Espionage — Timeline
── ~2000 ──────────────────────────────────────────────────
Chinese state-sponsored hackers gain initial access
Seven executive accounts compromised
Access to strategic, R&D, and business plan documents

── 2004 ───────────────────────────────────────────────────
Security adviser Brian Foran discovers the intrusions
Reports to management — warnings largely ignored
Compromised passwords changed, no further action taken

── 2004–2009 ──────────────────────────────────────────────
Attackers re-establish access via rootkits and backdoors
Persistent espionage continues unimpeded for 5 more years
No comprehensive investigation, no incident response

── January 2009 ───────────────────────────────────────────
Nortel files for bankruptcy protection
Assets sold, patents to Apple/Microsoft consortium ($4.5B)
Question: did buyers acquire compromised infrastructure?

── February 2012 ──────────────────────────────────────────
Wall Street Journal reveals the decade-long compromise

When warnings are ignored, adversaries thrive.

Dwell Time: A Decade

The Nortel breach makes <a href="/blog/anatomy-of-a-breach-operation-shady-rat">Operation Shady RAT's</a> five-year campaigns look modest. A decade of uninterrupted access to a Fortune 500 telecommunications company's most sensitive data. The absence of monitoring — the kind <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides — allowed the attackers to operate for the entire lifetime of the intrusion without detection or disruption.

Warnings Ignored by Management

The breach was discovered internally in 2004 — but management chose to change passwords and move on rather than investigate. This is a governance failure, not a technical one. Boards and senior management must treat security incidents as requiring investigation and remediation, not just credential rotation. Our <a href="/blog/sector-under-the-microscope-defence-supply-chain">defence supply chain analysis</a> examines why governance failures persist.

M&A Cyber Risk

When Nortel's assets were sold, the buyers may have acquired compromised infrastructure and data that had been exfiltrated over a decade. Cyber due diligence in mergers and acquisitions is essential — and our <a href="/penetration-testing/infrastructure">penetration testing</a> is frequently commissioned as part of M&A due diligence to assess the security posture of acquisition targets.

Telecoms as Strategic Targets

Nortel was a telecommunications equipment manufacturer — its products were deployed in networks worldwide. Compromising Nortel's R&D data potentially gave adversaries insight into the design of telecommunications infrastructure globally. For organisations in the UK's critical national infrastructure, <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence's threat intelligence</a> provides awareness of the APT groups targeting their sector.

How to prevent a decade-long intrusion.

The Nortel breach persisted for a decade because the company lacked three capabilities: detection (no monitoring to identify the ongoing intrusion), investigation (no incident response when the breach was discovered in 2004), and remediation (no comprehensive action to remove the attackers and harden against re-entry). These are exactly the capabilities that modern security programmes must provide.

SOC in a Box provides 24/7 monitoring that detects APT-style intrusions — the encrypted communications, lateral movement, and data exfiltration that characterised the Nortel compromise. Our red team engagements simulate nation-state attack techniques to test whether your detection capabilities would identify a Nortel-style persistent intrusion. Cyber Essentials establishes the baseline controls. And UK Cyber Defence's incident response service provides the investigation and remediation capability that Nortel's management chose not to commission in 2004.


Nortel's hackers were discovered in 2004 and ignored. Would your organisation do the same?

<a href="https://www.socinabox.co.uk">SOC in a Box</a> detects. <a href="/penetration-testing/red-team">Red team testing</a> validates. <a href="https://www.cyber-defence.io/services/incident-response">Incident response</a> investigates and remediates. Because the difference between Nortel and a company that survives an APT intrusion is not whether the breach is discovered — it is what happens next.
