Saturday, March 11, 2017
Nortel hacked to pieces
Sara D. Davis for National PostBrian Shields, a former senior advisor for systems security at Nortel poses in Durham, North Carolina.
Under mounting pressure to prove China-based hackers had infiltrated the vast global computer network of Nortel Networks Corp. all the way to the chief executive’s terminal, Brian Shields felt he had no choice but to go rogue.
Armed with nearly two decades doing security for the now-defunct Canadian company whose technology still powers telecommunications networks around the world, he had spent a day just before Christmas 2008 digging through the Web browsing history of then CEO Mike Zafirovski, known to colleagues as ‘Mike Z’. Mr. Shields was convinced there were criminals working on behalf of China’s Huawei Technologies Co. Ltd. accessing the CEO’s files, but his hunch hadn’t been enough for his immediate bosses to grant him direct access to the top man’s PC.
“I went on my own then and pulled the Web logs from Mike Z. since I had access to those kinds of logs back then,” the 53-year-old Nortel veteran recalled. It was there he finally found the digital smoking gun he had spent years trying to find.
“I went through about two months and, sure enough, I found that right in the middle of a Yahoo session he had some activity go over to Beijing that didn’t fit in with any of the other URL information that was showing up. It didn’t belong there, it just didn’t. This was rotten.”
As reported by the Wall Street Journal this month, hackers had free reign inside Nortel’s network for more than a decade before the company went bankrupt in 2009. Now, in lengthy interviews with the Financial Post, Mr. Shields and a third-party digital forensics expert who worked on the investigation shed more light on the cyber criminals they were pursuing, their intentions and the inexplicable lack of response from Nortel’s senior staff.
The revelations serve as a wake up call not only to the companies who purchased Nortel’s infected hardware, but to the global technology industry at large.
The attackers were “clearly recent graduates of a Chinese polytechnic” who were “heavily in debt,” yet by 2009 seemed to have “more money than they ever imagined,” according to the third-party expert who works for a leading U.S. computer security tool vendor who requested anonymity.
Although never formally contracted by Nortel to aid the investigation, the expert had been sought out by Mr. Shields in the summer of 2008 for his advice and assistance in analyzing some of the machines he believed were infected. Nortel’s own anti-malware specialist had been unable to find any evidence of foul play, but Mr. Shields refused to let the matter drop.
“I thought [helping Brian] might land me some work down the line,” the expert said. “Nortel was, after all, still a very big company at the time.”
Not only did the expert’s analysis confirm that rootkits (malicious software designed to make certain processes running on a device invisible to basic inspection) existed on the machines identified by Mr. Shields, but that it was professionals who had put them there.
“Brian would wipe the hard drive of one of the machines and re-image it, then we did a second memory image within five minutes,” the expert said. “It was a lot cleaner but I still found a couple of artifacts that told me the rootkit was still there. So it was something sophisticated that was able to survive a reformat of the system.”
Once the hidden processes were discovered, the expert was able to trace the perpetrators to Chinese IP addresses, some of which also had accounts on a Mandarin-language bulletin board hosted just outside of Beijing. It was there the expert was able to glean personal details about the hackers and what they were doing in Nortel’s system.
“They were doing surveillance, intelligence gathering,” he said.
“They were watching what [programs] people were using, what they were doing, what emails they were reading and that is exactly what we would expect to see from someone who was basically engaged in espionage.”
Still, neither the expert nor Mr. Shields was able to establish a direct link between the hackers and their mysterious benefactors. Mr. Shields’ conviction that the Chinese government was involved on behalf of Huawei remains circumstantial at best: the Shenzhen-based company had surpassed US$100-million in annual sales to international markets in 2000, the year many Nortel historians mark as the start of the former Canadian corporate champion’s fall from grace. Huawei enjoyed rapid global growth from that point onward.
Today, many former Nortel customers — including BCE Inc., Canada’s largest telecommunications firm — have moved to Huawei. Analysts expect the privately held company will overtake Ericsson as the world’s largest telecom equipment vendor when it reports annual figures this spring, giving Huawei the crown once worn by Nortel.
China’s embassy in Washington issued a statement to the WSJ specifically denying any involvement in the Nortel hacking, saying “cyber attacks were transnational and anonymous” and shouldn’t be assumed to originate in China “without thorough investigation and hard evidence.”
Finger pointing aside, Mr. Shields believed he did have hard evidence of somebody hacking Nortel’s systems, even if he couldn’t prove who was paying them. Once he found proof of hackers breaching the chief executive’s own computer in late 2008, he presented his findings to Pat Cottrell, Nortel’s IT security manager at the time. Surely now, he thought, he would get the approvals and the attention needed to more thoroughly inspect Mike Z’s computer.
Instead, her response according to Mr. Shields was “Mike Z is a very busy man, he is trying to sell business units and we can’t be slowing him down and trying to interrupt him with memory dumps of his computer.” Ms. Cottrell declined to comment on this story, citing a confidentiality agreement with her current employer.
“I hit myself in the head,” Mr. Shields said. “[Mr. Zafirovski] wouldn’t have even known [the memory dump] had happened. It would have slowed his machine down for maybe 10 minutes.”
Mr. Shields says he struggled for resources ever since the breach was discovered by a Nortel employee based in the United Kingdom in 2004. He even spent several hours in November of 2007 explaining his concerns in a meeting he said was attended by several Nortel executives including Jack Reyes, vice-president of corporate security, and Randy Calhoun, Nortel’s director of corporate and systems security.
They told him to prepare an audit report, which Mr. Shields said he filed in early 2008 but that was never passed along to upper management.
Mr. Reyes could not be reached and Mr. Calhoun, now an independent security consultant based in Dallas, declined to comment. Mr. Shields had a reputation as someone who would “cry wolf,” Mr. Zafirovski told the WSJ.
“I may have been crying wolf,” said Mr. Shields. “That is what my boss was thinking, but the problem was, there was a wolf.”
The digital forensics expert who helped with the investigation “can understand, once [Nortel] started to sell off the company, why they wouldn’t want something like this to come to light.”
“I’m sure some of the people who bought Nortel assets out of the bankruptcy sale wouldn’t have paid as much if they knew they were getting a bunch of computers that were deeply infected with malware.
“Particularly the way Brian got fired [in early 2009] just when he was about to succeed made me and some of my friends really suspicious,” the expert said, adding “in the face of this evidence [Nortel] didn’t really take any action, which was odd.”
Last week, after reading about his report in the WSJ, someone working in the IT department at a buyer of one of the sold Nortel divisions — he declined to say which one; Nortel’s various assets were purchased by several different firms — got in touch with Mr. Shields.
“Can you please help me?” the employee said, according to Mr. Shields.
After learning the employee was the only one handling computer security at his company in addition to several other IT-related responsibilities, Mr. Shields had to decline.
“I said ‘Oh geez, oh man, you’ve already told me more than I needed to know’. They just don’t have people focused on this problem and that is part of the problem,” he said.
Despite an acceleration of high-profile cyber attacks against major global networks in recent years, many executives fail to recognize the potentially devastating nature of such cyber threats, said Gene McLean, vice-president and chief security officer at Telus Corp. from 2001 until 2008.
There is data to support this growing lack of awareness. Last October, security software giant Symantec Corp. released a study that found operators of telecommunications networks, power grids, water systems and other services of vital importance had grown “less concerned about threats and less ready” than they were a year prior even as attacks have grown more frequent and sophisticated.
“If it was a widespread infection — and [Nortel] was a global, well-known, respected organization at that time — you’d have a half-dozen people on that easily to find out what is happening and stop it. Once you’ve done that you certainly need to inform the corner suite; the CEO has to be aware,” Mr. McLean said.
“A good corporate citizen like Telus would certainly jump right on something like that. Others, hard to say.”