Cybersecurity Lessons from Nortel and Tesla
From Nortel to Tesla: A Tale of Two Whistleblowers
Autumn is a season that invites contemplation. As the leaves turn, the weather cools, and the kids go back to school, it’s a good time to reflect on the events of a lively spring and summer. At iON, recent reports about two major cybersecurity events have certainly got us thinking. While the two stories are separated by several years, they both deal with data theft in industries where intellectual property is crucially important, and both feature individuals who sounded the alarm. How each company responded to the warnings is where the two tales differ and speaks volumes about the importance of knowing the value of your data and the ramifications of failing to protect it.
The first article is Sam Cooper’s recent investigative report for Global News, Inside the Chinese Military Attack on Nortel, which revisits the events surrounding the demise of the former telecom giant in the early 2000s. From a Canadian’s perspective, the report makes for difficult reading. Frankly, as a Canadian cybersecurity firm, we found it infuriating.
Cooper’s article summarizes how Nortel was the victim of an ongoing, wholesale theft of its research & development materials, both by hackers apparently based in Shanghai and, allegedly, by Chinese PhD students employed at the company. Building on revelations previously reported by the Wall Street Journal in 2012 and the National Post in February 2020, and following up with those reports’ primary sources, Cooper’s article places Nortel’s data theft and subsequent downfall against the backdrop of the near-simultaneous rise of the Chinese state champion telco, Huawei.
In 2004, cybersecurity consultant Brian Shields was advised by a colleague that the email account of a Nortel senior executive had been hacked, and he learned that several documents were being sent to IP addresses based in Shanghai. After identifying the extent of the hackers’ activity, Shields reported his findings to Nortel management, but he says his warning was largely met with indifference. The executives changed their passwords and little else, their focus “more on year-to-year profits and innovation budgets” than protecting Nortel’s valuable research. Nortel’s CEO at the time of the initial breach, Frank Dunn, was fired that same year for having presided over two major accounting irregularities, but in a 2012 Wall Street Journal report, Dunn’s successor, Mike Zafirovski, said Shields was known to “cry wolf” and management did not believe the hacking was a real issue.
Shields said the infiltration of Nortel went on practically unabated for ten years, during which time the Shanghai-based hackers had full control of Nortel’s systems and total visibility into everything the company was doing. An unnamed Canadian intelligence expert cited in the article not only confirmed the systematic hacking Shields described but also claimed the same group had planted electronic bugs and spies inside Nortel facilities. He claimed Chinese PhD students hired by Nortel stole research, while agents from the Chinese Communist Party and People’s Liberation Army attempted to compromise Nortel’s managers.
Longtime shareholders and former employees of Nortel can no doubt recall where things went from there. In the years following the crash of the tech bubble in 2000, Nortel was struggling. By 2008, its very survival arguably hinged on landing the Canadian 3G Universal Mobile Telecommunications contract offered by Telus Corp. and BCE Inc. By this point, however, an aggressive new competitor had arrived on the scene.
Founded in 1987 by former People’s Liberation Army engineer Ren Zhengfei, Huawei was born of the Chinese Communist Party’s 1986-1990 five-year plan to accelerate the development of several industries, including communications. Huawei won the 3G contract in Canada, underbidding Nortel by an estimated 40 percent. In 2009, Nortel declared bankruptcy, completing a huge fall for a company that only five years earlier carried 70% of all Internet communication on its hardware.
That was then…
Fast forward to August 2020, and the attempted ransomware attack on electric carmaker Tesla. Wired Magazine describes what happened in its August 27 article, which centres on an employee at the company’s Nevada Gigafactory who was offered $1 million to either plug a USB stick with malware into a factory computer or use a factory computer to open an email with a malicious attachment. The individual who made the offer, Egor Igorevich Kriuchkov, was an old associate of the employee, and his plan was to extract sensitive data from Tesla and hold it for a ransom of several million dollars, threatening to quickly dump the data publicly if the ransom wasn’t paid.
The employee instead notified Tesla, which in turn alerted the FBI. The bureau initiated surveillance on Kriuchkov and arrested him as he tried to flee the country. He is currently in prison awaiting trial, where he is expected to reveal other members of his group to receive a lesser sentence. It is worth noting that Kriuchkov claimed in his FBI-monitored payment meeting with the Tesla employee that one member of his group “is a high-level employee of a government bank in Russia.” The U.S. Attorney’s Office for Nevada did not comment on any potential ties between the hacker group and the Russian government, but Kriuchkov’s testimony may substantiate such links.
While this story had a much happier ending than Nortel’s, there is no denying that Tesla got lucky in this instance.
Points to Ponder
While twelve years separate the end of the Nortel saga and the attempted ransom of Tesla, the unmistakable takeaway from both events is something iON has preached since our inception: If your data is extremely valuable to your organization, it is extremely valuable to malicious actors. If the group targeting Tesla had succeeded, they could have shut down the Gigafactory, delayed shipments, and triggered panic selling of Tesla shares. Furthermore, the value of the data the threat group would have acquired would exceed the amount they intended to receive in ransom. Competitors in markets that disregard U.S. and international laws regarding intellectual property could reverse engineer sensitive design data and use it to accelerate development of electric vehicles to compete with Tesla and erode their market share.
Returning to Nortel, consider that their stolen R&D documents included those with titles like “Photonic Crystals and Large Scale Integration,” “Switching and Tuning Highly Integrated Optical Circuits,” and “Speed Data Over Universal Mobile Telecommunications Service.” As Cooper states in his report, these documents laid the conceptual foundations for subsequent innovations in 3G, 4G, and ultimately 5G technology, the market for the latter now largely dominated by Huawei. While Huawei vehemently denies allegations that they directly benefited from the theft of Nortel’s data, Brian Shields makes a compelling point in the article: “These were the crown jewels of Nortel R&D. It was the future. And the only entity that could benefit from those kinds of documents being stolen, is a competitor.”
Meanwhile, the Tesla story illustrates that ransomware crews have only grown more brazen in the intervening years, and the million dollar bribe speaks to the resources many crews now have at their disposal. If these groups are willing to invest that much in attempts to steal sensitive data, the value of investing in robust cybersecurity measures is clear.
But as our title implies, a pair of whistleblowers are at the heart of both these stories, and there is no denying that the best tools and technology are no substitute for management being receptive to warnings of security breaches from credible sources. However, as encouraging as the Tesla story is, a recent tweet by Alon Gal, CTO of an Israeli cybersecurity firm, gives us pause:
“This is the CEO’s response I got for alerting a company worth few billions that an actor is selling access to their network with proven evidences.
I pray to God they get Ransomwared so hard they’ll go bankrupt 😂” pic.twitter.com/TXtnvjQ54V
Alon Gal (Under the Breach) (@UnderTheBreach), August 26, 2020
Our work continues…
For more information on the events discussed in this blog, iON recommends the following articles:
Blackwell, Tom (Feb 20, 2020). National Post. Exclusive: Did Huawei bring down Nortel? Corporate espionage, theft, and the parallel rise and fall of two telecom giants.
Cooper, Sam (Aug 25, 2020). Global News. Inside the Chinese military attack on Nortel.
Greenberg, Andy (Aug 27, 2020). Wired. A Tesla Employee Thwarted an Alleged Ransomware Plot.
Bajak, Frank (Aug 28, 2020). The Globe and Mail. Tesla targeted in failed ransomware extortion scheme.
Security Magazine (Aug 31, 2020). Tesla and FBI thwart $1 million Russian ransomware hack.