The Air Ducts! How Target's Hackers Broke Into the Network to Initiate the Credit Card Breach
Last week, it wasn't clear how the hackers who caused Target's massive credit card breach got into the company's payment system: it was just clear that credentials were stolen or hacked. In a report from Krebs on Security on Wednesday, the answer might have been found -- and it's stranger than you might guess.
Hackers who broke into Target's corporate network and inserted malware responsible for one of the largest retail cyber security breaches in history apparently got into the system using the oldest trick in the books -- through the air ducts. Through network authentication credentials stolen from a heating, ventilation, and air-conditioning (HVAC) contractor, to be exact.
Cyber security expert Brian Krebs, who was the first to report the credit card breach at one of the U.S.'s largest retail chains, wrote in his blog KrebsOnSecurity that the "initial intrusion into [Target's] systems was traced back to network credentials that were stolen from a third party vender ... a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers."
Kreb's sources pointed out the vendor, a Sharpsburg, Pennsylvania-based HVAC and refrigeration company called Fazio Mechanical Services, as the point of entry for the hackers, who first broke into Target's systems on Nov. 15, 2013. The hackers apparently made quick work of Target's network security, as the credit card breach began a week later on Nov. 27.
Why Target would give an HVAC company network access may seem puzzling at first, but according to Kreb's anonymous sources, it's common for large retail stores to monitor energy consumption and temperatures to save on costs.
"To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software," said Kreb's source. "This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people."
Krebs' report says that between Nov. 15 and Thanksgiving, on Nov. 28, the attackers uploaded the credit card information-swiping malware -- which monitors a computer's active memory (RAM) and scoops up card numbers, expiration dates, and security codes while they are briefly unencrypted -- into just a few number of cash registers within Target stores. But by the start of December -- well into the holiday shopping rush -- "the intruders had pushed their malware to a majority of Target's point-of-sale devices, and were actively collecting card records from live customer transactions."
Representatives from Target and Neiman Marcus visited Capitol Hill on Tuesday, testifying in a hearing on the cyber security breaches and telling Congress that the problem will continue for many major retailers. "The unfortunate reality is that we suffered a breach, and all businesses -- and their customers -- are facing increasingly sophisticated threats from cyber criminals," Target chief financial officer John J. Mulligan said. "In fact, recent news reports have indicated that several other companies have been subjected to similar attacks."
New legislation is likely to be enacted in response to the unprecedented credit card breach, likely requiring retailers and credit card companies to adopt new cyber security technology, as well as requiring companies who experience a credit card breach to inform the public with less delay.
For more details on how the hackers got into Target's network and how they extracted the credit card information, check out KrebsOnSecurity.