The hackers who broke into Target’s corporate network and made off with payment card data for 40 million of its customers gained entry using authentication credentials stolen from a heating, ventilation, and air-conditioning (HVAC) subcontractor that has done work for a variety of other large retailers, according to a report published Wednesday by KrebsOnSecurity.
Reporter Brian Krebs writes:
Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit.
According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.
Target spokeswoman Molly Snyder said the company had no additional information to share, citing a “very active and ongoing investigation.”
It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization.
And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”
Wednesday’s post reports several newly available details, including a timeline of the attack.
The attackers, Krebs says, spent about 13 days uploading their card-stealing malware to a small number of point-of-sale terminals within Target stores to make sure it worked as designed.
They then pushed the malicious software to a majority of Target’s cash registers and actively collected card records captured from live customer transactions.