So in a way, it’s just like all those action movie and video game cliches where people bypass complicated alarm systems through ridiculously large ventilation ducts…
Anyway, Krebs’s sources say that the attackers first slimed their way into Target’s system on Nov. 15 using network credentials stolen from the Mechanicsburg, PA, HVAC contractor that had been hired to work on numerous Target stores.
The president of the company confirmed to Krebs that his business had recently been visited by the Secret Service, which is in the process of investigating the massive breach, but couldn’t give any further details as he was not there at the time.
So how and why would an HVAC vendor have unfettered access to Target’s network?
The retailer isn’t saying, but Krebs has a theory. A source at another large retailer explains that many retail chains try to save on electric and gas bills by routinely monitoring stores’ energy consumption and temperatures. Thus, any outside vendor involved in this monitoring would need remote access, not just for the purpose of checking the data, but also for patching and updating the monitoring software.
Once the hackers were into the system, they tested their malware by uploading it to a handful of cash registers between Nov. 15 and Thanksgiving. Apparently happy with their results, they then unleashed the malware on the majority of the payment system in a matter of two days.
For more details on the hack, including info on how the attackers collected and stored stolen data on hijacked computers at unwitting businesses, check out the full story on KrebsOnSecurity.com.