Credentials Used For Target Hack Reportedly Stolen From HVAC Vendor

Okay, so the hackers didn't actually go through the ventilation system, but tell us this isn't the first thing you thought of.

When it was first revealed that the hackers who compromised Target’s in-store payment processing system had used stolen vendor credentials to breach the retailer’s network, many probably assumed that the vendor was some sort of IT or security consultant. But a new report from cybersecurity expert and journalist Brian Krebs says it appears that the entry point into the system was through a refrigeration, heating and cooling company in Pennsylvania.

So in a way, it’s just like all those action movie and video game cliches where people bypass complicated alarm systems through ridiculously large ventilation ducts…

Anyway, Krebs’s sources say that the attackers first slimed their way into Target’s system on Nov. 15 using network credentials stolen from the Mechanicsburg, PA, HVAC contractor that had been hired to work on numerous Target stores.

The president of the company confirmed to Krebs that his business had recently been visited by the Secret Service, which is in the process of investigating the massive breach, but couldn’t give any further details as he was not there at the time.

So how and why would an HVAC vendor have unfettered access to Target’s network?

The retailer isn’t saying, but Krebs has a theory. A source at another large retailer explains that many retail chains try to save on electric and gas bills by routinely monitoring stores’ energy consumption and temperatures. Thus, any outside vendor involved in this monitoring would need remote access, not just for the purpose of checking the data, but also for patching and updating the monitoring software.

Once the hackers were in the system, they tested their malware by uploading it to a handful of cash registers between Nov. 15 and Thanksgiving. Apparently happy with their results, they then unleashed the malware on the majority of the payment system in a matter of two days.

For more details on the hack, including info on how the attackers collected and stored stolen data on hijacked computers at unwitting businesses, check out the full story on KrebsOnSecurity.com.

  1. CommonC3nts says:

    Target could have isolated the POS system from their HVAC with firewalls.
    But now who gets sued for all the losses? Target or the HVAC vendor?

    • C0Y0TY says:

      Both share liability for inadequate security. The vendor’s security allowed hackers into its system, which allowed them into Target’s inadequate system. Target can sue the vendor, but is still responsible for its own sloppiness.