http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
By Brian Krebs
Krebs on Security
February 5, 2014
Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.

Target spokeswoman Molly Snyder said the company had no additional information to share, citing a “very active and ongoing investigation.”

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
[...]