The Story

Infiltrating the Target network

The attackers gained access to Target's network by first stealing credentials from a third-party heating and ventilation contractor based in Pittsburgh, Fazio Mechanical Services.

Fazio Mechanical Services had access to Target's network so that it could monitor and maintain the HVAC systems remotely. It was cheaper for Target to give the contractor network access than to hire a Target employee to monitor the systems in house. Fazio Mechanical Services was compromised by a spear-phishing attack a few months before the attack on Target, which is how the attackers obtained the vendor credentials.

Using the HVAC company's credentials, the attackers first installed malware on the point of sale (POS) devices in a small number of stores to test it, from November 15 to November 28, before expanding to the majority of stores. The malware copied payment card data from the POS devices and stored it on a compromised Target server.

The Attack

After the test phase the attackers uploaded and installed as many as five versions of the malware on the majority of POS devices, beginning November 30th. The malware disguised itself as BladeLogic, mimicking a component of a data center management product so that it would look like legitimate software. It collected card data until December 2nd, when exfiltration began.

The malware moved the stolen data from the POS devices to three staging points inside the United States (in Virginia, Utah, and California), and only between 10am and 6pm. Transferring the data only during working hours was an attempt to make it blend in with regular business traffic and avoid attention.
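A detection rule keyed on time of day would miss exfiltration timed to business hours, which is the point of the trick described above. The script below is an added example, not code from the article or from Target: it flags bulk transfers from a POS subnet to any host outside a small allowlist, summed per source/destination pair per day, regardless of the hour, and separately reports how much of that traffic fell in the 10am to 6pm window. The flow records, the POS subnet 10.20.5.0/24, the allowlisted controller 10.20.5.1, the staging host 10.50.0.9 and the 1 MB threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (timestamp src dst bytes); not data from the breach.
SAMPLE_FLOWS = """\
2013-12-01T10:15:02 10.20.5.17 10.20.5.1 4120
2013-12-01T10:15:09 10.20.5.17 10.20.5.1 3988
2013-12-01T11:02:44 10.20.5.17 10.50.0.9 2097152
2013-12-01T14:30:10 10.20.5.18 10.50.0.9 1835008
2013-12-01T15:45:00 10.20.5.18 10.20.5.1 5100
2013-12-01T02:10:00 10.20.5.19 10.50.0.9 1048576
"""

POS_PREFIX = "10.20.5."          # assumed POS register subnet
EXPECTED_DESTS = {"10.20.5.1"}   # assumed allowlist: the store's POS controller
BYTES_THRESHOLD = 1_000_000      # assumed per-day, per-pair alert threshold


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def suspicious_flows(records, pos_prefix=POS_PREFIX, expected=EXPECTED_DESTS):
    """A POS host talking to anything outside its allowlist is suspicious, whatever the hour."""
    return [r for r in records
            if r[1].startswith(pos_prefix) and r[2] not in expected]


def flag_bulk_transfers(records, threshold=BYTES_THRESHOLD):
    """Sum suspicious bytes per (day, src, dst); return the pairs over threshold, sorted."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in suspicious_flows(records):
        totals[(ts.date().isoformat(), src, dst)] += nbytes
    return sorted((key, total) for key, total in totals.items() if total > threshold)


def split_by_business_hours(records, start_hour=10, end_hour=18):
    """Bytes of suspicious traffic inside vs outside the start_hour..end_hour window."""
    in_hours = off_hours = 0
    for ts, _, _, nbytes in suspicious_flows(records):
        if start_hour <= ts.hour < end_hour:
            in_hours += nbytes
        else:
            off_hours += nbytes
    return in_hours, off_hours


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    for (day, src, dst), total in flag_bulk_transfers(recs):
        print(f"{day} {src} -> {dst}: {total} bytes")
    print("suspicious bytes in/off business hours:", split_by_business_hours(recs))
```

On the sample data all three register-to-staging pairs are flagged, and roughly four fifths of the suspicious bytes move during business hours, so a rule that suppresses or deprioritises daytime transfers would have hidden most of it. The allowlist is what does the work here: a POS register has a very small set of legitimate peers, so any new destination is worth an alert on its own.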

On December 2nd the data started leaving Target's network for servers in Moscow. The malware carried the credentials for the staging servers in its own code, so Target could easily have reached those servers and seen what was being collected had the alerts been treated as a real threat. By the time federal law enforcement contacted Target about the breach on December 12th, it was too late: all of the stolen data had already been sent out and then deleted from the staging points.

Who's to Blame

The attacker is believed to have gone by the name Rescator, because that name was embedded in the exfiltration code of the malware. Rescator is also believed to be the owner of rescator.so, a popular black-market site for stolen credit card data. The security blogger who originally broke the Target breach story believes that Rescator is Andrey Khodyrevskiy, a 22-year-old Ukrainian.

Khodyrevskiy had prior hacking experience: he had earlier broken into the Odesskiy forum and stolen 190,000 email addresses. He currently cannot be reached. It is believed, however, that Khodyrevskiy was only one member of a group that breached Target; the fact that most attackers would not leave their own handle in malware code also suggests more than one person was involved. There is no confirmed evidence of the identity of the attacker or attackers.