Target hackers hit air-conditioning firm first as a way in

Summary: A compromised refrigeration and air-conditioning company may be the starting point to one of the worst security breaches in the US.

The hackers that broke into Target's network and lifted millions of payment card numbers used a local cooling and heating company's credentials to pull off the heist.

One of the US's biggest breaches has been traced back to a supplier of refrigeration and air-conditioning equipment and services for retailers.

According to security reporter Brian Krebs, people involved in the Target investigation claim that before hacking into Target's network — which allowed them to install malware on the retailer's point-of-sale machines — they hacked one of Target's suppliers, a Pennsylvania-based company.

Target has declined to confirm the details in the report. "Because this is a very active and ongoing investigation, I don't have any additional details at this time," a Target spokesperson told ZDNet.  

Last week, Target told reporters that its forensic investigation indicated the hackers gained access to its system via "a vendor's credentials" without clarifying the specific supplier or system.

An unnamed security expert told Krebs that one reason a refrigeration supplier would have remote access credentials to Target's network is that such suppliers often also provide temperature and energy monitoring services to ensure stores stay within an acceptable range. While the monitoring system itself sits within Target's network, the vendors that support it often require remote access to fix bugs or apply patches to the system.
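The practitioner's question raised by that arrangement is whether a vendor credential issued for the building-management system can be used anywhere else on the network. The following is an added example, not code from the article, from Target or from the vendor: it runs a few constructed authentication events through a scoping check that flags a vendor account logging in from an unexpected source range or reaching a host outside the zone its credential was issued for. The zone ranges, the "hvac-vendor" account, the key=value log format and the log lines are all assumptions made for illustration.

```python
# Added example: not from the article, Target, or the HVAC vendor it describes.
# It checks authentication events for vendor credentials that reach hosts
# outside the network zone the credential was issued for, the kind of scoping
# the article says was missing. Zone ranges, account names and log lines are
# constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical network zones. A vendor supporting the building-management
# system should only ever reach the "bms" segment.
ZONES = {
    "bms": ip_network("10.20.0.0/16"),   # HVAC / energy-monitoring servers
    "pos": ip_network("10.50.0.0/16"),   # point-of-sale registers
    "corp": ip_network("10.10.0.0/16"),  # corporate servers
}

# Hypothetical policy: which zone each vendor credential is scoped to, and
# which public ranges that vendor is expected to connect from.
VENDOR_POLICY = {
    "hvac-vendor": {
        "zone": "bms",
        "sources": [ip_network("203.0.113.0/24")],
    },
}


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    user: str
    src: str
    dst: str
    outcome: str


@dataclass(frozen=True)
class Violation:
    ts: str
    user: str
    dst: str
    reason: str


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed key=value authentication log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return AuthEvent(fields["ts"], fields["user"], fields["src"],
                     fields["dst"], fields["outcome"])


def zone_of(ip: str) -> str:
    """Return the zone name containing ip, or 'external' if none does."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def find_violations(lines) -> list[Violation]:
    """Flag successful vendor logins from unexpected sources or to hosts
    outside the zone the credential is scoped to. Failed logins and
    non-vendor accounts are skipped; they belong to other checks."""
    found = []
    for line in lines:
        ev = parse_line(line)
        policy = VENDOR_POLICY.get(ev.user)
        if policy is None or ev.outcome != "success":
            continue  # not a vendor credential, or the login failed
        if not any(ip_address(ev.src) in net for net in policy["sources"]):
            found.append(Violation(ev.ts, ev.user, ev.dst,
                                   f"login from unexpected source {ev.src}"))
        dst_zone = zone_of(ev.dst)
        if dst_zone != policy["zone"]:
            found.append(Violation(
                ev.ts, ev.user, ev.dst,
                f"reached {dst_zone} zone, credential scoped to {policy['zone']}"))
    return found


# Constructed sample log; not real Target or vendor data.
SAMPLE_LOG = [
    "ts=2013-11-15T02:10:00Z user=hvac-vendor src=203.0.113.7 dst=10.20.4.12 outcome=success",
    "ts=2013-11-15T02:14:31Z user=hvac-vendor src=203.0.113.7 dst=10.10.8.5 outcome=success",
    "ts=2013-11-15T02:20:02Z user=hvac-vendor src=203.0.113.7 dst=10.50.1.40 outcome=success",
    "ts=2013-11-15T02:21:00Z user=hvac-vendor src=203.0.113.7 dst=10.50.1.41 outcome=failure",
    "ts=2013-11-15T03:05:44Z user=hvac-vendor src=198.51.100.9 dst=10.20.4.12 outcome=success",
    "ts=2013-11-15T03:30:00Z user=jdoe src=10.10.2.2 dst=10.50.1.40 outcome=success",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v.ts} {v.user} -> {v.dst}: {v.reason}")
```

On the constructed sample, the first vendor login to a BMS host is clean, the two logins that reach a corporate server and a POS register are flagged for leaving the scoped zone, the failed attempt is ignored, and the login from a source outside the vendor's registered range is flagged even though it lands on an allowed host. The same two conditions are what a firewall rule between the vendor's VPN pool and the building-management segment would enforce preventively; the log check is the detective control for when that rule is missing or too broad.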

The report also sheds more light on when the hackers first installed the POS malware and how they moved the credit card details out.

Investigators told Krebs the hackers initially installed their card-stealing malware on a small number of Target's cash registers between November 15 and 28. (That is earlier than the breach was initially thought to have begun, and roughly a month before Target confirmed it had happened.)

That two-week period allowed testing to occur ahead of the full-scale rollout to the majority of Target's POS devices, which was complete by the end of November.

While the hackers are suspected to be located in Eastern Europe or Russia, they also used drop servers in the US and Brazil, from which they retrieved the stolen data.

Security company Mandiant issued a report late last year noting an increase since 2012 in the number of breaches at outsourcers and managed service providers, exploiting their privileges to gain access to a primary target.

ZDNet has asked Target for comment on the story, and will update the article if it receives one.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Talkback

13 comments
  • Target should have protected their network better

    Systems like air conditioning, heating and security should always have remote stand-alone systems with separate security access only to that stand-alone system. I don't understand why Target would even let these systems be part of their network. Private vendors can still access their systems remotely and update their software without ever having access to the main network.
    Gaberiel
    • Agreed

      A few places we deal with do just that. With the cost of some of these systems installations, the added cost of segregating and maintaining the building system network is likely negligible.
      William.Farrel
      • It may be negligible but

        you will always get some penny pinching pencil neck that would throw his / her mother under the bus to save a couple of hundred dollars.

        Let's think about this. Save $500 to avoid putting a standalone computer in or spend millions due to a data breach. Okay, okay, give me a minute. Don't rush me now. Okay, can you give me a hint? What was the question again?
        dave01234
        • The same mentality as ...

          Spend maybe $50 more each to shield the gas tank from rear end collisions, or ...

          Business should have learned THAT lesson in the 1970s!
          jallan32
        • @dave: That's because millions of dollars confuse managers,

          but $500.00 they can fully comprehend!

          TW
          T-Wrench
      • there is a cost to do that

        Budget is too tight to give a dedicated computer to every outside vendor, so companies do take shortcuts. Even after several infestations, cutting budget is still a greater priority.
        longyhoo
  • Dirk Gently

    The fundamental interconnectedness of all things.

    Douglas Adams
    Alan Smithie
  • Even if the systems are separate.......

    .....they probably connect through the SAME ROUTER!
    Even if you have different routers, they probably somewhere go through the same ISP.
    Data bleeds through SOMEWHERE, which is a potential weak point!
    Both routers and ISPs are known to have been hacked!
    :-(
    kd5auq
    • yes but

      Yes, but router hacks are more difficult. Multiple barriers are needed.
      brainburst
  • Classic

    They went in through an air vent? Classic! It's like a bad movie.
    spambox2
    • And nobody heard the clomping sounds?

      Crawling through an air vent makes noise. The electronic equivalent makes "noise" also, but apparently nobody was listening.
      jallan32
  • Home HVAC

    I just whacked my NEST with a baseball bat. Back to the old-fashioned donut dial.
    NJ Joe
  • I wonder which came first

    Was the group's first step to hit a utility/service provider to see a list of targets that could be exploited by vendor access, or was the main goal to hit Target, so the first step was to find a weaker (security-wise) outside vendor?
    Also, it could have been that credentials for that vendor were bought through the electronic black market and it did not require any hacking skills.
    longyhoo