Target ignored warning from security system


This is pretty unbelievable:

Target had done a months-long test of FireEye that ended in May and was rolling out the technology throughout the company’s massive IT system. It’s possible that FireEye was still viewed with some skepticism by its minders at the time of the hack, say two people familiar with Target’s security operations. And the SOC manager, Brian Bobo, departed the company in October, according to his LinkedIn page, leaving a crucial post vacant. (Bobo declined to comment.) Yet it was clear Target was getting warnings of a serious compromise. Even the company’s antivirus system, Symantec Endpoint Protection (SYMC), identified suspicious behavior over several days around Thanksgiving—pointing to the same server identified by the FireEye alerts. “The malware utilized is absolutely unsophisticated and uninteresting,” says Jim Walter, director of threat intelligence operations at security technology company McAfee (INTC). If Target had had a firm grasp on its network security environment, he adds, “they absolutely would have observed this behavior occurring on its network.”

Target’s security blunders don’t end there. Its spokeswoman, Molly Snyder, says the intruders had gained access to the system by using stolen credentials from a third-party vendor. Brian Krebs, a security blogger whose site krebsonsecurity.com first broke the news of the Target hack, has reported that the vendor was a refrigeration and heating company near Pittsburgh called Fazio Mechanical Services. A statement on Fazio’s website says its IT systems and security measures are in compliance with industry practices, and its data connection to Target was purely for billing, contract submission, and project management. Target’s system, like any standard corporate network, is segmented so that the most sensitive parts—including customer payments and personal data—are walled off from other parts of the network and, especially, the open Internet. Target’s walls obviously had holes. The hackers’ malware disguised itself with the name BladeLogic, probably to mimic a component in a data center management product, according to a report by Dell SecureWorks (DELL). (SecureWorks is one of many cybersecurity firms that got their hands on the Target malware, which was made public on various websites used by researchers to help other companies fend off similar attacks.) In other words, the hackers cloaked their bad code with the name of legitimate software used by companies to protect cardholder and payment data.

Once their malware was successfully in place on Nov. 30—the data didn’t actually start moving out of Target’s network until Dec. 2—the hackers had almost two weeks to pillage credit card numbers unmolested. According to SecureWorks, the malware was designed to send data automatically to three different U.S. staging points, working only between the hours of 10 a.m. and 6 p.m. Central Standard Time. That was presumably to make sure the outbound data would be submerged in regular working-hours traffic. From there the card information went to Moscow. Seculert, an Israeli security firm, was able to analyze the hackers’ activity on one of the U.S.-based staging points, which showed them eventually taking 11 gigabytes of data stored there to a Moscow-based hosting service called vpsville.ru. Alexander Kiva, spokesman for vpsville.ru, says the company has too many clients to monitor them effectively, and that it hadn’t been contacted by U.S. investigators as of February.

If Target’s security team had followed up on the earliest FireEye alerts, it could have been right behind the hackers on their escape path. The malware had user names and passwords for the thieves’ staging servers embedded in the code, according to Jaime Blasco, a researcher for the security firm AlienVault Labs. Target security could have signed in to the servers themselves—located in Ashburn, Va., Provo, Utah, and Los Angeles—and seen the stolen data sitting there waiting for the hackers’ daily pickup. But by the time company investigators figured that out, the data were long gone.
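The exfiltration pattern the article describes (bulk transfers that run only during business hours so they hide in normal traffic) is easy to miss with off-hours heuristics but simple to surface by summing outbound volume per destination. The following is an added example, not code from the article or from any of the firms it names; the flow records, addresses and the 500 MB threshold are constructed for illustration.

```python
"""Sum outbound flow bytes per external destination per day.

Constructed example: models transfers that only run inside a
business-hours window. All flow lines and addresses are made up."""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: "timestamp src dst bytes" (dst is external).
FLOW_LOG = """\
2013-12-02T10:05:11 10.20.1.15 203.0.113.10 734003200
2013-12-02T11:40:02 10.20.1.15 203.0.113.10 512000000
2013-12-02T14:15:45 10.20.1.15 203.0.113.10 1048576000
2013-12-02T10:30:00 10.20.1.9 198.51.100.25 2048
2013-12-02T12:00:00 10.20.1.9 198.51.100.25 4096
2013-12-02T17:55:30 10.20.1.15 203.0.113.10 419430400
2013-12-03T10:01:05 10.20.1.15 203.0.113.10 629145600
"""

# Assumption: 500 MB/day from one internal host to one external address
# is unusual enough in this environment to warrant review.
THRESHOLD_BYTES = 500 * 1024 * 1024


def parse_flows(text):
    """Yield (timestamp, src, dst, bytes) tuples from the log text."""
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def flag_bulk_destinations(text, threshold=THRESHOLD_BYTES):
    """Return {(day, src, dst): {"bytes", "hours"}} for pairs over threshold.

    The hours seen are kept so an analyst can see that a transfer only
    ever runs inside a working-hours window, as the article describes.
    """
    totals = defaultdict(lambda: {"bytes": 0, "hours": set()})
    for ts, src, dst, nbytes in parse_flows(text):
        key = (ts.date().isoformat(), src, dst)
        totals[key]["bytes"] += nbytes
        totals[key]["hours"].add(ts.hour)
    return {k: v for k, v in totals.items() if v["bytes"] > threshold}


if __name__ == "__main__":
    for (day, src, dst), info in flag_bulk_destinations(FLOW_LOG).items():
        hours = ",".join(f"{h:02d}" for h in sorted(info["hours"]))
        print(f"{day} {src} -> {dst}: {info['bytes'] / 2**20:.0f} MiB, hours {hours}")
```

Against real NetFlow or proxy logs, the same aggregation would also surface the three fixed staging addresses the article mentions, since volume per destination stands out regardless of the hour.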

H/t Steve Duckett.