Target could be fined from $400 million to $1.1 billion after hackers stole credit card numbers from up to 110 million of its customers, according to retail analysts at Jefferies.
Details are slowly trickling out on exactly how the hackers—believed to be Russian and Eastern European—infected Target’s networks between Nov. 27 and Dec. 15, 2013. What is known is that Target was likely compromised through a seemingly unlikely source: a refrigeration and HVAC (heating, ventilation, and air conditioning) company that it hired as a contractor.
The source of the breach is very telling, however, and while Target is now the center of attention for the security community and the defendant in nearly 70 class-action lawsuits, it is merely the most visible victim of a very common method of attack.
Hackers look for the weakest link in a company’s security. As large companies become more attentive to cybersecurity, the easiest way in becomes their contractors, who are often not required to follow strict security standards but are given access to the company’s facilities and networks.
“The aggressors or the adversaries are always going to go for the weakest link, and that’s the supply chain,” said Casey Fleming, CEO of BlackOps Partners Corporation, which does counterintelligence and protection of trade secrets for Fortune 500 companies. “Adversaries continually search for weakness in both human and cyber elements of security whether it’s directly with the target entity or its extended supply chain.”
Low Hanging Fruit
This holds true even for the militaries of several countries, where hackers would rather go for the low-hanging fruit than risk direct attacks against military networks.
Security company Kaspersky uncovered a large campaign last September that went after the defense supply chain of Japan and South Korea. Between 2011 and 2013, Chinese hackers had gone after Japanese and South Korean targets including military contractors, shipbuilders, and satellite operators.
Similar attacks have been launched against defense contractors in the U.S. Bloomberg reported in May 2013 that, in attacks going back to at least 2007, Chinese hackers “raided the databanks of almost every major U.S. defense contractor and made off with some of the country’s most closely guarded technological secrets…”
The Pentagon has tried repeatedly to secure military contractors, but progress has been slow. Programs include security training for contractors, and in October 2013 the Department of Defense put a plan in place to secure the military’s unclassified contractor networks.
In Fleming’s line of work, it is common to find companies breached through contractors—and sources of attacks range from cybercriminals to nation-states.
“It’s going to get much worse, with respect to the economic war that we’re in, it’s way too lucrative to steal trade secrets or customer information. We already see it getting worse due to the thirst for continued growth in nation-states including China and Russia.”
Investigations are ongoing as to exactly how Target was hacked, but security journalist Brian Krebs reported Feb. 5 that hackers broke into Target’s networks through Pennsylvania-based refrigeration and HVAC company Fazio Mechanical Services. The company has worked with several major outlets, including Trader Joe’s, Whole Foods, and BJ’s Wholesale Club.
Initial reports said the hackers may have breached Target’s systems through remote access to its climate control systems. Systems such as these are installed by Fazio Mechanical Services, and can be linked into a company’s overall networks.
Ross Fazio, president of Fazio Mechanical Services, said in a statement that his company was also a victim in the attack, and did not have remote access to Target’s climate control systems. He did say, however, that his company had remote access to Target’s networks “exclusively for electronic billing, contract submission and project management.”
Fleming noted that while the Target breach may sound a warning bell around cybersecurity, it could also draw unwanted attention. He said the attack “is going to open up the floodgates on adversaries trying to get customer information with the intent of identity theft.”