In September 2013, employees at Fazio Mechanical, an HVAC company, were busy with their regular tasks. They had a contract with Target, which gave them access to various Target web applications for billing, contract submission, and project management. However, a single phishing email changed everything, setting off a chain of events that led to one of the most significant data breaches in history.

The Attack Unfolds

A Fazio employee downloaded a seemingly harmless PDF, unleashing the Citadel trojan. This spyware was adept at stealing credentials through keylogging, screenshotting, and even video capturing. It could inject fake input forms on legitimate websites, tricking users into entering sensitive information.

Fazio’s security measures, limited to the free version of Malwarebytes, were insufficient. The attackers obtained credentials to Target’s contractor-only websites. Those credentials did not give direct server access, but an exploit in one of those web applications allowed remote code execution, and with it the installation of a backdoor on Target’s servers.

Breach Mechanics

By analogy with the Heartland breach, the attackers likely used SQL injection or uploaded a malicious PHP script through a document upload feature. Either route let them execute code on the server and gain an initial foothold in Target’s network. It took them two months to move from that foothold to control of a web server; the ultimate aim was to steal credit card data from point-of-sale (POS) systems.

Privilege Escalation and Network Exploitation

Using weak passwords, missing security patches, and Active Directory vulnerabilities, the hackers escalated their privileges. They reached highly permissive user accounts, including the Domain Administrator. Target’s lack of network segmentation and firewalling between corporate and payment devices made the POS systems vulnerable.

Credit Card Theft

The attackers installed BlackPOS malware on POS systems, which scraped credit card data from memory. The stolen data was encrypted, stored locally, and periodically transferred to a compromised internal server, from which it was pushed to an FTP server in Russia. The breach went unnoticed for weeks; in that time the attackers stole 40 million credit and debit card numbers and 70 million records of non-financial customer data.

Security Failures and Aftermath

Target’s malware intrusion detection system flagged the exfiltration malware, but the alerts were dismissed as false positives. Only when the Department of Justice notified Target of suspicious activity did the company begin an internal investigation, bringing the intrusion under control by December 15.

The breach severely impacted Target’s finances, with net profits dropping 46% in Q4, and damaged customer trust. The CEO resigned, partially due to the breach, receiving a $61 million severance package.

Lessons Learned

The primary issue was poor network segmentation. Implementing a zero-trust security model is crucial: one that assumes the internal network can be breached and designs systems so that such a breach does as little damage as possible.
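As an added illustration (this is example code, not anything from the original article or from Target), the following script shows what a segmentation policy check and a simple detection rule for the exfiltration path described above could look like. It evaluates constructed flow-log lines against an assumed policy in which POS hosts may only talk to the card processor over TLS, flags POS traffic to corporate hosts and plaintext FTP to the internet, and correlates the staging pattern from the "Credit Card Theft" section: several POS hosts pushing to one internal host that later opens an FTP session to an external address. All addresses, the log format and the policy are hypothetical.

```python
# Added example, not from the original article. Segmentation-policy check and
# staging-then-exfiltration correlation over constructed flow records.
# Network ranges, log format and policy are hypothetical, chosen for the demo.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
import re

# Hypothetical network layout: POS segment, corporate segment, card processor.
SEGMENTS = {
    "pos": ip_network("10.10.0.0/16"),
    "corp": ip_network("10.20.0.0/16"),
    "processor": ip_network("192.0.2.0/24"),  # documentation range as stand-in
}

# Assumed policy: the only conversation a POS host should initiate is TLS to
# the card processor. A real payment environment would have a fuller allow-list.
ALLOWED_FROM_POS = {("processor", 443)}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line such as
    '2013-12-02T01:05:00 10.10.4.17 -> 10.20.7.9:445 tcp'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    return Flow(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                int(m["dport"]), m["proto"])


def segment_of(addr: str) -> str:
    """Map an address to a named segment, or 'external' if it is in none."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def policy_violation(flow: Flow) -> Optional[str]:
    """Label a flow the segmentation policy should have blocked, else None."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == "pos" and (dst_seg, flow.dport) not in ALLOWED_FROM_POS:
        return "POS_EGRESS_VIOLATION"   # POS talking to anything but the processor
    if src_seg == "corp" and dst_seg == "external" and flow.dport == 21:
        return "EXTERNAL_FTP"           # plaintext FTP to the internet from corporate
    return None


def find_staging_chains(flows: List[Flow]) -> List[Tuple[str, List[str], str]]:
    """Correlate the pattern in the article: POS hosts push to one internal host,
    which later pushes to an external FTP server. Returns
    (staging_host, sorted POS sources, external destination) tuples."""
    received_from_pos = {}  # staging host -> set of POS sources seen so far
    chains = []
    for f in sorted(flows, key=lambda x: x.ts):  # chronological scan
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        if src_seg == "pos" and dst_seg == "corp":
            received_from_pos.setdefault(f.dst, set()).add(f.src)
        elif f.src in received_from_pos and dst_seg == "external" and f.dport == 21:
            # Ordering guarantees the POS pushes preceded this FTP session.
            chains.append((f.src, sorted(received_from_pos[f.src]), f.dst))
    return chains


# Constructed flow records, not real Target telemetry.
SAMPLE_LOG = """\
2013-12-02T01:00:00 10.10.4.17 -> 192.0.2.10:443 tcp
2013-12-02T01:05:00 10.10.4.17 -> 10.20.7.9:445 tcp
2013-12-02T01:06:00 10.10.9.3 -> 10.20.7.9:445 tcp
2013-12-02T01:07:00 10.20.3.50 -> 10.20.7.9:445 tcp
2013-12-02T02:30:00 10.20.7.9 -> 203.0.113.77:21 tcp
2013-12-02T02:31:00 10.20.5.5 -> 198.51.100.8:443 tcp
"""


def analyse(log_text: str):
    """Return (policy violations, staging chains) for a block of flow-log text."""
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    violations = [(f.src, f.dst, v) for f in flows if (v := policy_violation(f))]
    return violations, find_staging_chains(flows)


if __name__ == "__main__":
    violations, chains = analyse(SAMPLE_LOG)
    for v in violations:
        print("violation:", v)
    for staging, sources, ext in chains:
        print(f"staging chain: {sources} -> {staging} -> {ext}:21")
```

The policy check alone would have fired on the very first POS-to-corporate connection, which is the point of segmentation: with a deny-by-default rule between the payment and corporate segments, the staging server could never have been reached, and the correlation rule becomes a backstop rather than the primary control.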

By February the following year, Target had significantly improved its security posture, commissioning a pentest and investing in a cyber fusion center. Modern POS systems now favor EMV cards, reducing the effectiveness of similar attacks.

Conclusion

The Target data breach underscores the importance of robust cybersecurity measures. For CEOs and CTOs, the key takeaways are:

  • Implement zero-trust security to minimize internal breach impacts.
  • Ensure comprehensive network segmentation and strong firewalling.
  • Regularly update security patches and avoid weak or default passwords.
  • Invest in advanced threat detection and response systems.

By learning from past breaches, organizations can better protect themselves against sophisticated cyber threats and maintain customer trust.