Target Breach: HVAC Contractor Systems Investigated

Hackers may have used access credentials stolen from refrigeration and HVAC system contractor Fazio Mechanical Services to gain remote access to Target's network.

Mathew J. Schwartz, Contributor

February 6, 2014

5 Min Read

20 Great Ideas To Steal In 2013

20 Great Ideas To Steal In 2013

20 Great Ideas To Steal (Click image for larger view.)

Did the attackers behind the Target breach hack their way in using access credentials stolen from the retailer's environmental systems contractor?

Investigators from the Secret Service, which is leading the government's investigation into the Target breach, recently visited the offices of Fazio Mechanical Services, a refrigeration and HVAC (heating, ventilation, and air conditioning) systems provider based in Sharpsburg, Penn., security journalist Brian Krebs first reported Wednesday. Officials at Fazio reportedly confirmed -- but otherwise declined to comment on -- the Secret Service visit.

According to unnamed sources cited by Krebs, investigators now believe that Target's attackers first accessed the retailer's network on November 15, 2013, using access credentials that they'd stolen from Fazio Mechanical Services. Theoretically, those access credentials allowed attackers to gain a beachhead inside Target's network, and from there access and infect other Target systems, such as payment processing and point-of-sale (POS) checkout systems.

{image 1}

As of Thursday, Fazio's website was temporarily inaccessible, "due to the site owner reaching his/her bandwidth limit," an error message read. But according to a cached version of the website, the firm serves as a refrigeration and HVAC contractor, and was also responsible for "renovation and new refrigeration systems" at Target stores in Hilliard, Ohio, and Columbia, Md., and for similar projects at a variety of other facilities, including various Shop 'n Save, Trader Joe's, and Whole Foods stores.

Why might Fazio Mechanical Services have had access to Target's network? The answer is because Target -- like any other organization that manages a relatively modern store, factory, or office building -- likely relies on refrigeration and HVAC systems that can be remotely managed by a third party. These contractors monitor and adjust environmental controls. In supermarkets, they also keep a close watch on refrigeration systems.

[Data breaches are taking place is just about every industry. Read Texas Hospital Discloses Huge Breach.]

"HVACs are IP-addressable appliances now, which means they have network access and logins," Dwayne Melancon, CTO of Tripwire, said in an emailed statement. Accordingly, "it wouldn't be unusual for contractors to have an HVAC login," to be able to remotely manage settings, or troubleshoot related device or network problems.

Questions relating to the Target hack will no doubt now center on the security processes in place at Fazio, as well as the controls in place at Target, which -- per Payment Card Industry Data Security Standards (PCI-DSS) regulations -- is liable for any of its third-party contractors' security shortcomings. Notably, PCI requires that merchants "incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties."

One challenge when granting remote access to a third party, however, is that multiple employees may have access to those login credentials. "Technology vendors aren't your typical remote users," said Jeff Swearingen, CEO of SecureLink, which sells remote-access security software, in an emailed statement. "One vendor may have thousands of technicians that require access on a revolving basis. Login credentials issued to Todd on Tuesday may be used by Wendy on Wednesday, and so on."

Which raises questions: Did Target secure Fazio's access to its network using two-factor authentication? What level of network access did Target grant to Fazio, and was Target actively monitoring that access? Finally, were Target's HVAC appliances located on an isolated network segment that should have prevented attackers from accessing other network-connected systems? Asked those questions via email Thursday, Target spokesperson Molly Snyder responded: "Because this is a very active and ongoing investigation, I don't have any additional details at this time."

While the exact details of the attack have yet to be disclosed, the results are well known: Hackers stole 40 million credit and debit cards, as well as personal information on 70 million Target customers.

Target initially said that attackers stole that data between November 27 and December 15, when the discount retailer discovered the malware infection. But this week, Target chief financial officer John Mulligan said in a Senate Judiciary Committee hearing that the malware persisted undetected on 25 more checkout systems until December 18, resulting in the compromise of less than 150 more credit card numbers.

The news that Fazio Mechanical Services is now being eyed by investigators comes after Target disclosed last week that its breach involved stolen third-party vendor credentials. At the time, some reports focused on BMC Software as being the unnamed third party in question.

But BMC Software, which sells BladeLogic and other types of software, has vigorously denied that charge. In a statement issued last week, BMC noted that two supposed clues from the Target breach seen by security researchers -- a file named "bladelogic.exe" that tied to the POS malware used, as well as attackers' use of a password supposedly mentioned in official BMC documentation -- had nothing to do with BMC.

"BMC has confirmed that the password mentioned in the press is not a BMC-generated password," BMC Software said in a statement. In addition, it also cited a McAfee study, which reported that the POS malware's reference to "bladelogic" was only "a method of obfuscation." In other words, the developers behind the malware appear to have disguised their attack code and related processes with names which, upon casual inspection, would look innocuous.

"At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack," said BMC.

Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant? Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights