Target HVAC Contractor Says It Was Breached By Hackers

A contractor that provides HVAC (heating, ventilation, and air conditioning) services for Target Corp. said on Thursday that like Target, it too was a victim of a sophisticated cyber attack.

The attack against the contractor, Fazio Mechanical Services, supports earlier claims that it was the vendor attackers stole credentials from in order to breach the retail giant.

Target spokesperson Molly Snyder told SecurityWeek last month that an ongoing forensic investigation indicated that the intruder stole a vendor’s credentials, which were used to access Target’s system.

Ross Fazio, President and Owner of Fazio Mechanical Services, said in a statement that it does maintain a data connection with Target that was used exclusively for electronic billing, contract submission and project management.

The company did not say how many retail locations it maintains a data connection with.

Fazio said his firm does not perform remote monitoring or control of heating, cooling and refrigeration systems for Target. He also said that Target is the only customer for which it provides such management on a remote basis, and that no other customers have been affected by the breach.

“Like Target, we are a victim of a sophisticated cyber attack operation,” Fazio said in a statement. “We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches.”

Fazio Mechanical Services was first called out on Feb. 5 by Brian Krebs as the alleged third-party vendor connected to the breach as a result of stolen credentials.

“The recent discovery that the credentials stolen in the Target breach were from an HVAC contractor shows how much we live in a connected world and how insider threats are the hardest to detect since outside attackers look just like employees when they are on the network,” Eric Chiu, president & co-founder of HyTrust, told SecurityWeek. “In this new ‘Internet-of-Things’ world, heating are connected to the same corporate networks that run other systems such as point-of-sale applications and customer databases. This concentration of systems, networks and data creates a treasure trove for attackers looking to steal information.”

“The trouble is that a lot of people implementing ‘smart devices’ do not recognize the security risks of placing them on a production network where they can access other sensitive data or systems,” Dwayne Melancon, chief technology officer for Tripwire, said. “This is yet another example of the need for security professionals to take a step back and look at the overall ecosystem of devices and how they are connected. Attackers will find and exploit the weakest link in an interconnected network every time.”

“One thing that isn’t known about this attack: were the same credentials for the HVAC system used on other devices in the network? If so, that is what I would call a rookie mistake,” Melancon said.

“All commercial HVAC systems are computer controlled today,” said Lamar Bailey, director of security research at Tripwire. “The temperature for most big, commercial buildings is set based on time of day and proximity sensors and requires computer access to the controls. If there was something wrong with the HVAC settings in one of Target’s properties, they would probably call a contractor, and it’s entirely possible that a repairman with a laptop would need to log on to the network where the HVAC controls are located to troubleshoot the problem.”

“If Target had other network systems, especially the patch delivery server for the POS devices or the POS devices themselves, on the same segment of the network where the contractor logged in it would be relatively simple to infect the network with malware,” Bailey explained. “The contractor may not have known his laptop was compromised with malware, or he could have been one of the lynchpins in the attack. We’ve certainly seen enough movies where the plot hinges on a guy with a clipboard using a repairman ruse to get inside an organization. Based on what we know about this breach that scenario is completely plausible.”

Qualys researchers Billy Rios and Terry McCorkle say they have found 55,000 HVAC systems connected to the Internet, most with basic security vulnerabilities that put them at risk and provide links to numerous other unwitting corporate networks.

Target previously said that it has taken extra precautions such as limiting or updating access to some of its platforms while the investigation continues.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
