Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Report Examines Unanswered Questions Around Target Attack

Cybersecurity startup Aorato has published a report around the data breach suffered in 2013 by Target, which investigates some of the techniques used by the attackers to gain access to the company’s networks.

Cybersecurity startup Aorato has published a report around the data breach suffered in 2013 by Target, which investigates some of the techniques used by the attackers to gain access to the company’s networks.

The attack, which resulted in the theft of 40 million payment cards and 70 million personally identifiable information records, caused financial damage of tens of millions of dollars. In a statement made earlier in August, Target reported that, in the second quarter of 2014, it expects to record gross breach-related expenses of $148 million (partially offset by the recognition of a $38 million insurance receivable).

Since the breach came to light, all aspects of the story have been analyzed by the media and security experts, and now, based on publicly available information, Aorato has reviewed the steps taken by the attackers, from the HVAC (heating, ventilation, and air conditioning) contractor breach up to the theft of sensitive information from the retailer’s networks.

In the first phase of the operation, the attackers installed malware (Citadel) on the systems of Target’s HVAC contractor in an effort to steal credentials. Then, the stolen credentials were used to access one of the Web applications made available by the retailer for vendors. However, none of these applications the attackers had access to allowed the arbitrary command execution needed to compromise the underlying server. Experts believe that the cybercriminals leveraged a vulnerability in the application to upload a backdoor that enabled them to upload files and execute commands.

In the next phase, the attackers started searching the Target network for devices hosting sensitive information and point-of-sale (PoS) machines. This was most likely done through the Active Directory service, Aorato said.

After identifying the relevant targets, the cybercrooks stole an access token (NT hash) for a user account with domain admin privileges by utilizing an attack method dubbed “Pass-the-Hash.” With the stolen token in hand, the attackers used Windows commands to create a new domain admin account that gave them persistency and access to additional services.

In phase seven, the attackers used the newly created administrator credentials to propagate to relevant computers. They used various tools to bypass firewalls and other network security solutions, and run remote processes on the machines that stood between them and the loot. Experts believe that the 70 million records containing personal information were stored in a database which the cybercriminals queried by using SQL-related tools.

Aorato assumes that the attackers went after PoS systems because Target was PCI compliant and it did not store credit card information in its databases. The 40 million payment card records were stolen with the aid of the Kaptoxa malware, which scans the memory of PoS machines in search for card data which it saves to a local file.

The files containing sensitive data were periodically copied to an FTP-enabled machine via a remote share. From this location, the files were later sent to an FTP account controlled by the attackers.

“Generally speaking, the Target attackers largely followed the general APT ‘kill chain’ attack model. However, the Target attack presents unique nuances to the model. These nuances stem from the fact that operations aiming to steal credit cards are inherently different from classic APT operations aimed at intelligence gathering and infrastructure sabotage,” Aorato noted in its report.

“The main difference is that credit card-oriented attacks are bound to be revealed in a relatively short time as the monetization path of the attackers must include massive usage of the stolen credit cards that will get detected by the credit cards vendor’s fraud departments.”

Researchers highlight the fact that in such credit card-oriented attacks, cybercriminals don’t invest too much in infrastructure and automation. As in the case of Target, many operations are carried out manually with the aid of various tools; the only automated tasks are performed by the piece of malware used in the attack. In this particular attack, unlike many other APT attacks, the cybercrooks had not created a command and control (C&C) infrastructure, and instead operated everything manually from within the network.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption