Target HVAC Contractor Says It Was Breached By Hackers

A contractor that provides HVAC (heating, ventilation, and air conditioning) services for Target Corp. said on Thursday that like Target, it too was a victim of a sophisticated cyber attack.

The attack against the contractor, Fazio Mechanical Services, supports earlier claims that it was the vendor attackers stole credentials from in order to breach the retail giant.

Target spokesperson Molly Snyder told SecurityWeek last month that an ongoing forensic investigation indicated that the intruder stole a vendor’s credentials, which were used to access Target’s system.

Ross Fazio, President and Owner of Fazio Mechanical Services, said in a statement that it does maintain a data connection with Target that was used exclusively for electronic billing, contract submission and project management.

The company did not say how many retail locations it maintains a data connection with.

Fazio said his firm does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target. He also said that Target is the only customer that it provides such management for on a remote basis, and that no other customers have been affected by the breach.

“Like Target, we are a victim of a sophisticated cyber attack operation,” Fazio said in a statement. “We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches.”

Fazio Mechanical Services was first called out on Feb. 5 by Brian Krebs as the alleged third-party vendor connected to the breach as a result of stolen credentials.

“The recent discovery that the credentials stolen in the Target breach were from an HVAC contractor shows how much we live in a connected world and how insider threats are the hardest to detect since outside attackers look just like employees when they are on the network,” Eric Chiu, president & co-founder of HyTrust, told SecurityWeek. “In this new ‘Internet-of-Things’ world, heating systems are connected to the same corporate networks that run other systems such as point-of-sale applications and customer databases. This concentration of systems, networks and data creates a treasure trove for attackers looking to steal information.”

“The trouble is that a lot of people implementing ‘smart devices’ do not recognize the security risks of placing them on a production network where they can access other sensitive data or systems,” Dwayne Melancon, chief technology officer for Tripwire, said. “This is yet another example of the need for security professionals to take a step back and look at the overall ecosystem of devices and how they are connected. Attackers will find and exploit the weakest link in an interconnected network every time.”

“One thing that isn’t known about this attack: were the same credentials for the HVAC system used on other devices in the network? If so, that is what I would call a rookie mistake,” Melancon said.

“All commercial HVAC systems are computer controlled today,” said Lamar Bailey, director of security research at Tripwire. “The temperature for most big, commercial buildings is set based on time of day and proximity sensors and requires computer access to the controls. If there was something wrong with the HVAC settings in one of Target’s properties, they would probably call a contractor, and it’s entirely possible that a repairman with a laptop would need to log on to the network where the HVAC controls are located to troubleshoot the problem.”

“If Target had other network systems, especially the patch delivery server for the POS devices or the POS devices themselves, on the same segment of the network where the contractor logged in it would be relatively simple to infect the network with malware,” Bailey explained. “The contractor may not have known his laptop was compromised with malware, or he could have been one of the lynchpins in the attack. We’ve certainly seen enough movies where the plot hinges on a guy with a clipboard using a repairman ruse to get inside an organization. Based on what we know about this breach that scenario is completely plausible.”

Qualys researchers Billy Rios and Terry McCorkle say they have found 55,000 HVAC systems connected to the Internet, most with basic security vulnerabilities that put them at risk and provide links to numerous other unwitting corporate networks.

Target previously said that it has taken extra precautions such as limiting or updating access to some of its platforms while the investigation continues.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
