Could a breach at an HVAC company specializing in supermarket refrigeration have led to the Target data breach? Apparently so, according to mega retailer Target and Pennsylvania-based Fazio Mechanical Services. This raises a “chilling” possibility that hackers are even more sophisticated in their planning than most believed and can identify and exploit relatively obscure vulnerabilities.
Although Fazio remotely monitors the HVAC systems of many of its customers, leading to concern that this is a point of vulnerability, they assert that this was not the case with Target. Hackers first infected systems at Fazio and then migrated their malware to the Target network through a common connection used to submit bills and exchange other documents between the companies.
Was this connection simply a “target of opportunity” identified by the hackers during their breach of Fazio, or was the Fazio breach part of a campaign against Target in which the Fazio connection was identified as a weak link? Either way, it is clear that criminal hackers are borrowing pages from the Advanced Persistent Threat playbook originally written in cyber war attacks between governments, nations and government operatives. Instead of casting a wide net with indiscriminate phishing and random spread of malware, APT involves targeting specific victims and elaborate research and planning.
Endpoint security has to be grounded in the principle, no matter how clichéd it may sound, that you are only as strong as your weakest link. One weak link in the Target network has resulted in the compromise of data for as many as 100 million Target customers.