Yesterday I read, via Ars Technica, that the malware resided on cash registers (which I’d heard elsewhere before), and that the first step to getting there was via a compromised web server.
And that led to a question in the comments, that sounds like it came from an IT professional:
don’t they have their network segregated into zones!!!? It shouldn’t be possible for a web server to touch a POS system in a store….
The commenter is right; it shouldn’t be. But it doesn’t need to be, either.
I don’t have any insider knowledge of how they did it, so everything from here on is my speculation. This isn’t what happened; this is what might have happened. Every network is different, and I have no knowledge of Target’s network.
OK, on with my speculation. Let’s say the bad guys got a webserver. Web servers keep logs. Sysadmins probably look at those logs from time to time. The bad guys can look at them too. The logs are probably more useful to the bad guys than they are to the sysadmins, unfortunately. In this case, the most valuable thing in those logs is information about who accesses the server. If the server only serves external customers, its value depends on the bad guys’ goal. It’s great for attacking people outside of Target. If the target is Target’s internal network though, it’s time to keep looking.
Chances are the server lives in the same DMZ or network segment as other web servers. So by attacking nearby servers, they may be able to find something that people inside and outside the network access. It’s possible the web servers trust each other more than they trust any old computer on the Internet, so compromising a second one might not be too hard. Eventually they’re bound to find one that people inside Target’s network access from time to time.
Once they find that, they can plant some malware on a page that the internal clients have been accessing. That information is in the logs. Then it’s just a matter of waiting until the malware beacons back to the bad guys that it’s landed somewhere inside Target’s internal network. Where doesn’t matter all that much; just map out the network while the system is idle, until they find something interesting.
Finding a server that nobody pays attention to would take some time, but probably less time than one would think. I would look for something old, something running Windows NT 4.0 or Windows 2000, to start with. It’s an easier target to attack, since neither OS has had any security updates in almost a decade. A server that old probably is running something important, but it’s not a guarantee. Even if it turns out to be too important, popping that server is worthwhile because it gives another vantage point. Maybe it can see something interesting.
Once an attacker is in that deep, eventually they’re going to find suitable servers to use for command and control operations. And eventually they’re going to find something that can see the cash registers. Segmented networks make the job much harder, but they don’t make it impossible.
None of this was easy, but I suspect once the initial attacker got into a network like Target, if he found himself over his head, getting A-team help probably wasn’t difficult. I understand that frequently a sophisticated attack comes in several waves: the C team gains access to a server somewhere, then as the chances of success increase, the B team takes over, giving way to the A team when the stakes warrant.
As for the question of why this went undetected, it wouldn’t surprise me if a company the size of Target generated a terabyte’s worth of logs per month, based on my own experience in log collection. There’s a lot of noise in a terabyte’s worth of logging to blend into, and I would expect the attackers spent some time watching, just to learn how to blend in, prior to escalating the attack. Staying on the fringes helps. I’m sure Target’s network has stuff on the fringes that shouldn’t be there because I don’t know how a company could be the size and age of Target and not have stuff going on that shouldn’t be.
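The defender’s counterpart to the two points above (malware that beacons out on a schedule, and log volume large enough to hide in) is to hunt for the one thing a beacon cannot easily disguise: its regularity. The following is an added example, not code from the original post; the three-column proxy log format, the hostnames and the addresses are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: ISO timestamp, client address, destination host.
# One client talks to one host every five minutes almost to the second; the rest
# is the kind of irregular browsing that makes up most of a large log.
SAMPLE_LOG = """\
2013-12-02T10:00:00 10.8.4.21 updates.example-vendor.com
2013-12-02T10:00:07 10.8.4.21 cdn.example-news.com
2013-12-02T10:05:00 10.8.4.21 updates.example-vendor.com
2013-12-02T10:10:01 10.8.4.21 updates.example-vendor.com
2013-12-02T10:15:00 10.8.4.21 updates.example-vendor.com
2013-12-02T10:20:00 10.8.4.21 updates.example-vendor.com
2013-12-02T10:03:12 10.8.4.37 cdn.example-news.com
2013-12-02T10:41:55 10.8.4.37 cdn.example-news.com
2013-12-02T11:22:03 10.8.4.37 mail.example-corp.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return {(client, dest): [datetime, ...]} from the constructed log format."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on real data
        ts, client, dest = m.groups()
        hits[(client, dest)].append(datetime.fromisoformat(ts))
    return hits


def find_beacons(hits, min_hits=4, max_jitter=0.05):
    """Flag (client, dest) pairs whose gaps between connections are nearly constant.

    max_jitter is the allowed coefficient of variation (stddev / mean) of the gaps.
    Returns a list of (client, dest, mean_gap_seconds) worth a closer look.
    """
    beacons = []
    for (client, dest), times in hits.items():
        if len(times) < min_hits:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, dest, avg))
    return beacons
```

On real proxy or firewall logs the same grouping and jitter test works unchanged; the thresholds are the tuning knobs, and legitimate software updaters will show up too, so the output is a hunting lead, not an alert by itself.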
And keep in mind that the game has changed over the years. In the 1990s, you could be a good hacker if you were bored and willing to sit in front of a keyboard for 18 hours at a time. Today there’s a lot of money at stake, which means you’re facing adversaries who have a great deal more skill than before. Some of those adversaries may be former good guys with a great deal of experience who haven’t been able to find legitimate work for whatever reason.
I do think things will get better. The trouble defenders have been fighting since the 1980s has been that given the choice between security and dancing pigs, consumers will choose dancing pigs every time, if you’ll forgive my cynicism in quoting a cynical joke that security professionals like to tell. But at some point consumers are going to decide their credit cards are getting breached too often and it’s becoming too inconvenient. I don’t know if the threshold is every five years, every year, every month, or every week. What I do know is that once we reach it, the average consumer will finally value security more highly than dancing pigs. And that’s when things will start to get better.