The massive data breach that struck Target over the holiday shopping season may have been part of a larger, unprecedented attack on U.S. retailers by Russian hackers, according to a new report by cyber security firm iSIGHT Partners and the U.S. Secret Service. The Associated Press explains that the malicious software hackers used to steal personal customer data from retailers' point of sales systems is almost certainly derived from BlackPOS software, which uses malware script from Russia.
The confidential report, sent to retailers on Thursday, notes that though "the use of malware to compromise payment information storage systems is not new," this is "the first time we have seen this attack at this scale and sophistication." According to the report, the invasive code poses a threat to retailers because it is incredibly difficult to trace. The AP reports:
Because this kind of software can "cover its own tracks," it's not possible to determine the scale, scope and reach of the breach without detailed forensic analysis. "Organizations may not know they are infected," the report said. "Once infected, they may not be able to determine how much data has been lost."
According to the analysts, the malware code was first distributed months ago and victims are still vulnerable to theft. Bloomberg notes:
The electronic break-ins may involve multiple groups of hackers who appear to be working from a sophisticated piece of software code that began circulating on underground websites last June... “We haven’t seen the last of this,” said iSIGHT Chief Executive Officer John Watters in an interview. “Now it’s a race to the bank with the criminals rushing to hijack the data and convert it into criminal gain before the door to profitability is closed.”
Though the report does not name specific retailers that were affected by the code it called "Kaptoxa" (which just means Russian code string), it strongly suggests that this is the type of software that would have affected Target and Neiman Marcus. The report also offers evidence that the attack on both retailers was linked, making it an even greater breach than previously suspected.
But other analysts don't necessarily see a direct link between the two breaches. Cyber security firm Seculert analyzed a sample of the Target malware and found that the attack was two-pronged — infecting Target's PoS systems and remaining undetected for six days before transmitting data back to the hackers — but did not link it to the attack on Neiman Marcus:
On December 2, the malware began transmitting payloads of stolen data to a FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2 week period. Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GBS of stolen sensitive customer information. While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack.
Especially concerning to Target customers is that, according to an email from the company, shoppers who patronized the store anytime in the past ten years could have had data stolen. Forbes' Clare O'Connor said she received an email from the company warning that her personal information could have been compromised - even though she hadn't purchased anything from Target since 2004. She writes:
I checked my online banking summary to be certain a Target.com purchase hadn’t slipped my mind. Nope. Nothing. So, what gives? I called Target to ask. “The email that guests have received in the past week was to inform them of the second announcement related to partial personal data that had been obtained by Target through the normal course of our business, but not necessarily just during the November 27 – December 15 time frame,” a Target spokesperson said. Meaning my personal data from that bath towel purchase in 2004 was stolen during this breach? “I don’t have the specific time frame, but yes, that is the idea,” the press officer told me.
I just now got the email from Target that my information "may have been taken." I ordered something online from them in 2010.— Megan McCarthy (@Megan) January 16, 2014
Target has not yet commented on the iSight report. The last official statements from the company reported that the information of up to an additional 70 million customers, on top of the originally reported 40 million, could have been breached, and that stockholders should expect lower Q4 returns than initially projected. Compared to that, "we may have been part of a massive international data breach," might not be look so bad.