A Target Corp. security team in Bangalore, India alerted company officials Nov. 30 of a possible infection and data breach… a warning to which Target management failed to respond, according to new reports.
Using a $1.6 million malware-detection system designed and installed by security firm FireEye, Inc. six months earlier, a Target security team set up in Bangalore to provide around-the-clock monitoring of Target’s digital security spotted signs of malware that had penetrated Target’s systems but was not yet active, according to a March 13 report from Bloomberg Businessweek. That report is the most complete description so far of what went on behind the scenes of what turned out to be the largest data breach ever recorded of a U.S. corporation.
Using the FireEye anti-malware and intrusion-prevention system, Target IT staffers in Bangalore spotted the intrusion as the hackers were installing the software that would eventually sneak stolen card data out of Target’s systems. The exfiltration process hid the theft under several layers of encryption and camouflage: malware files renamed to look like anti-virus software, and staging servers that allowed data to be moved to multiple locations inside Target and then to various places around the U.S. before finally being delivered to a set of servers in Russia believed to be those from which the attack was launched, according to Bloomberg.
The Bangalore team documented the intrusion and warned the lead security team in Target’s Minneapolis headquarters – and got no reaction.
Target security people, researchers and law-enforcement officials interviewed by Bloomberg all discussed the FireEye system and said it worked beautifully, according to the story. But none could say why the warning from Bangalore went unheeded. Nor could they say why a second warning, prompted by alerts on Dec. 2 when the hackers installed another version of the malware, was also ignored.
The FireEye appliances act as a combination of firewall, gateway and honeypot, filtering Internet traffic on its way into a customer network and feeding suspicious content into Multi-Vector Virtual Execution (MVX) engines that “detonate” it inside virtual machines rather than on production systems. FireEye monitors the malware as it unfolds and installs itself, recording the file names it uses, the locations in which it installs itself, and its attempts to call back to command-and-control servers, according to FireEye documentation.
On Nov. 30, Bloomberg reported, FireEye flagged a “malware.binary” along with a list of the servers to which the stolen data was to be sent. “The breach could have been stopped there without human intervention. The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off,” Bloomberg wrote. The story is based on Bloomberg’s own painstaking investigation and on interviews with anonymous sources involved in the breach investigation who were not authorized to speak publicly.
Target’s Symantec Endpoint Protection system also flagged some activity as a potential infection during the week of Thanksgiving, which fell on Nov. 28.
Target’s FAQ on the subject says the breach began Nov. 27 and lasted until the malware was discovered and removed on Dec. 15, though several reports indicated the same malware was still active until at least Dec. 18. The malware didn’t actually start sending card data back to Moscow until Dec. 2, according to analyses by Dell’s security subsidiary SecureWorks and the Israeli firm Seculert, which estimated the take at 11GB of data routed through several U.S.-based staging servers before heading to an account at the Moscow-based hosting provider vpsville.ru.
Embedded in the malware were the names and passwords for the command-and-control (CnC) servers, staging servers and destination servers. Those credentials could have led Target security to stolen data sitting on staging servers waiting to be sent to Moscow, and eventually to the hackers’ account there, according to Bloomberg.
Target managers only officially learned of and responded to the breach on Dec. 12, however, after FBI officials called to warn that they had learned of the breach and had actually captured some of the data from one of the hackers’ staging servers, Bloomberg reported, citing a source familiar with the federal investigation.
On March 10, Target delivered documents explaining the breach, including a timeline of what its executives knew and when, to the House Committee on Oversight and Government Reform. So far, there is no indication of whether the company acknowledged that it had early warning of the breach and sufficient opportunity to shut it down, or any explanation of why it chose not to do so.
Image: Shutterstock.com/Rob Wilson