In 2015 and 2016 Target Corporation reached settlements of around $50 Million for customers and financial institutions due to an enormous data breach which occurred in 2013.  This breach affected 110 million individuals where the bad guys received Names, phone numbers, physical addresses, and E-mails of customers. This caused a massive follow-on wave of identity theft and bad actors impersonating other people for ill gotten gains.   Target later claimed that they suffered a total loss of nearly $300 Million due to this breach due to lost business, lawsuits, and compensation they had to pay.

How was so much damage done? In simple terms, the bad guys got in through the air conditioner! Technically it was an attack on the HVAC (Heating Venting and Air Conditioning) Units on the buildings to keep their temperatures comfortable, not an attack avenue you considered, did you?

What makes the internet amazing is how billions of devices are interconnected, what makes the internet extremely dangerous is that billions of devices are interconnected.  It is obvious your phone or computer are connected but there are classes of devices you would never think about.  In this case the big HVAC units which sit on the top of buildings are also commonly connected to the Internet, often via the standard network of the facility where they are.  This is so the devices can communicate diagnostic data with the manufacturer, which makes total cost of ownership far less as you can have a technician looking at data from potentially hundreds of units a day to diagnose what is going on versus sending people out to each location.  Better service which is less expensive. The problem is if it is not set up properly you have vendors with access to your network, that means they need to have a user ID and a password. If they do not secure your network login information, then your network isn’t safe.

In this case an attack focused on the HVAC vendor with what’s known as a Phishing attack, or an attack which usually comes disguised as an E-mail to an individual in said company or organization with a link or something to trick that individual to installing bad software (Malware) or to get them to divulge that information.   In this case they used a “Spear Phishing” attack where the bad guys send E-mails with links to malware to specific individuals in a company or organization.  The bad guys do their homework and you have to assume they are working very hard to take random success out of the equation and tie it to planning and execution. You can read up on attacks with regards to installing Malware here: https://ericcrichardson.com/2021/01/20/cyber-smart-the-malware-family-and-attacks/amp/

This information was then used to get access to the HVAC Vendor and they found, in their records, the logon information for Target.  Two hops later and the bad guys got access into the Target network and were able to drop sophisticated software which stole personal data from the registers which are also connected to the network.    For further reading about what you as an individual can do to react to or preventing being victimized see my article on Data Breaches  https://ericcrichardson.com/2021/01/21/planning-and-defending-against-data-breaches/amp/

Many of the more advanced, and therefore more potentially dangerous, attacks use a combination of attack styles and forms of possible malware.  But hackers are always  want more and more access and more and more data, it’s us vs them.

@ericcrichardson

Ericcrichardson@gmail.com