17 Jan, 2014 10:50

Target part of a broader cyber-attack, Russian hackers allegedly involved

A US government classified memo has acknowledged that the Christmas cyber-attack on Target Corp was part of a much broader security breach of a number of US companies. The document alleges that traces of Russian language were detected in the malware.

The first results of the investigation into the holiday hacker attack against Target Corp have been summed up in a secret “Indicators for Network Defenders” memo distributed by the US government among American retailers and financial service companies.

People familiar with the document claim the situation is actually much worse than earlier assessed, the Wall Street Journal reports.

The investigators have confirmed fears that Target was not the only victim of the attack, but have refrained from identifying the other companies that suffered during the Christmas sales craze.

According to Reuters’ source, at least three other well-known national retailers have suffered an attack from the same virus.

On Thursday, luxury retailer Neiman Marcus Group said that it also suffered a theft of clients’ personal data during the holiday shopping period, without mentioning, though, whether its case was somehow related to Target's.

In an attempt to expose the plotters of the attack against Target Corp, America’s third-largest retail company, the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center teamed up with Dallas-based iSight Partners, a cybersecurity company, which distributed its own version of the memo Thursday.

Russian connection?

It has been revealed that the virus used by the international hackers to breach Target’s firewall and compromise the personal data of 70 million people, dubbed KARTOKHA (“potato” in Russian) by hackers, first appeared on the international hacker black market last spring.

In fact, it was just the latest virus among many to target point-of-sale (POS) terminals. The most notorious of these viruses are BlackPOS, Dexter and vSkimmer, Reuters reports.

Tiffany Jones, a senior vice president at iSight, described the method and scale of the attack as “unique.” She also noted that the malware was specifically designed to meticulously conceal its data manipulations, making it very hard to detect the virus while it was running.

The identities of those who bought and customized this state-of-the-art, expensive malware program for the Target attack remain unknown. At the same time, the investigators claim the source code of the virus contains certain words in Russian, most probably in the comments to the program. This might indicate that the source code of the virus was developed with the help of skilled Russian-speaking programmers from the former Soviet Union.

“The intrusion operators displayed innovation and a high degree of skill,” the iSight report says.

KARTOKHA in action

The memo does not specify how the hackers managed to break into Target’s networks, but the breach exposed the outdated security tools used in banking. The KARTOKHA virus (codenamed POSRAM Trojan by iSight programmers) could not be identified by any anti-virus software, the memo claims.

Also, it has been found that the actual hacking process was split into two stages. First, Target Corp’s plastic card payment devices were infected with the virus, which made copies of personal data encrypted on the magnetic stripes of payment cards and stored them on Target’s own servers. Then the hackers broke into the company’s network to collect the stolen data.

One of the peculiarities of the virus was that it did not operate around the clock, limiting its activity to prime business hours between 10 am and 5 pm, which also helped the malware stay invisible.
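The two behaviours the memo describes (stolen data staged on an internal server, activity confined to 10 am to 5 pm) suggest a simple defensive heuristic. The following Python check is an added example, not code from the memo, iSight or the article: it reads constructed file-write events and flags any process on a host whose writes all target a network share and all fall inside business hours on several distinct days. The log format, host name, process names and paths are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample file-write events: "timestamp host process target_path".
# These are invented for the example, not telemetry from any real incident.
SAMPLE_EVENTS = r"""
2013-12-02T10:31:12 pos-17 winsvc.exe \\fileserv\tmp\a.dat
2013-12-02T16:44:03 pos-17 winsvc.exe \\fileserv\tmp\b.dat
2013-12-03T11:05:40 pos-17 winsvc.exe \\fileserv\tmp\c.dat
2013-12-04T14:20:09 pos-17 winsvc.exe \\fileserv\tmp\d.dat
2013-12-02T02:00:00 pos-17 backup.exe \\fileserv\backup\pos17.bak
2013-12-03T02:00:00 pos-17 backup.exe \\fileserv\backup\pos17.bak
2013-12-04T02:00:00 pos-17 backup.exe \\fileserv\backup\pos17.bak
2013-12-02T09:15:00 pos-17 pos.exe C:\pos\log\today.log
2013-12-02T19:50:00 pos-17 pos.exe C:\pos\log\today.log
2013-12-03T12:00:00 pos-17 pos.exe C:\pos\log\today.log
"""


def parse_events(text):
    """Parse one event per line into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, path = line.split(maxsplit=3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "process": proc, "path": path})
    return events


def find_windowed_stagers(events, start_hour=10, end_hour=17, min_days=3):
    """Return (host, process) pairs whose writes all land inside the
    business-hours window, all go to a UNC share (internal staging), and
    recur on at least min_days distinct days. Legitimate processes that
    write at night (backups) or to local disk (the POS app) are not flagged."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["host"], ev["process"])].append(ev)
    flagged = []
    for key, evs in by_key.items():
        in_window = all(start_hour <= e["time"].hour < end_hour for e in evs)
        to_share = all(e["path"].startswith("\\\\") for e in evs)
        days = {e["time"].date() for e in evs}
        if in_window and to_share and len(days) >= min_days:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for host, proc in find_windowed_stagers(parse_events(SAMPLE_EVENTS)):
        print(f"review: {proc} on {host} writes to a share only during business hours")
```

On real endpoint telemetry the same three conditions (time window, share-only destinations, recurrence across days) are cheap to compute per process and surface exactly the pattern the memo describes without relying on an anti-virus signature.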