The Washington Post

Target breach may be part of wider attack

The security breach that hit Target Corp. during the holiday season seemed to be part of a broader and highly sophisticated scam that affected several retailers, says a report published by a global cyber intelligence firm that works with the U.S. Secret Service and the Department of Homeland Security, Thursday, Jan. 16, 2014. (AP Photo/Steven Senne, File) (Steven Senne/AP)

The malware that may have infected Target may also have affected a “large number” of other retail information systems, according to a report Thursday from security researchers and government officials.

A brief summary of the report, posted by the Dallas-based iSight Partners security firm, said that a piece of malicious software known as KAPTOXA is targeting retailers’ point-of-sale systems. The company did not name specific retailers, but indicated that its investigation began on Dec. 18, the day before Target first announced that a breach had affected as many as 40 million customers. The company later broadened its estimate to say that the attack may have compromised the information of up to 110 million customers.

The report indicates that the malware is designed to “hook” into payment application programs to spy on the information they store in certain parts of the systems’ memory. When payments are authorized, that information must be decrypted, and the malware is able to identify and take that information.

The malicious software used in this attack bears strong similarities to other malware for sale on the Russian-language underground, specifically designed to attack retailer sale systems, the report said.

Parts of the attack on Target and other retailers — which the report did not identify by name — were technically sophisticated, the report said. What truly made the attack unique, however, was its level of coordination. Without offering much detail, the researchers said that the perpetrators of this attack “leveraged a variety of other tools” to break into targeted networks.

Target apologized to its customers in full-page ads in several major newspapers over its recent security breach. (Reuters)

“The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity,” the report said.

The Department of Homeland Security has not made its report, which lays out what actions industry organizations can take to defend their networks, available to the public.

The department did, however, say that it continues to work closely with public- and private-sector partners to investigate this and other cyber threats.

“Information sharing is a key part of the Department of Homeland Security’s (DHS) important mission to create shared situational awareness of malicious cyber activity,” DHS spokesman S.Y. Lee said in a statement.

The report from iSight indicates that KAPTOXA was derived from another type of malicious software that affects store registers called “BlackPOS.” Cybersecurity reporter Brian Krebs noted that similarity Wednesday, saying that the malware used in the Target attack bore similarities to that software, which he called a “relatively crude but effective” piece of software sold to cybercriminals on software forums.

These malware kits, cybersecurity experts have said, have made it easier than ever for criminals with less sophisticated skills to conduct major attacks.

“It used to be that you had to have a sophisticated nation-state funding” to execute this kind of attack, said Dave Burg, Global & U.S. Advisory Cyber Security Leader at PricewaterhouseCoopers. “We’re now seeing a commoditization which results in the increased likelihood of attack.”

Hayley Tsukayama covers consumer technology for The Washington Post.


