HVAC vendor eyed as entry point for Target breach

Federal officials are investigating whether an unsuspecting heating and air conditioning company was the door hackers used in the massive breach of Target's computer network.

A heating and air conditioning contractor may have provided the opening hackers exploited in the massive breach of Target's computer network.

And it didn't even know it.

This new information about the Target (TGT) breach highlights the potential for serious vulnerabilities at other major U.S. retailers. It also raises a head-scratcher: How could a heating contractor's password open up the secure systems used to process customer payments?

The contractor -- first identified by independent security researcher Brian Krebs -- said Thursday it was the victim of a breach and was cooperating with federal officials investigating the Target hack.


"Like Target, we are a victim of a sophisticated cyber attack operation," said Ross Fazio, president of Fazio Mechanical Services, in a statement. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach."

Fazio declined to elaborate on the nature of the attack, but Target said last week stolen vendor credentials were used in the breach of payment and personal information for as many as 110 million customers.

The company connects to Target's networks for billing and contracts, he said.


The contractor does not handle customer credit or debit card payments for Target, but security experts say its stolen credentials got the hackers past the hardest step: breaching the company's fortified perimeter.

"Once an attacker gets in, lateral movement is really difficult to detect because most organizations are perimeter-focused," said Eddie Schwartz with the security association ISACA and vice president of global security solutions at Verizon Enterprise Solutions. He said networks guard against intrusion, but "there's a general expectation of trust once you're inside those walls."

Think of a network as a house, Schwartz said: You can have several doors, each with a different lock, but if just one key is stolen, the perpetrator can get in. Once inside, he can move between rooms and easily hide to avoid detection.

While retailers build defenses around their payment systems, they may not invest as heavily in protecting the systems used for building management.


"They haven't been engineered with security in mind," said Mike Weber, the managing director of Coalfire Labs. "They haven't been built to be secure from a dedicated hacker. They've been built for availability needs, to be up all the time."

His firm audits and penetration-tests corporate networks. He advises clients to segment their networks, putting walls between systems so that access to one does not grant access to the rest, and to replace default passwords.
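The two points above, that a flat network lets a stolen credential roam unnoticed once it is past the perimeter and that segmentation is the fix, can be made concrete with a small policy check. The following is an added example, not code from the article or from any company it names: it models a segmented network as a table of permitted zone-to-zone flows, then runs constructed connection-log lines through it and flags successful hops that cross a wall, such as a vendor account reaching a host in the payment environment. The same log is also evaluated under a flat, perimeter-only policy to show that those hops are invisible there. Zone ranges, the account name hvac-vendor and the log lines are all hypothetical.

```python
"""Zone-policy check over constructed connection logs.

Added example (not from the article or any company it names). Models a
segmented network as a set of permitted (source zone -> destination zone)
flows and flags successful connections that cross a wall the policy does
not permit. All zones, accounts and log lines are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zones. "payment" stands for the card-data environment the
# article says retailers defend hardest; "vendor_portal" for the billing and
# contracts system a contractor would log in to.
ZONES = {
    "vendor_portal": ip_network("10.10.0.0/24"),
    "building_mgmt": ip_network("10.20.0.0/24"),
    "payment":       ip_network("10.40.0.0/24"),
    "corp":          ip_network("10.30.0.0/16"),
}

# Segmented policy: the only flows permitted. Nothing outside the payment
# zone may enter it.
SEGMENTED_FLOWS = {
    ("external", "vendor_portal"),
    ("vendor_portal", "vendor_portal"),
    ("building_mgmt", "building_mgmt"),
    ("corp", "corp"),
    ("corp", "vendor_portal"),
    ("corp", "building_mgmt"),
    ("payment", "payment"),
}

# Flat, perimeter-only policy: anything already inside may reach anything
# inside; only the entry from outside is controlled.
INTERNAL = set(ZONES)
FLAT_FLOWS = {(s, d) for s in INTERNAL for d in INTERNAL} | {("external", "vendor_portal")}

# Accounts issued to third parties (hypothetical). A success against the
# payment zone by one of these is flagged even if the flow table allows it.
THIRD_PARTY_ACCOUNTS = frozenset({"hvac-vendor"})

LOG_RE = re.compile(
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+result=(?P<result>\S+)"
)


@dataclass(frozen=True)
class Finding:
    user: str
    src_zone: str
    dst_zone: str
    line: str


def zone_of(ip: str) -> str:
    """Map an address to its zone, most specific prefix first; unknown => external."""
    addr = ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return "external"


def check_line(line, allowed_flows, watch_accounts=frozenset()):
    """Return a Finding if this successful connection crosses a wall, else None."""
    m = LOG_RE.search(line)
    if not m or m["result"] != "success":
        return None  # unparsable or failed attempt: nothing to flag here
    src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
    crosses_wall = (src_zone, dst_zone) not in allowed_flows
    third_party_in_payment = m["user"] in watch_accounts and dst_zone == "payment"
    if crosses_wall or third_party_in_payment:
        return Finding(m["user"], src_zone, dst_zone, line.strip())
    return None


def find_lateral_movement(lines, allowed_flows=SEGMENTED_FLOWS,
                          watch_accounts=THIRD_PARTY_ACCOUNTS):
    return [f for f in (check_line(l, allowed_flows, watch_accounts) for l in lines) if f]


# Constructed log: the vendor account logs in to the portal legitimately, then
# is seen hopping to a corporate host and from there into the payment zone.
SAMPLE_LOG = [
    "t=1 user=hvac-vendor src=203.0.113.7 dst=10.10.0.5  result=success",
    "t=2 user=hvac-vendor src=10.10.0.5   dst=10.30.4.19 result=success",
    "t=3 user=svc-hvac    src=10.20.0.3   dst=10.20.0.8  result=success",
    "t=4 user=hvac-vendor src=10.30.4.19  dst=10.40.0.12 result=success",
    "t=5 user=hvac-vendor src=10.30.4.19  dst=10.40.0.13 result=failure",
    "t=6 user=pos-admin   src=10.40.0.2   dst=10.40.0.12 result=success",
]

if __name__ == "__main__":
    for f in find_lateral_movement(SAMPLE_LOG):
        print(f"{f.user}: {f.src_zone} -> {f.dst_zone}  [{f.line}]")
    print("findings under flat policy, no account watch:",
          len(find_lateral_movement(SAMPLE_LOG, FLAT_FLOWS, watch_accounts=frozenset())))
```

Under the segmented policy the run flags two hops (portal to corporate, corporate to payment); under the flat policy with no per-account rule it flags none, which is the "expectation of trust once you're inside" in miniature. The flow table is the part that belongs in a firewall or VLAN ACL; the account-watch rule is the cheap detection an organization can add even before it finishes segmenting.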

Fazio said his company's "IT system and security measures are in full compliance with industry practices." A law enforcement official familiar with the investigation said the Secret Service was working to determine whether the contractor was involved in the Target breach.

When asked about the contractor's possible role, Target spokeswoman Molly Snyder said she could not comment, citing the ongoing investigation.
