Breach, Threat Management, Data Security, Malware

Report: Neiman Marcus breach work of Russian hackers who targeted Heartland

An evasive Russian hacking group, charged with stealing over 160 million card numbers  from numerous retailers and other organizations, is believed to be behind a major payment card breach at Neiman Marcus.

On Monday, Bloomberg Businessweek reported on the criminal organization, linking it to attacks on more than 100 companies over the years, including payment processor Heartland Payment Systems, Visa and JetBlue Airways.

Some retailers struck by the group, include 7-Eleven, J.C. Penney and France-based Carrefour SA, Bloomberg revealed.

Two former U.S. officials, who asked to remain anonymous, told the outlet that attempts to shut down the hacking network have “failed despite international sting operations and secret meetings with Russian intelligence officials,” the article said.

The group's operations, which date back to as early as August 2005 according to court documents (PDF), persisted even as central figures were captured or charged by law enforcement.

Last July, federal prosecutors in New Jersey charged five men for their involvement in the ring. The alleged Russian hackers, Vladimir Drinkman, Roman Kotov, Dmitriy Smilianets and Aleksandr Kalinin, along with Ukrainian Mikhail Rytikov, were named in an indictment unsealed by the U.S. attorney's office.

Albert Gonzalez pleaded guilty in Dec. 2009 to hacking Heartland Payment Systems, as well as retailers Hannaford Bros. and 7-Eleven, and was sentenced to 20 years in prison the following year for his crimes. But the July 2013 indictment charging Drinkman, Kotov, Smilianets and Kalinin with attacking Heartland and other businesses, also named Gonzalez as a co-conspirator in the schemes. Instant messages between the named individuals were also published in the court documents (starting on page 19). 

The more recent breach of Neiman Marcus, which was announced in January and is now being tied to the exploits of the Russian group, was originally said to have compromised 1.1 million customer card accounts. 

Now, the upscale retailer suggests that fewer cards (around 350,000) were actually impacted by malware on its payment systems.

On Monday, Avivah Litan, vice president and distinguished analyst at research firm Gartner, told via email that the criminal groups targeting retailers, including those that breached Target, appear to be sharing a common base code that is often part of the malware family, BlackPOS.

“From a big picture view and from what my sources tell me – these criminals are sharing code and malware that target retailer point-of-sale systems,” Litan wrote. “The code is out there and various criminal groups start with that code base and embellish it for individual retailers, such as Target.”

She later explained why international law enforcement efforts often stop short of completely dismantling organized hacking groups, even after central figures are captured.

“It doesn't help either that their governments (i.e. Russia and the Ukraine) often give them immunity because these hackers often contribute to their government leaders, either financially, or by offering technical services for free,” Litan said. “The only time these governments want to help catch these crooks is when they start stealing from their fellow citizens."

[This article was updated from an earlier version to include details on Albert Gonzalez, who was sentenced in 2010 for crimes related to the Heartland hack and attacks on other businesses.]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.