Neiman Marcus Tied to Heartland Breach?Experts Say Many Breach Trails Lead Back to Russia
In response to recent news reports, fraud analysts say it's no stretch to assume the Neiman Marcus data breach may have ties to the same criminal group responsible for the 2008 network attack on Heartland Payments Systems Inc. and other entities.
That's because the malware used to capture and steal card data in most of these attacks have been traced to hackers based in Russia and other parts of Eastern Europe (see Target Malware: Exploring the Origins).
But tracking the attacks is one thing, says financial fraud expert Shirley Inscoe, an analyst at consultancy Aite. Taking down the organized crime rings that are behind the attacks is quite another challenge.
"This syndicate [linked to the attacks] is the same group we often refer to as the Russian Mafia," Inscoe says. "They are extremely dangerous on many fronts. There has been little progress in stopping the Russian Mafia's efforts in the past, and as political conditions deteriorate between the U.S. and Russia, there is little hope of international cooperation to shut them down."
A recent Bloomberg news report suggests that the Russian syndicate may be responsible for the theft of more than 160 million credit and debit cards, including the 350,000 breached during the Heartland attack, over the past seven years.
Investigators reportedly say Heartland hacker Albert Gonzalez was likely backed by the same group responsible for the breach at Neiman Marcus, as well as breaches suffered by Citigroup and J.C. Penney Co., which allegedly was one of the retailers compromised around the same time as Heartland.
Neiman Marcus could not be reached for comment about possible connections to those breaches and others.
But Inscoe says all of these attacks are likely connected in some way, because the malware is so easy to obtain in underground forums.
"Law enforcement does try to infiltrate some of these groups, and occasionally makes an arrest," she says. "Unfortunately, this happens too infrequently to put a dent in cyber-crime."
Avivah Litan, a distinguished analyst and fraud expert at consultancy Gartner, says it's difficult to isolate card breaches.
"These criminals are sharing code and malware that target retailer point-of-sale systems," Litan says. "The base code targeting retailers is typically part of a malware family called BlackPOS. In my view, this is how the attacks on Target and Neiman Marcus are linked. They were both based on similar code sets that were customized for their victims. The gangs perpetrating the crimes were different."
Litan does say, however, that the malware being used in most recent retail attacks appears to be well written and deployed.
"The code has multiple modules -- about five or six -- that each has a specific, dedicated function, such as data collection or data exfiltration," she says. "In my view, that's pretty sophisticated."
Gonzalez' link to other hackers in Russia emerged during his prosecution for the Heartland hack, as well as the subsequent indictment of some of his co-conspirators, says Kim Peretti, the former federal prosecutor who helped convict Gonzalez.
In July 2013, Peretti told Information Security Media Group that the indictment of four others connected to Gonzalez revealed the hackers had intricate knowledge of the U.S. payments industry, and they all had ties to Eastern Europe.
The indictments, which included charges against four Russians and a Ukrainian, revealed a number of new details about numerous card breaches, some of which date back to 2005, she said. Those cases are still pending in federal court.
"We see a range of capabilities from these groups," said Peretti, now a partner within Washington-based law firm Alston & Bird LLP's white collar crime group. "In some ways, you might question how remarkable [it is] they [law enforcement officials] were able to find these individuals."
Andrew Komarov, CEO of the cybercrime intelligence firm IntelCrawler, says there's mounting evidence to suggest that Eastern European hackers, such as those in the Heartland and $9 million RBS WorldPay heist, are somehow involved in today's retail attacks.
But taking down international hacking groups is not easy, he says. "When bad actors from country A create a malware program for the POS, like Dexter or BlackPOS, and then hackers from country B use it after a successful intrusion, and country C is used for stolen credit card distribution, proving who was behind the keyboard when the crime was committed gives law enforcement fits."