Case Study: Home Depot Attack (2014)

[Professor]

Below is a detailed educational case study of the Home Depot cyberattack (2014), one of the largest data breaches in retail history, similar in many ways to the Target attack but even larger. This case study is aimed at cybersecurity professionals, carders, penetration testers, and students studying POS security, supply chain, and APT attacks.

Case Study: Home Depot Attack (2014)​

Educational Analysis of Massive POS Malware Data Leak​

Time of attack: April – September 2014
Victim: The Home Depot, the world's largest home goods retailer
Scale:

• 56 million compromised bank cards
• 53 million PII records (customer personal information)
  Damage: > $270 million (estimated) - fines, lawsuits, compensation, system upgrades
  Attack type: APT (Advanced Persistent Threat) using custom POS malware (FrameworkPOS / BlackPOS-like)

1. General attack scheme​

[1] Phishing → [2] Access via provider → [3] Network movement → [4] Mass infection of POS → [5] Data collection and leakage

The attack lasted five months, and, as with Target, internal security systems detected anomalies but did not respond.

2. Stage 1: Entry Vector – Compromise of Provider Credentials​

Purpose: HVAC Contractor​

• Home Depot partnered with an undisclosed contractor to supply the HVAC equipment.
• The contractor had remote access to Home Depot systems via VPN for monitoring and maintenance.

How the compromise occurred:​

1. The attackers (the FIN7/Carbanak group, the same one behind the Target attack) carried out a phishing campaign.
2. Credentials (login and password) have been stolen.
3. Via VPN access - login to the Home Depot corporate network.

Error:

• No MFA (Multi-Factor Authentication) for providers.
• No segmentation - access is critical but not restricted.

3. Stage 2: Reconnaissance and Movement through the Network​

What the attackers did:​

• Used Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) attacks to escalate privileges.
• Gained access to the domain controller (Active Directory).
• Conducted a network scan (using legal tools, such as PsExec, Nmap-like utilities).
• Determined POS management servers and IP ranges of cash terminals.

The attackers acted slowly and stealthily, avoiding loud anomalies.

4. Stage 3: Infection of POS systems​

Malware used: FrameworkPOS (aka MalumPOS, NewPosThings)​

• A custom, modified version of BlackPOS (used at Target).
• Written in C++, works in memory (fileless).
• Purpose: RAM scraping – extracting PAN from the RAM of POS terminals.

How it worked:​

1. Uploaded to the central POS software deployment server.
2. Through a legitimate update mechanism - sent to 70,000+ terminals in the US and Canada.
3. Activated with every transaction.

RAM Scraping: Searching for data in memory​

Home Depot's POS systems used a hybrid architecture:

[Card] → [Reading] → [PAN temporarily in PC RAM] → [Encryption] → [Processing]

FrameworkPOS:

• Scanned RAM every 10-15 minutes.
• I searched for data using regular expressions (for example, ^4[0-9]{12,15}$ — Visa).
• Tested the Luhn algorithm for number validation.
• Filtered duplicates and outdated data.
• Saved:
  • PAN
  • Validity period
  • Holder name
  • Store number

The data was stored in memory in clear text, because encryption occurred after transmission to the PC.

5. Step 4: Data Extraction​

Leak mechanism:​

• The collected data was encrypted (AES) and packed.
• Sent to external serversvia:
  • HTTPS traffic to legitimate domains (masking).
  • DNS tunneling.
• C&C servers were located in Russia, Ukraine, China, and Malaysia.

Leak volume:​

• 56 million cards - 40% more than Target.
• 53 million PII - including email, phone, address.
• The data was sold on the darknet under the name "Joker's Stash".

The leak lasted from April to September 2014, but was only discovered in September.

6. Why was the attack not detected?​

6.1 FireEye system worked, but alerts were ignored​

• Home Depot used FireEye —as did Target.
• The system detected suspicious DNS requests and C&C communications.
• However, the security service did not interpret the warnings.
• There was no SOC center with 24/7 monitoring.

Repeating the Target mistake: the technology is there, but the processes are not.

6.2. No network segmentation[​

• POS systems were not isolated into a separate VLAN.
• The attackers moved freely from the HVAC network to the cash registers.

6.3 No DLP and EDR​

• There were no data leak detection (DLP) systems.
• No next-generation endpoint protection (EDR).
• Antivirus did not recognize FrameworkPOS - it is a custom malware.

7. Home Depot's Technical and Organizational Errors​

ERROR	CONSEQUENCES
No MFA for suppliers	Stolen credentials = full access
No network segmentation	Free movement of attackers
Hybrid POS without P2PE	PAN in clear text in PC memory
Using outdated software	Windows XP, vulnerable versions of Java
Ignoring FireEye alerts	The response window has been missed
No centralized monitoring (SIEM)	It is impossible to correlate events

8. Consequences and Lessons​

8.1 Financial and legal consequences​

• Damage: >$270 million
  • $134 million - direct costs (investigation, client notification).
  • $19 million - settlement with banks.
  • $13 million - compensation to clients.
  • Dismissal of CIO and other top managers.
• Loss of trust: loss of reputation, lawsuits.

8.2. Changes after attacks​

• Home Depot has completely rebuilt its IT infrastructure:
  • Implemented P2PE on all terminals.
  • Switched to EMV chip transactions.
  • Implemented tokenization.
  • Installed SIEM and EDR.
  • Trained the staff.
• Tightened supplier access policies.

8.3 Key Lessons​

LESSON	RECOMMENDATION
The supply chain is the weak link	Restrict access, use MFA, ZTNA
Segmentation is a must	VLAN for POS, prohibit access from outside
RAM scraping is a real threat	Use P2PE so that the PAN is never in the PC's memory
Alerts need to be processed	Implement SOC, use SIEM with correlation rules
Update your software	Ditch EOL systems
Encrypt and tokenize	PAN must not be stored or transmitted in clear text.

9. Comparison with the attack on Target​

PARAMETER	TARGET (2013)	HOME DEPOT (2014)
Maps leak	40 million	56 million
Duration	3 weeks	5 months
Input vector	HVAC contractor	HVAC contractor
Malvar	BlackPOS	FrameworkPOS (BlackPOS clone)
Detection system	FireEye	FireEye
Reaction to alerts	Ignored	Ignored
Damage	~$200 million	~$270 million
Consequences	CEO dismissal	CIO dismissal

Bottom line: Home Depot repeated Target's mistakes, even though the Target incident happened just a year earlier.

10. Sources and documentation​

• Home Depot Official Report (2015) - https://investors.homedepot.com
• FBI and DOJ Indict FIN7 Members
• KrebsOnSecurity - An Investigation by Brian Krebs
• MITRE ATT&CK:
  • T1190 – Exploit Public-Facing Application
  • T1059 – Command and Scripting Interpreter
  • T1003 – OS Credential Dumping
  • T1070 – Indicator Removal

Conclusion​

The Home Depot attack is not just a hacker attack, but a systemic failure in cybersecurity:

• Underestimating supply chain risks.
• Lack of basic segmentation.
• Ignoring security signals.
• Outdated POS architecture.

Key lesson:
Technology won't save you if there is no safety culture, processes and accountability.

If you want, I can:

• Prepare an attack kill chain diagram using the MITRE ATT&CK model.
• Create a training pentest scenario based on this case.
• Show how FrameworkPOS analyzes memory (using pseudocode as an example).
• Compare Target, Home Depot, TJX in one table.

Write to me and I will delve into the topic you need!