Cyber Incident Victim: Navy Zebra

Date:

Aug 2016

Location:

United States of America

Summary

A subsidiary of Bankcard Services supplying point-of-sale systems to U.S. businesses was compromised as part of a coordinated campaign targeting multiple POS providers. Attackers, suspected to be a Russian cybercrime group leveraging Carbanak malware, infiltrated vendors' servers to steal credentials and establish backdoors, aiming to pivot into retailers' systems for credit card data exfiltration. The breach involved evidence of unauthorized access via two server backdoors, though the company asserted no private data was stored. This incident aligned with broader exploitation of third-party web portal vulnerabilities across the sector, enabling potential credential harvesting and remote system infiltration. The campaign highlighted threat actors' focus on POS supply chains as entry points into retail networks.

Description

In August 2016, cybersecurity researchers revealed a coordinated campaign targeting point-of-sale (PoS) system vendors, including Navy Zebra, a subsidiary of Bankcard Services supplying payment systems to 26,000 U.S. businesses. The attacks, attributed to a Russian-speaking cybercrime group, exploited vulnerabilities in vendor servers to implant backdoors and steal credentials. Attackers first compromised PoS vendors' infrastructure, then leveraged stolen credentials to attempt remote access to downstream retailers' systems, where credit card data could be harvested. Navy Zebra confirmed investigating the breach after hackers provided evidence of two separate backdoors on their servers. While the company stated it did not store "private data," the compromised access raised concerns about potential infiltration of its client networks. This incident occurred alongside breaches at four other PoS providers—Oracle's MICROS, Cin7, ECRS, and PAR Technology—collectively impacting over 1 million payment terminals globally.

The attackers employed a consistent methodology across targets, exploiting recently discovered vulnerabilities in third-party web server software. In Navy Zebra's case, an English-speaking hacker claimed to have already sold access to the compromised server prior to public disclosure. Forensic evidence suggested the group used Carbanak malware, historically associated with financial theft exceeding $1 billion, sometimes deployed alongside Dridex banking trojans for initial infiltration. While Navy Zebra did not confirm data exfiltration, the breach's discovery prompted internal investigations and heightened monitoring of merchant systems. The company's public response remained limited to acknowledging the investigation, contrasting with other affected vendors like ECRS and Cin7, which confirmed malware removal and forced password resets. The incident highlighted systemic risks in the PoS supply chain, with attackers targeting vendors as gateways to penetrate retail networks at scale.
