Hartford Financial Malware Incident

The Connecticut-based, Fortune 100 company, Hartford Financial Services Group, one of the largest investment and insurance companies in the US, has reported a password-stealing Trojan found on a number of the company’s internal servers.

A letter sent to the affected employees says, “Hartford has detected a virus that infected our Windows server environment, which may have resulted in the capture of your personal information.  At this time, we do not know what, if any, personal information the virus may have captured from your session. We do know that the virus has the potential to capture confidential data such as bank account numbers, social security numbers, user accounts/logins, passwords, and credit card numbers.”

The W32-Qakbot Trojan malware event was first detected on February 28th, and an investigation traced it back to a February 22nd start time. A number of servers were compromised, including the Citrix servers used by employees to access company systems remotely. The malware event evolved into an incident once it was determined that around 300 individuals had been affected. Hartford notified the New Hampshire Attorney General and those who had been impacted about the breach at the beginning of March. According to ComputerWorld, the victims were mostly Hartford employees and contractors, and under 10 customers. All were notified that their Hartford passwords had been reset, and were urged to reset passwords for all sites visited while using the company systems during the time of the incident.

How the malware was able to gain access to the servers remains undisclosed; however, insurance companies have been targeted by spam and phishing campaigns for many years. Qakbot itself has been in the wild for about two years. Once installed on a computer, it spreads within the network, takes steps to cover its tracks, captures sensitive data, and opens back doors for hackers to directly access the compromised network. The company has been working with Symantec to clean up, patch and harden all of its systems, and has offered all affected employees and customers a free two-year subscription to a credit monitoring program.