

Home Depot announced earlier this week that it had been the victim of a data breach. (Reuters/Jim Young)

Security researchers say that the code of the malware believed to have been used in a string of data breaches at U.S. retail stores over the past year, including a potentially massive breach at Home Depot, contains links to commentary accusing the United States of fomenting unrest around the world.

One of the linked images that cybersecurity firm Trend Micro discovered among the latest versions of the BlackPOS malware shows a matchbox with the American flag on it next to Molotov cocktails emblazoned with the flags of Syria, Libya, Egypt and Ukraine. Krebs on Security's Brian Krebs, who first broke the Home Depot breach story, has reported that BlackPOS infected at least some of the registers involved in the Home Depot hack.

But experts say those links don't necessarily mean that ideology was the driving force behind the hacks. Instead, the key motivator was likely cold, hard cash.

When hackers focus on sneaking into systems for financial data, "there's an eye towards financial gain," explains Carnegie Mellon professor Nicolas Christin. And in the retail breaches, hackers appear to have hidden out in retail systems for weeks or sometimes even months, quietly exporting payment card information that eventually made its way onto sites that sell breached data.

The criminal enterprises created around the supply chain for stolen financial information are incredibly businesslike, says Tom Kellermann, the chief cybersecurity officer at cybersecurity firm Trend Micro. And they're almost entirely controlled by a cartel-like structure that organizes around Russian-language online forums that serve as marketplaces for stolen information.

"There are less than a couple hundred people who are involved in the most significant attacks, and [they're] almost all Russian-speaking," he says. "There's a tremendous amount of organizational and hierarchical structure with a robust economy of scale that delivers both data mining, carding [credit card sale dumps] and other services which exists as quasi-untouchables in a way almost unheard of since Al Capone and his gangs in the 1920s."

Within that system, as in other market economies, specialization is rewarded, says Art Gilliland, senior vice president and general manager of Enterprise Security Products at Hewlett Packard. It's possible, he says, that the author of the code that links to anti-American messages holds those specific beliefs. But the larger organization deploying the code against retailers might not even know that the messages existed in the code.

But Kellermann says there is a growing amount of nationalism and patriotism seen in attacks for various historical and cybercrime-related reasons -- including that U.S. law enforcement has paid greater attention to these groups in recent years. And there have been instances when political ideologies appear to have motivated cyberattacks, with conflicts moving from the physical realm to the digital.

In 2013, a series of distributed denial-of-service (DDoS) attacks targeting U.S. financial institutions, a type of attack that can knock sites or services offline, was reportedly attributed to Iranian hackers by U.S. officials, while cyberattacks against Georgia during the 2008 Russo-Georgian war have been widely attributed to civilian pro-Russian hackers.

But those types of attacks focused more on disruption of services than the theft of financial information, says Christin. In the case of the Georgian attacks, Kellermann says, the perpetrators are believed to have been a group of prolific cybercriminals who acted patriotically on behalf of the regime as an homage -- "a showing of their worth as a national asset to national leadership, rather than on direct orders."

That may not be what's behind the attacks on retailers, according to experts. "Most targeting retailers appear to be in it for their own personal financial gain, not some form of financial cyberterrorism," Kellermann says.

"I don’t personally draw a strong line between nationalism and financially motivated cybercrime," agrees Trey Ford, a global security strategist at cybersecurity firm Rapid7. But like any other industry, he says, the professionals who work in it are going to have certain sentiments -- some of which may bleed into their work or their communications.

"At the end of the day, crime is a business," Ford says. "Based on where they are geographically they are going to have different values that are referenced in some of their notes. But you take your business wherever you can conduct it with the lowest cost and highest profits."

There are a few reasons why U.S. retailers could look like juicy targets to cybercriminals. The stores tend to process a huge number of transactions, typically using magnetic stripe credit cards that are less secure than the chip-and-PIN models used in other parts of the world. Given the current delay in disclosures, though, Ford says it's possible that these types of point-of-sale attacks are occurring elsewhere in the world but just haven't been uncovered yet.
