A security firm has begun to unravel exactly who was behind the massive security breach at Target that resulted in the credit card information of 110 million customers being stolen, and at the root is an "off the shelf" malware program written by a 17-year-old Russian.

According to IntelCrawler, a Los Angeles cyberintelligence company, an "inexpensive" malware program called BlackPOS written by a Russian teen is what was used in the attack that compromised Target, as well as possibly Neiman Marcus.

It is not believed that the teenager orchestrated the attacks, but simply that he wrote and sold the script that made it possible. Per IntelCrawler, the program was purchased by at least 40 cybercriminals, primarily in Eastern Europe. Earlier this week, Wired reported that the original BlackPOS coding was strengthened so that it would not be detected by antivirus programs.

The security firm also claims that the teenager is well-known in the hacking underground, and that his program was not exactly advanced. That said, the post-purchase altering may have been significant: according to Wired, another firm called iSight noted that "while some components of the breach operation were technically sophisticated, the operational sophistication of the compromise activity makes this case stand out."

IntelCrawler was harsher, saying that "it seems that retailers still use quite easy passwords on most remote-access" servers. If you're shocked that Target was lax with its security, don't be: they have profits to worry about.

[photo via IntelCrawler]