Here's an update from Krebs with some insight into the HVAC vendor: http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
Spoiler: they weren't using real-time antivirus. There's more humor in the update, like using AD credentials possibly being the reason for the two networks to be connected, Target making it easy to target (HA) vendors by having some of their data public on the internet...