Russian threat group suspected of hacking SFO

Russian state-sponsored threat actors are suspected to have hacked San Francisco's airport last month.

The San Francisco International Airport (SFO) disclosed a data breach last Tuesday that affected a number of employees and third-party contractors who accessed SFOConnect.com and SFOConstruction.com in March. While SFO did not offer any insight into who hacked the websites, researchers from antimalware vendor ESET this week said the breach appeared to be the work of a Russian APT known as Dragonfly/Energetic Bear.

The attackers utilized "malicious computer code" in order to steal select users' Windows login credentials, according to the SFO's breach notification.

"Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO," the breach disclosure notice read.

ESET Research reported on Tuesday that the breach was "in line with the TTPs [tactics, techniques and procedures] of an APT group known as Dragonfly/Energetic Bear," and that "The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix."

After the malicious code was discovered, both websites were temporarily taken offline and the airport forced a reset of all "SFO related email and network passwords."

SFO did not return SearchSecurity's request for comment.

Dragonfly/Energetic Bear has been active since 2011. Initially the cyberespionage group targeted defense contractors, aviation companies and government agencies. In recent years, security researchers observed the group targeting critical infrastructure in the U.S. In 2017, Symantec reported a "Dragonfly 2.0" campaign was attempting to infiltrate the networks of energy companies.