Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Attack on San Francisco Airport Linked to Russian Hackers

The recently disclosed attack aimed at two websites pertaining to the San Francisco International Airport (SFO) is the work of Russian hackers, ESET claims.

The recently disclosed attack aimed at two websites pertaining to the San Francisco International Airport (SFO) is the work of Russian hackers, ESET claims.

In March, two SFO websites were found to have been compromised by hackers and injected with code designed to steal visitors’ Windows login credentials. The websites, SFOConnect.com and SFOConstruction.com, contain information on various airport-related topics but enjoy low traffic.

The code discovered on the websites, SFO revealed, was targeting only those visiting from outside the airport network, via Internet Explorer from Windows-based machines.

To contain the attack, SFO took down the websites and also prompted a reset of all SFO-related email and network passwords on March 23.

Some researchers noted at the time that the attack resembled that of a Magecart group, which usually injects malicious code into ecommerce websites to steal users’ credit card data.

However, ESET’s security researchers took it to Twitter to point out that the attack was targeting Windows credentials and that it should not be linked to Magecart stealers.

“Contrary to what several people reported, #ESETresearch assesses that this attack has no link with any Magecart credential stealer. The targeted information was NOT the visitor’s credentials to the compromised websites, but rather the visitor’s own Windows credentials,” ESET noted.

The security firm also pointed out that the compromise carries the marks of the Russia-based advanced persistent threat (APT) actor tracked as Dragonfly.

Advertisement. Scroll to continue reading.

Also known as Crouching Yeti and Energetic Bear, the threat actor has been active since at least 2010, mainly targeting the energy sector in the United States and Europe.

“The recently reported breach of #SFO airport websites is in line with the TTPs of an APT group known as Dragonfly/Energetic Bear. The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” ESET said.

The code would employ the file:// path to load an image from a remote server, causing Internet Explorer to load the image using the SMB (Server Message Block) protocol, which results in the victim’s Windows credentials (username and hashed password) being sent to the remote server.

Modern browsers are likely protected from such attacks, but older versions of Internet Explorer will likely fall victim to the credential theft attempt.

ESET security researcher Matthieu Faou noted in a tweet on April 14 that SFO was informed of Dragonfly’s attack in March, and that the issue was addressed immediately after that.

Related: San Francisco International Airport Discloses Data Breach

Related: Russian Cyberspies Hacked Routers in Energy Sector Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...