Security Experts:

Connect with us

Hi, what are you looking for?



Attack on San Francisco Airport Linked to Russian Hackers

The recently disclosed attack aimed at two websites pertaining to the San Francisco International Airport (SFO) is the work of Russian hackers, ESET claims.

The recently disclosed attack aimed at two websites pertaining to the San Francisco International Airport (SFO) is the work of Russian hackers, ESET claims.

In March, two SFO websites were found to have been compromised by hackers and injected with code designed to steal visitors’ Windows login credentials. The websites, and, contain information on various airport-related topics but enjoy low traffic.

The code discovered on the websites, SFO revealed, was targeting only those visiting from outside the airport network, via Internet Explorer from Windows-based machines.

To contain the attack, SFO took down the websites and also prompted a reset of all SFO-related email and network passwords on March 23.

Some researchers noted at the time that the attack resembled that of a Magecart group, which usually injects malicious code into ecommerce websites to steal users’ credit card data.

However, ESET’s security researchers took it to Twitter to point out that the attack was targeting Windows credentials and that it should not be linked to Magecart stealers.

“Contrary to what several people reported, #ESETresearch assesses that this attack has no link with any Magecart credential stealer. The targeted information was NOT the visitor’s credentials to the compromised websites, but rather the visitor’s own Windows credentials,” ESET noted.

The security firm also pointed out that the compromise carries the marks of the Russia-based advanced persistent threat (APT) actor tracked as Dragonfly.

Also known as Crouching Yeti and Energetic Bear, the threat actor has been active since at least 2010, mainly targeting the energy sector in the United States and Europe.

“The recently reported breach of #SFO airport websites is in line with the TTPs of an APT group known as Dragonfly/Energetic Bear. The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” ESET said.

The code would employ the file:// path to load an image from a remote server, causing Internet Explorer to load the image using the SMB (Server Message Block) protocol, which results in the victim’s Windows credentials (username and hashed password) being sent to the remote server.

Modern browsers are likely protected from such attacks, but older versions of Internet Explorer will likely fall victim to the credential theft attempt.

ESET security researcher Matthieu Faou noted in a tweet on April 14 that SFO was informed of Dragonfly’s attack in March, and that the issue was addressed immediately after that.

Related: San Francisco International Airport Discloses Data Breach

Related: Russian Cyberspies Hacked Routers in Energy Sector Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.