auremar - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Russian threat group suspected of hacking SFO

San Francisco International Airport disclosed a data breach affected employees and third-party contractors, and ESET researchers said a Russian APT was likely behind the attack.

Russian state-sponsored threat actors are suspected to have hacked San Francisco's airport last month.

The San Francisco International Airport (SFO) disclosed a data breach last Tuesday that affected a number of employees and third-party contractors who accessed SFOConnect.com and SFOConstruction.com in March. While SFO did not offer any insight into who hacked the websites, researchers from antimalware vendor ESET this week said the breach appeared to be the work of a Russian APT known as Dragonfly/Energetic Bear.

The attackers utilized "malicious computer code" in order to steal select users' Windows login credentials, according to the SFO's breach notification.

"Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO," the breach disclosure notice read.

ESET Research reported on Tuesday that the breach was "in line with the TTPs [tactics, techniques and procedures] of an APT group known as Dragonfly/Energetic Bear," and that "The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix."

After the malicious code was discovered, both websites were temporarily taken offline and the airport forced a reset of all "SFO related email and network passwords."

SFO did not return SearchSecurity's request for comment.

Dragonfly/Energetic Bear has been active since 2011. Initially the cyberespionage group targeted defense contractors, aviation companies and government agencies. In recent years, security researchers observed the group targeting critical infrastructure in the U.S. In 2017, Symantec reported a "Dragonfly 2.0" campaign was attempting to infiltrate the networks of energy companies.

Dig Deeper on Cyberespionage and nation-state cyberattacks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close