The recently disclosed attack aimed at two websites pertaining to the San Francisco International Airport (SFO) is the work of Russian hackers, ESET claims.
In March, two SFO websites were found to have been compromised by hackers and injected with code designed to steal visitors’ Windows login credentials. The websites, SFOConnect.com and SFOConstruction.com, contain information on various airport-related topics but enjoy low traffic.
The code discovered on the websites, SFO revealed, was targeting only those visiting from outside the airport network, via Internet Explorer from Windows-based machines.
To contain the attack, SFO took down the websites and also prompted a reset of all SFO-related email and network passwords on March 23.
Some researchers noted at the time that the attack resembled that of a Magecart group, which usually injects malicious code into ecommerce websites to steal users’ credit card data.
However, ESET’s security researchers took it to Twitter to point out that the attack was targeting Windows credentials and that it should not be linked to Magecart stealers.
“Contrary to what several people reported, #ESETresearch assesses that this attack has no link with any Magecart credential stealer. The targeted information was NOT the visitor’s credentials to the compromised websites, but rather the visitor’s own Windows credentials,” ESET noted.
The security firm also pointed out that the compromise carries the marks of the Russia-based advanced persistent threat (APT) actor tracked as Dragonfly.
Also known as Crouching Yeti and Energetic Bear, the threat actor has been active since at least 2010, mainly targeting the energy sector in the United States and Europe.
“The recently reported breach of #SFO airport websites is in line with the TTPs of an APT group known as Dragonfly/Energetic Bear. The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” ESET said.
The code would employ the file:// path to load an image from a remote server, causing Internet Explorer to load the image using the SMB (Server Message Block) protocol, which results in the victim’s Windows credentials (username and hashed password) being sent to the remote server.
Modern browsers are likely protected from such attacks, but older versions of Internet Explorer will likely fall victim to the credential theft attempt.
ESET security researcher Matthieu Faou noted in a tweet on April 14 that SFO was informed of Dragonfly’s attack in March, and that the issue was addressed immediately after that.