San Francisco International Airport
| Primary URL | Location | Industry |
|---|---|---|
| www[.]flysfo[.]com | Country: United States of America | Transportation |
Profile
San Francisco International Airport, commonly referred to as SFO, operates as a major aviation hub. Its digital presence includes dedicated online platforms such as SFOConnect.com and SFOConstruction.com, which serve employees and contractors and potentially support aspects of facility development. These websites represent critical internal infrastructure for managing airport operations and personnel. The airport's primary function involves facilitating commercial air travel, encompassing passenger services, cargo handling, and supporting airline operations within its facilities.
In March 2020, SFO experienced a significant cybersecurity incident targeting its SFOConnect.com and SFOConstruction.com websites. Russian state-sponsored threat actors, identified as Energetic Bear, deployed malicious code exploiting an Internet Explorer vulnerability. This attack specifically aimed to harvest Windows login credentials from visitors by capturing NTLM hashes. The attackers employed tactics like abusing SMB features and file:// prefixes, indicative of attempts to enable lateral movement within the network for potential reconnaissance or sabotage objectives. While the breach compromised credentials accessed via these specific websites, no evidence indicated broader network compromise beyond this initial vector. SFO responded by resetting all employee passwords and advising affected users to change their Windows credentials to mitigate the risk. This incident highlighted the airport as a target for sophisticated adversaries expanding beyond their traditional energy sector focus.
