In March 2020, two websites linked with the San Francisco International Airport (SFO) had been compromised and malicious code injected into them designed to steal Windows login credentials. The two websites that were compromised were SFOConnect.com and SFOConstruction.com, which contain information about various topics associated with the airport but have low traffic generation. According to a new analysis, there appears to be a strong link between a known Russian advanced persistent threat (APT) group and the incident.
Details of the attack were made public by airport authorities via a memorandum published on April 7, 2020. Details are sparse about the attack itself. The airport authority did specify that the affected websites were taken offline and passwords reset on March 23. In a series of interviews conducted with Security Week a couple of security experts shared their views on the topic. Ameet Naik of PerimeterX said,
“This is a clear example of a Magecart-style attack. This data was stolen directly from the users’ browsers even before it reached SFO systems. Since this happened on the users’ devices, the website administrators would have had no visibility into it. This is what makes Magecart attacks so prevalent and hard to detect,”
Included in the article were comments made by James McQuiggan, security awareness advocate at KnowBe4, who stated,
“Attackers know that people tend to reuse passwords across different websites and take credentials collected from other sites, then try to use them to log into more valuable websites, such as banks. It is vital to ensure that people are taught about the dangers of reusing passwords across multiple websites and that people enable multi-factor authentication, such as a text message with a code or a code generated from an app on a smart phone, wherever possible,”
Following a week’s worth of silence on the matter security firm ESET to share their thoughts on the matter. These differ considerably from those who suggested that the attack was a MageCart-styled attack.
MageCart attacks involve hackers injecting malicious code into webpages, normally shopping cart pages of eCommerce platforms, which steal entered card details. ESET security researcher’s shared their thoughts via Twitter. One such post stated,
“Contrary to what several people reported, #ESETresearch assesses that this attack has no link with any Magecart credential stealer. The targeted information was NOT the visitor's credentials to the compromised websites, but rather the visitor's own Windows credentials,”
Interestingly, the firm followed up with another tweet stating,
“The recently reported breach of #SFO airport websites is in line with the TTPs of an APT group known as Dragonfly/Energetic Bear. The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,”
The code mentioned in the above tweet would employ the file:// path to load an image from a remote server, causing Internet Explorer to load the image using the SMB (Server Message Block) protocol, which results in the victim’s Windows credentials (username and hashed password) being sent to the remote server. If the potential victim was using a modern browser, such as Chrome, Firefox, or Safari then no sending of Windows credentials would occur. However, if the victim used an older version of Internet Explorer their credentials could have indeed have been stolen. ESET believes that the attack has all the hallmarks of Dragonfly, an infamous APT group linked to Russia. The group goes by a number of other names including Crouching Yeti and Energetic Bear. This publication has previously tracked the group’s activities as Energetic Bear and will refer to the group as such to avoid confusion.
The group is believed to have started operations in either 2010 or 2011 and initially began targeting companies in the aviation sector but shifted operations in 2013 to go after targets in the energy sector. That being said the group is suspected of targeting companies in the industrial, pharmaceutical, and construction sectors along with targets within the energy sector. One of the last well-known incidents involving Energetic Bear was in 2018 which prompted the US Department of Homeland Security to issue an alert warning industries that they may be targeted and what they should expect to see if compromised. In the alert, one of the APT group’s favored tactics was illuminated upon. That favored tactic being watering hole attacks. It was noted in the alert that,
The group’s use of such tactics was further detailed in a Kaspersky report detailing the group’s attack on servers. In that instance, the campaign was global and not limited to the group’s traditional targets be that aviation or in the energy sector. Compromised servers were found belonging to political parties, hotel chains, charities, as well as web servers hosting multiple domains. This prompted Kaspersky to publish an incredibly detailed report tracking the group’s actions to command and control servers in Russia. Many of the group’s tactics were revealed, including the use of publicly available tools and the use of watering hole attacks. At the time the report was released, around the same time as the Department of Homeland Security alert, the group appeared to be the only APT making use of the LightsOut exploit kit for malware distribution via watering hole attacks.
Energetic Bear or MageCart
It has been repeatedly said, in this publication, as well as others, that attributing attacks is one of the most difficult tasks faced by security researchers. In attempting to answer whether Energetic Bear or MageCart hackers were behind the cyberattack on SFO’s websites both present compelling cases. MageCart attacks have seen a growth in popularity since 2019 and use similar tactics in compromising websites as watering hole attacks. In a watering hole attack, an attacker looks to compromise a specific group of end-users by infecting websites that members of the group are known to visit. Traditionally the goal is to infect a targeted user's computer and gain access to the network at the target's place of employment. Historically, they have tended to focus on compromising a popular website so as to install backdoors on any number of visitors to the site. This is done by exploiting certain vulnerabilities on visitor’s machines.
The SFO websites do not appear to be eCommerce sites, but rather deliver information as well as facilitate employee actions. The vast majority of MageCart attacks are financial in nature. They aim to steal credit card details to be either sold on the Dark Web or used to buy items fraudulently. Compromising the SFO websites which see low traffic and little in the way of users entering the card details seems to be of little benefit to the MageCart attacker. This does not rule out the compromise may have been accidental. In this case, however, the writer would have to agree with ESET’s assertion that the attack formed part of an APT campaign.
If the attack is viewed as a watering hole attack the attack itself does make more sense with the attacker being able to derive more benefit from the attack. Being able to steal Windows login credentials of the airport's staff could be a vital step in the further compromise of the airport’s network. Energetic Bear started out primarily targeting companies in the aviation sector and while a lot of their focus in recent years has been on the energy sector they have proven capable of going after other targets other than their favored ones. This attack may be an indicator that the group has once again placed the aviation sector in its crosshairs. Given the current economic difficulties faced by the sector during the COVID-19 pandemic, it may be easier now to compromise companies operating within it.