{
	"id": "86cb4191-1a0f-4f3c-b6b6-51ab1b2be58f",
	"created_at": "2026-04-06T01:30:44.281541Z",
	"updated_at": "2026-04-10T13:12:23.259962Z",
	"deleted_at": null,
	"sha1_hash": "195d82e804434676708a51353dbe24d2729cae95",
	"title": "Russian state hackers behind San Francisco airport hack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46001,
	"plain_text": "Russian state hackers behind San Francisco airport hack\r\nBy Catalin Cimpanu\r\nPublished: 2020-04-14 · Archived: 2026-04-06 00:41:44 UTC\r\nHackers believed to be operating on behalf of the Russian government have hacked two websites operated by the\r\nSan Francisco International Airport, cyber-security firm ESET said today.\r\nThe hacks took place last month, in March, according to a data breach notification [PDF] posted on the airport's\r\nwebsite.\r\nThe attacks targeted SFOConnect.com, a website used by airport employees, and SFOConstruction.com, a portal\r\nused by airport construction contractors.\r\nAccording to San Francisco airport officials, hackers breached both websites and planted code that exploited an\r\nInternet Explorer bug to steal login credentials.\r\nBut in a series of tweets today, ESET said that \"the targeted information was NOT the visitor's credentials to the\r\ncompromised websites, but rather the visitor's own Windows credentials.\"\r\n\"The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature\r\nand the file:// prefix,\" the ESET research team said.\r\nNTLM hashes can be cracked to obtain a cleartext version of a user's Windows password. If the hackers had\r\naccess to the airport's internal network, they could have used credentials obtained from airport employees to\r\nspread laterally through the airport's internal network to conduct reconnaissance, data theft, or sabotage.\r\nESET links hack to Energetic Bear\r\nESET said the attack was carried out by a threat actor known as Energetic Bear (also known as DragonFly). The\r\ngroup has been active since 2010 and is believed to be operating on behalf of the Russian government.\r\nThe group is one of Russia's most active state-sponsored entities. 
Over the past decade, Energetic Bear hackers\r\nhave been behind a widespread hacking campaign that targeted organizations all over the world.\r\nThe group's primary targets have been organizations in the energy sector -- hence its name of Energetic Bear --\r\nprimarily those located in the Middle East, Turkey, and the US.\r\nHowever, Energetic Bear has also recently begun targeting other types of organizations as well, including\r\ncompanies in the aerospace and the aviation sector, according to a report published by Kaspersky in April 2018,\r\nand an alert sent at the time by the US Department of Homeland Security.\r\nIn fact, the same Kaspersky report details a series of watering hole attacks carried out by Energetic Bear that used\r\nthe same \"file:// prefix\" trick to obtain NTLM hashes from users visiting a compromised website.\r\nhttps://www.zdnet.com/article/russian-state-hackers-behind-san-francisco-airport-hack/\r\nPage 1 of 2\n\nThe recently reported breach of #SFO airport websites is in line with the TTPs of an APT\r\ngroup known as Dragonfly/Energetic Bear. The intent was to collect Windows credentials\r\n(username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix\r\n#ESETresearch 1/2 pic.twitter.com/pDZMdb49lb\r\n— ESET research (@ESETresearch) April 14, 2020\r\n\"This technique has been used for years by Energetic Bear/DragonFly,\" Matthieu Faou, malware researcher at\r\nESET, told ZDNet in an interview today.\r\nWe also asked Faou to expand on the company's tweets and inquired if this hack is part of a new campaign aimed\r\nat the US aviation sector.\r\n\"We don't have any information about the compromise of another airport website,\" Faou told us. 
\"According to\r\nESET telemetry, the other websites that were recently compromised are mainly media websites in Eastern\r\nEurope.\"\r\nSan Francisco airport reset all employee passwords\r\nFaou said that when they detected the technique being used in the wild again, they \"reported it immediately to the\r\nSFO airport team\" who \"quickly removed the malicious piece of code from their website.\"\r\nAirport officials then followed through by forcing password resets for \"all SFO related email and network\r\npasswords on Monday, March 23, 2020.\"\r\nThe password reset is enough to prevent hackers from using the stolen NTLM hashes for any future intrusions.\r\nHowever, the two websites were also used by other users who were not airport employees. Through its public\r\nsecurity breach announcement, the San Francisco airport is now urging users who recently visited the site to take\r\nsimilar actions and reset their Windows passwords.\r\nSource: https://www.zdnet.com/article/russian-state-hackers-behind-san-francisco-airport-hack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/russian-state-hackers-behind-san-francisco-airport-hack/"
	],
	"report_names": [
		"russian-state-hackers-behind-san-francisco-airport-hack"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439044,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/195d82e804434676708a51353dbe24d2729cae95.pdf",
		"text": "https://archive.orkl.eu/195d82e804434676708a51353dbe24d2729cae95.txt",
		"img": "https://archive.orkl.eu/195d82e804434676708a51353dbe24d2729cae95.jpg"
	}
}