Two San Francisco Airport (SFO) websites were discovered compromised in March.  The sites were and, contain information on various airport-related topics but enjoy low traffic.  The hackers injected code designed to steal visitor’s Windows login credentials.

The compromise carries the marks of the Russia-based advanced persistent threat (APT) actor tracked as Dragonfly/Energetic Bear.  The intent of this attack was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix.

Older versions of Internet Explorer will likely fall victim to the credential theft attempts of this malicious software.  Modern browsers are more likely to protect against such attacks.

What to do?

Ensure your anti-virus software and internet browsers are up to date and active.

What can you do to when this happens to you?

Take down the web site effected.  Promptly reset all related email and network passwords.