FBI and cybersecurity firms warn airlines of Scattered Spider attacks

The FBI and major cybersecurity firms are warning that Scattered Spider, a well-known hacking group, is now targeting the airline and transportation sectors.

The FBI said it had recently observed activity consistent with Scattered Spider attacks aimed at the airline industry. Security analysts from Google’s Mandiant and Palo Alto Networks’ Unit 42 confirmed similar observations.

Scattered Spider is composed mainly of English-speaking individuals—often teenagers or young adults—motivated by financial gain.

Their tactics include phishing, social engineering, and direct threats to company staff to gain internal access. In several cases, the group has deployed ransomware after breaching networks.

In a statement shared with TechCrunch, the FBI noted that the group often goes after large corporations as well as their third-party IT providers. This places not only airlines but also vendors and contractors within the sector at risk.

At least two airlines have reported security incidents this month.

  • Hawaiian Airlines disclosed Thursday that it is working to secure its systems following a cyberattack.
  • WestJet, Canada’s second-largest airline, confirmed an ongoing breach first reported on June 13. Several media outlets have linked the WestJet incident to Scattered Spider.

This recent activity follows a string of attacks by the same group on U.K. retailers and the insurance sector. In the past, Scattered Spider has breached hotel chains, casinos, and major tech firms.

Security officials are urging aviation companies to review their defenses and remain alert to evolving threats.

Scattered Spider, also referred to as UNC3944, is a hacking group mostly made up of teens and young adults believed to live in the United States and the United Kingdom.

The group gained notoriety for their involvement in the hacking and extortion of Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States.

Scattered Spider has also targeted Visa, Marks & Spencer, PNC Financial Services Group Inc., Transamerica, New York Life Insurance Co., Synchrony Financial, Truist Bank, and Twilio.

Members of Scattered Spider have been connected with the hacks against Snowflake cloud storage customers in the US. More recently, members of Scattered Spider have been connected with the hacks against Qantas, the flag carrier of Australia.

The name most commonly used in press releases and by journalists is Scattered Spider, though the group has been tracked under many other names, including Star Fraud, Octo Tempest, Scatter Swine, and Muddled Libra.

Scattered Spider is a component of a larger global hacking community, known as “the Community” or “the Com”, whose members have hacked major American technology companies.

Scattered Spider is believed to have been founded in May 2022, when the group was focused on attacks on telecommunications firms. The group utilized SIM swap scams, multi-factor authentication fatigue attacks, and phishing by SMS and Telegram.

The group typically exploited the security bug CVE-2015-2291, a cybersecurity issue in Windows’ anti-DoS software, to terminate security software, allowing the group to evade detection.

The group is believed to have a deep understanding of Microsoft Azure and the ability to conduct reconnaissance in cloud computing platforms powered by Google Workspace and AWS, and it uses legitimately developed remote-access tools.