The FBI has issued a public advisory regarding an increase in cyberattacks targeting the airline sector, with the hacking group Scattered Spider utilizing social engineering to manipulate IT help desks for unauthorized system access.
According to the FBI, Scattered Spider frequently convinces help desk personnel to bypass multi-factor authentication (MFA) protections by registering unauthorized MFA devices on compromised accounts. Once access is gained, the hackers proceed to steal data, demand ransom payments, and in some instances, deploy ransomware to incapacitate operations. Cybersecurity experts attribute the group’s success to its detailed understanding of human behavior within corporate systems. John Hultquist, chief analyst at Google’s threat intelligence group, stated in a WIRED report, “This group is carrying out serious attacks on our critical infrastructure. They have identified a major gap in our security systems that they’re successfully taking advantage of.”
This FBI warning follows multiple cyber incidents reported by airlines. Recently, WestJet and Hawaiian Airlines disclosed breaches. Australian carrier Qantas also confirmed a cyberattack, though a direct link to Scattered Spider was not immediately established. Sam Rubin of Palo Alto Networks’ Unit 42 advised aviation firms on LinkedIn to maintain “high alert” for fraudulent MFA reset requests and impersonation attempts. Google’s Mandiant, as reported by Reuters, has observed “multiple incidents in the airline and transportation verticals” that exhibit similarities to Scattered Spider’s methodology. Charles Carmakal, chief technology officer at Mandiant, recommended that the industry “immediately take steps to tighten up their help desk identity verification processes.”
Law enforcement faces challenges with iPhones’ automatic rebooting
Scattered Spider, also known by aliases including UNC3944, Muddled Libra, and Octo Tempest, has previously attacked multiple sectors. The group has targeted telecom providers, financial services, and retailers, often employing consistent techniques to gain access, exfiltrate data, and demand ransoms. A recent ReliaQuest report detailed a breach involving the chief financial officer of an unnamed company where attackers gathered personal details of the CFO and then manipulated the IT help desk into resetting credentials and MFA devices. With full access, the hackers infiltrated systems including SharePoint, Horizon Virtual Desktop, and VMware, exfiltrated sensitive data, and subsequently disabled firewalls after detection.
Scattered Spider is considered part of a broader underground community referred to as “the Com,” which includes groups such as LAPSUS$. The collective is primarily composed of English-speaking teenagers and young adults who operate from platforms like Discord and Telegram, using these channels to share tactics and successes with peers. Unit 42, Palo Alto Networks’ threat intelligence team, noted, “This group evolved in the Discord and Telegram communication platforms, drawing in members from diverse backgrounds and interests.” The group’s decentralized structure complicates efforts to dismantle it, and its rapid learning curve combined with its collaborative nature contributes to its increased threat level.
Organizations suspecting a targeting incident are encouraged to report it promptly. The FBI emphasized in its alert that “Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise.”
