The FBI has issued a public advisory warning about a rising wave of cyberattacks targeting the airline sector: The notorious hacking group known as Scattered Spider is expanding its focus beyond its previous victims in retail and insurance. These attackers, the agency said, are increasingly using social engineering tactics to manipulate IT help desks to grant unauthorized access to internal systems.
According to the FBI, the hackers often convince help desk staff to bypass multi-factor authentication (MFA) protections by registering rogue MFA devices on compromised accounts. Once inside, the hackers move quickly — stealing data, demanding ransom, and in some cases, deploying ransomware to cripple operations.
Cybersecurity experts say the group’s success is tied to its deep understanding of human behavior within corporate systems. “This group is carrying out serious attacks on our critical infrastructure,” said John Hultquist, chief analyst at Google’s threat intelligence group, in a report by WIRED. “They have identified a major gap in our security systems that they’re successfully taking advantage of.”
Airlines under attack
The warning from the FBI comes as several airlines have reported cyber incidents. In recent weeks, WestJet and Hawaiian Airlines acknowledged breaches. Australian carrier Qantas confirmed a cyberattack, though it did not immediately link the incident to Scattered Spider.
Sam Rubin of Palo Alto Networks’ Unit 42 raised the alarm on LinkedIn, urging aviation firms to be on “high alert” for fake MFA reset requests and impersonation attempts.
Google’s Mandiant added its voice to the concern, as reported by Reuters, stating that it has seen “multiple incidents in the airline and transportation verticals” that resemble Scattered Spider’s approach. “We recommend that the industry immediately take steps to tighten up their help desk identity verification processes,” said Charles Carmakal, chief technology officer at Mandiant.
A fluid, elusive collective
Scattered Spider, which has been linked with aliases including UNC3944, Muddled Libra, and Octo Tempest, has been tracked attacking multiple sectors in waves. Previously, the hackers hit telecom providers, financial services, and retailers, often using similar techniques to gain access, exfiltrate data, and demand ransoms.
A recent ReliaQuest report detailed a breach involving the chief financial officer of an unnamed company. The attackers gathered personal details of the CFO and convinced the IT help desk to reset credentials and MFA devices. With full access, the hackers infiltrated systems including SharePoint, Horizon Virtual Desktop, and VMware, stole sensitive data, and eventually disabled firewalls in a desperate scorched-earth attempt after detection.
Scattered Spider is believed to be part of a broader underground community known as “the Com,” which includes other groups like LAPSUS$. The gang is mostly made up of English-speaking teenagers and young adults, operating from platforms like Discord and Telegram, sharing tactics and “wins” with peers.
“This group evolved in the Discord and Telegram communication platforms, drawing in members from diverse backgrounds and interests,” said Unit 42, Palo Alto Networks’ threat intelligence team.
The loose-knit structure makes the group difficult to dismantle, and its rapid learning curve and collaborative nature only make it more dangerous.
Tips for protecting your organization
Experts agree that defending against Scattered Spider starts with shoring up identity verification procedures, especially at the help desk level.
Google Cloud’s Mandiant team recommends:
- Verifying identities thoroughly before approving any changes to MFA devices or credentials.
- Training IT teams to spot real-world social engineering tactics.
- Segregating identities throughout the infrastructure.
- Reinforcing strong authentication criteria.
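The first recommendation above, verifying identity before any MFA or credential change, can also be checked after the fact: the pattern the FBI describes (a help-desk reset followed minutes later by a new MFA device on the same account) is visible in identity-provider audit logs. The following is an added example, not code from TechRepublic, Mandiant, or any vendor; the log schema (field names such as `event`, `user`, `actor`, `verified`, `src_ip`) and the sample events are constructed for illustration, and the one-hour window is an assumed tuning value.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events in an assumed identity-provider log schema.
# Field names are assumptions for this example, not any vendor's real schema.
# "verified" records whether the help-desk agent completed an out-of-band
# identity check (callback to a known number, manager approval) before resetting.
SAMPLE_LOG = """
{"ts": "2025-06-27T13:02:10Z", "event": "helpdesk.password_reset", "user": "cfo@example.test", "actor": "helpdesk-agent-7", "verified": false}
{"ts": "2025-06-27T13:04:41Z", "event": "mfa.method_registered", "user": "cfo@example.test", "method": "authenticator_app", "src_ip": "198.51.100.23"}
{"ts": "2025-06-27T13:05:30Z", "event": "login.success", "user": "cfo@example.test", "src_ip": "198.51.100.23"}
{"ts": "2025-06-27T09:15:00Z", "event": "helpdesk.password_reset", "user": "ops@example.test", "actor": "helpdesk-agent-2", "verified": true}
{"ts": "2025-06-27T09:20:12Z", "event": "mfa.method_registered", "user": "ops@example.test", "method": "fido2", "src_ip": "203.0.113.8"}
{"ts": "2025-06-27T11:00:00Z", "event": "mfa.method_registered", "user": "eng@example.test", "method": "sms", "src_ip": "203.0.113.9"}
"""

# Assumed detection window: an enrollment this soon after an unverified reset is suspicious.
WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse newline-delimited JSON audit events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_mfa_enrollments(events, window=WINDOW):
    """Return one alert per MFA method registration that follows a help-desk
    credential reset on the same account within `window`, where the reset was
    not recorded as identity-verified. A verified reset followed by enrollment
    is the expected recovery flow and is not flagged."""
    last_reset = {}  # user -> most recent help-desk reset event
    alerts = []
    for e in events:
        if e["event"] == "helpdesk.password_reset":
            last_reset[e["user"]] = e
        elif e["event"] == "mfa.method_registered":
            reset = last_reset.get(e["user"])
            if reset is None:
                continue  # enrollment with no preceding help-desk reset: out of scope here
            gap = e["ts"] - reset["ts"]
            if gap <= window and not reset.get("verified", False):
                alerts.append({
                    "user": e["user"],
                    "reset_by": reset["actor"],
                    "minutes_after_reset": round(gap.total_seconds() / 60, 1),
                    "method": e["method"],
                    "src_ip": e.get("src_ip"),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_enrollments(parse_events(SAMPLE_LOG)):
        print("ALERT unverified reset followed by MFA enrollment:", alert)
```

Run as written, the check flags only the `cfo@example.test` account, whose reset was logged without an identity check and was followed by a new authenticator app about 2.5 minutes later; the `ops@example.test` reset was verified, so its FIDO2 enrollment passes. In a real deployment the `verified` flag would come from the help-desk ticketing system, and the alert should trigger a callback to the user through a pre-registered channel and a hold on the new MFA method until that callback succeeds.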
Organizations that suspect they’ve been targeted are urged to report incidents early. “Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise,” the Bureau emphasized in its alert.
Read TechRepublic’s guide on how to protect against cyber threats before they hit.