"Scattered Spider" Attacks Are Targeting IT Help Desks: What Steps Can Your Organization Take?

The FBI has recently identified the cybercriminal group known as Scattered Spider as responsible for a series of cyberattacks targeting airlines in the United States and Canada during June 2025.

This group, composed of young hackers, is notorious for its aggressive tactics aimed at extorting or embarrassing its victims. The attacks come at a particularly sensitive time for the travel industry, which has already been under pressure as one of the major business sectors affected by cybercrime in recent months, following similar incidents in the insurance and retail sectors.

According to the FBI, Scattered Spider does not limit its focus to airlines alone but also targets their IT contractors, meaning that any entity within the airline ecosystem, including trusted vendors, could be vulnerable.

Once they gain access to a network, the hackers typically steal sensitive data for extortion and often deploy ransomware. The FBI has stated that it is actively collaborating with aviation industry partners to address the threat and support affected organizations.

Notably, Hawaiian Airlines and Canada's WestJet have both confirmed that they are assessing the impact of recent cyberattacks, though neither airline publicly named Scattered Spider as the perpetrator. Despite these breaches, both airlines reported that their operations and flight safety remained unaffected.

The group is known for using social engineering techniques, such as impersonating employees or contractors to deceive IT help desks and bypass security measures like multi-factor authentication.

Scattered Spider's previous high-profile attacks include multi-million-dollar hacks on major Las Vegas casinos in 2023, and they are known for focusing on one sector at a time for sustained periods. Industry experts and authorities warn that more victims within the aviation sector may yet come forward as investigations continue.

Source: https://economictimes.indiatimes.com/news/international/us/cybercriminal-group-scattered-spider-targets-us-and-canadian-airlines-in-flurry-of-cyberattacks/articleshow/122138215.cms?from=mdr

Commentary

One of Scattered Spider's methods is to "impersonate employees or contractors to deceive IT help desks and bypass security measures like multi-factor authentication". This is considered a sophisticated form of social engineering because it requires voice-to-voice interaction.

For example, an attacker might call a company's IT help desk, pretend to be a legitimate employee who has lost access to their account, and request that a new phone number or device be added to the account's MFA settings. If the help desk does not rigorously verify the caller's identity, they may comply, inadvertently giving the attacker the ability to reset passwords or approve login attempts, thus bypassing MFA protections. This tactic has been observed in recent attacks on airlines and other sectors, where attackers used such methods to gain initial access, steal sensitive data, and sometimes deploy ransomware.

Organizations can mitigate these risks by strengthening their help desk identity verification processes. This includes requiring multiple forms of verification before making changes to MFA settings or account recovery information, training staff to recognize and escalate suspicious requests, and monitoring for unusual MFA reset activity.

Security experts also recommend implementing technical controls such as restricting the ability to add new MFA devices without in-person or secondary approval, using phishing-resistant MFA methods, and regularly reviewing access logs for signs of compromise.
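
The monitoring for unusual MFA reset activity and the access-log review recommended above can be partly automated. The following is an added example, not code from the article or its sources: it flags MFA enrollments made on a user's behalf that lack secondary approval or are followed shortly by a password reset or a login from a previously unseen IP address. The event format, field names and sample records are constructed assumptions, not any vendor's schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2025-06-20T09:00:00", "type": "login", "user": "alice", "actor": "alice", "ip": "10.0.0.5"},
    {"ts": "2025-06-24T14:02:00", "type": "mfa_enroll", "user": "alice", "actor": "helpdesk1", "approved_by": None},
    {"ts": "2025-06-24T14:05:00", "type": "password_reset", "user": "alice", "actor": "helpdesk1"},
    {"ts": "2025-06-24T14:09:00", "type": "login", "user": "alice", "actor": "alice", "ip": "203.0.113.7"},
    {"ts": "2025-06-25T10:00:00", "type": "mfa_enroll", "user": "bob", "actor": "helpdesk2", "approved_by": "manager7"},
    {"ts": "2025-06-25T10:20:00", "type": "login", "user": "bob", "actor": "bob", "ip": "10.0.0.9"},
    {"ts": "2025-06-19T08:00:00", "type": "login", "user": "bob", "actor": "bob", "ip": "10.0.0.9"},
]

def flag_risky_mfa_changes(events, window=timedelta(hours=1)):
    """Return one alert per MFA enrollment made on a user's behalf that lacks
    secondary approval or is followed by a reset/new-IP login within `window`."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO 8601 strings sort chronologically
    seen_ips = {}   # user -> IPs observed before the current event
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] == "login":
            seen_ips.setdefault(ev["user"], set()).add(ev["ip"])
            continue
        if ev["type"] != "mfa_enroll" or ev["actor"] == ev["user"]:
            continue  # only enrollments performed by someone else (e.g. help desk)
        start = datetime.fromisoformat(ev["ts"])
        reasons = []
        if not ev.get("approved_by"):
            reasons.append("no secondary approval")
        known = seen_ips.get(ev["user"], set())
        for later in events[i + 1:]:
            if later["user"] != ev["user"]:
                continue
            if datetime.fromisoformat(later["ts"]) - start > window:
                break
            if later["type"] == "password_reset":
                reasons.append("password reset after enrollment")
            elif later["type"] == "login" and later["ip"] not in known:
                reasons.append(f"login from new IP {later['ip']}")
        if reasons:
            alerts.append({"user": ev["user"], "actor": ev["actor"], "ts": ev["ts"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in flag_risky_mfa_changes(EVENTS):
        print(alert)
```

In the sample data only the enrollment on alice's account is flagged; the approved enrollment for bob, followed by a login from an address already seen for him, produces no alert.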

Proactive threat intelligence, such as monitoring for phishing domains that mimic company login portals, can also help detect and block attacks before they succeed.

Additional Sources: https://industrialcyber.co/transport/fbi-raises-alarm-over-scattered-spider-targeting-airline-sector-with-social-engineering-schemes/; https://www.infosecurity-magazine.com/news/scattered-spider-phishing-domains/; https://www.darkreading.com/cyberattacks-data-breaches/scattered-spider-hacking-spree-airline-sector; https://x.com/FBI/status/1938746767031574565
