A hacking collective known as Scattered Spider has recently expanded its focus toward North American airlines. The FBI and CISA have issued alerts linking the group to cyber incidents affecting internal systems and customer-facing services at multiple airlines. This activity reflects a pattern of shifting targets, moving from retail to insurance, and now to aviation and transportation.
In 2023, Scattered Spider gained notoriety for a series of cyberattacks against major Las Vegas casino operators. By exploiting help desk procedures and identity-based systems, they were able to infiltrate internal networks, disrupt operations, and demand ransom payments. One company was forced to shut down its systems for several days, while another reportedly paid a large sum to restore access and prevent further data exposure. These incidents underscored the group’s effectiveness in using social engineering to bypass multifactor authentication and gain unauthorized access.
Despite their coordinated tactics, Scattered Spider is not a single, centralized organization. Instead, it is a loosely connected network of cybercriminals who share tools, strategies, and communication channels. Members often operate independently but draw from common playbooks and collaborate informally through online forums and messaging platforms. This decentralized structure makes the group difficult to track and disrupt.
Recent incidents involving airlines follow similar patterns. In June, Canada’s second-largest airline experienced a cybersecurity breach that affected internal systems and mobile app functionality. Around the same time, a U.S.-based airline reported account access issues for some customers, prompting a reset of login credentials. Another carrier temporarily locked customer accounts over potential security concerns. While the airlines did not publicly confirm the source of the breaches, the FBI and CISA have warned that these events are consistent with Scattered Spider’s known tactics.
It is important to note that the cyberattacks have not compromised the safety of in-flight aircraft. The systems targeted are related to information technology and customer data, not navigation or flight control. The focus of these attacks remains on gaining access to sensitive information and using it for financial gain through extortion or data theft.
Scattered Spider’s methods typically involve impersonating employees or contractors to manipulate IT help desks. They often exploit self-service password reset tools and register their own devices for multifactor authentication, allowing them to bypass standard security measures. These tactics were used in both the casino breaches and the more recent airline incidents.
The FBI and CISA have urged companies in the aviation industry, as well as their third-party vendors, to strengthen internal protocols. This includes enhancing identity verification procedures, restricting changes to MFA settings, and securing help desk operations. Their guidance emphasizes the need for complete visibility across identity and access management systems.
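One way a defender could gain visibility into the pattern described above, shown as an added example that is not part of the original article or of the FBI and CISA guidance: it flags accounts where a new MFA device is registered shortly after a password reset. The event records, field names, action labels, and one-hour window are constructed assumptions, not any real identity provider's log format.

```python
from datetime import datetime, timedelta

# Constructed sample identity events; field names and labels are assumptions.
SAMPLE_EVENTS = [
    {"time": "2025-06-10T14:02:00", "user": "a.jones",
     "action": "password_reset", "actor": "helpdesk"},
    {"time": "2025-06-10T14:09:00", "user": "a.jones",
     "action": "mfa_device_registered", "actor": "a.jones"},
    {"time": "2025-06-10T09:00:00", "user": "b.smith",
     "action": "password_reset", "actor": "self_service"},
    {"time": "2025-06-12T11:30:00", "user": "b.smith",
     "action": "mfa_device_registered", "actor": "b.smith"},
    {"time": "2025-06-11T08:15:00", "user": "c.lee",
     "action": "mfa_device_registered", "actor": "c.lee"},
]

# Reset channels the article names as abused: help desk and self-service.
RESET_ACTORS = {"helpdesk", "self_service"}


def find_reset_then_enroll(events, window=timedelta(hours=1)):
    """Return one alert per MFA registration that follows a password
    reset for the same user within `window`."""
    last_reset = {}  # user -> (timestamp, reset channel)
    alerts = []
    # ISO 8601 strings in one format sort chronologically.
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["action"] == "password_reset" and ev["actor"] in RESET_ACTORS:
            last_reset[ev["user"]] = (ts, ev["actor"])
        elif ev["action"] == "mfa_device_registered":
            reset = last_reset.get(ev["user"])
            if reset and timedelta(0) <= ts - reset[0] <= window:
                alerts.append({
                    "user": ev["user"],
                    "reset_via": reset[1],
                    "minutes_after_reset": int((ts - reset[0]).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_enroll(SAMPLE_EVENTS):
        print(alert)
```

An alert from a check like this is a prompt for out-of-band verification with the account owner, since legitimate users also re-enroll devices after a reset.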
Although the threat from Scattered Spider is evolving, it remains focused on data access rather than physical disruption. Understanding the loose structure of these threat actors and the techniques they use is essential for developing effective defenses. By addressing the weaknesses commonly exploited in these attacks, organizations can better protect themselves against this type of persistent cyber threat.
—By Greg Collier