The notorious cybercriminal group known as Scattered Spider, also identified as UNC3944 or Muddled Libra, has reportedly initiated a fresh wave of attacks targeting the global aviation sector. Cybersecurity firms, including Google’s Mandiant and Palo Alto Networks’ Unit 42, have issued urgent warnings, highlighting a significant shift in the group’s focus from previously targeted industries like retail and insurance.
The new campaign has already seen major airlines affected, with Hawaiian Airlines and Canada’s WestJet recently disclosing cyber incidents. While neither airline has officially attributed the attacks to Scattered Spider, cybersecurity experts note that the tactics, techniques, and procedures (TTPs) employed bear the hallmarks of the sophisticated threat group. Hawaiian Airlines reported a cybersecurity incident on June 23, affecting some of its IT systems, though operations and flights remained safe. Similarly, WestJet experienced intermittent disruptions to its website and mobile application earlier this month.
Scattered Spider is particularly known for its prowess in social engineering. The group frequently manipulates individuals, often impersonating employees or contractors, to trick IT help desks into granting unauthorized access to systems or resetting multi-factor authentication (MFA) credentials. This method allows them to bypass robust technical defenses, exploiting the “human element” in cybersecurity. Experts warn that the aviation industry’s reliance on real-time operations and the criticality of its systems make it a highly attractive target for such attacks, which could lead to severe disruptions, data theft, and even impact passenger safety.
The FBI has also weighed in, stating they are actively working with aviation and industry partners to address this escalating threat. The bureau emphasized that any entity within the airline ecosystem, including trusted vendors and contractors, could be at risk. Once inside a network, Scattered Spider aims to exfiltrate sensitive data for extortion and often deploys ransomware, a tactic that caused significant disruptions to companies like MGM Resorts and Caesars Entertainment in 2023.
Cybersecurity professionals are urging airlines and related aviation companies to immediately strengthen their defenses. Key recommendations include enhancing identity verification processes for help desk staff, implementing phishing-resistant MFA, and conducting rigorous employee training to identify and report social engineering attempts. The coordinated nature of these recent attacks across multiple airlines suggests a strategic pivot by Scattered Spider, making proactive and collaborative security measures paramount for the aviation industry to mitigate this evolving threat.
