Current Cyber Threats

Scattered Spider Hackers Shift Focus to Aviation, Transportation Firms

Summary:
Hackers associated with "Scattered Spider" have expanded from targeting the insurance and retail sectors to attacking aviation and transportation companies in North America. Previously, the group focused on retail companies such as M&S and Co-op in the UK and US before shifting to insurance firms, including Aflac, Erie Insurance, and Philadelphia Insurance Companies, where they leveraged social engineering and identity attacks to gain access to corporate networks.

On June 12, Canada’s second-largest airline, WestJet, suffered a cyberattack attributed to Scattered Spider. The attackers reportedly gained access by performing a self-service password reset for an employee, registering their own MFA, and accessing the network through Citrix. This aligns with the group's well-known tactics of targeting help desks and MFA infrastructure to bypass defenses. Following the breach, Palo Alto Networks and Microsoft assisted in the response efforts.

Shortly after, Hawaiian Airlines disclosed it had also been attacked, with sources indicating Scattered Spider was likely responsible, although the airline did not officially confirm the attribution. Currently, American Airlines is facing an IT outage, but it remains unclear if this is related to Scattered Spider activity.

Security Officer Comments:
Experts from Palo Alto Networks’ Unit 42 and Mandiant (Google Cloud) have confirmed that Scattered Spider has shifted focus to the aviation and transportation sectors, with Mandiant urging organizations to tighten identity verification processes, protect self-service password reset platforms, and limit help desk actions that can facilitate unauthorized MFA changes. Organizations are also advised to monitor for suspicious MFA reset requests, new device registrations, and identity-related changes that could signal intrusion attempts. Scattered Spider, also tracked as UNC3944, 0ktapus, and Octo Tempest, is not a single group but a loose network of young, English-speaking threat actors using overlapping tactics including phishing, SIM swapping, MFA fatigue attacks, and real-time social engineering via help desks to compromise large organizations. They often frequent Telegram channels, hacker forums, and Discord servers to coordinate attacks and have a history of partnering with Russian-speaking ransomware groups such as BlackCat, RansomHub, Qilin, and DragonForce for extortion operations.


Suggested Corrections:
To defend against these threats, Google Threat Intelligence Group and Palo Alto Networks recommend organizations secure identity and MFA platforms, implement strict help desk protocols, ensure logging and monitoring of identity-related activities, and provide user training to recognize social engineering attempts. Given Scattered Spider’s expanding focus on critical sectors, the aviation and transportation industries are urged to adopt these mitigation steps promptly to reduce the risk of compromise and operational disruptions.
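The monitoring advice above (watch for suspicious self-service password resets, new MFA device registrations, and identity changes that precede remote access) can be turned into a simple correlation rule. The following is an added example for illustration, not code from the article or from Google Threat Intelligence Group, Palo Alto Networks, or Mandiant; the event names (`sspr.password_reset`, `mfa.device_registered`, `remote.login`) are a hypothetical normalized schema, and the log lines are constructed. It flags any user whose password reset is followed within one hour by a new MFA registration (HIGH), and escalates when a remote-access login also follows in that window (CRITICAL), which is the chain described for the WestJet intrusion.

```python
"""Correlate identity events for the reset -> new MFA -> remote login chain.

Added illustrative example. Event names are a hypothetical normalized schema,
not any vendor's log format; the sample log below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity log: (timestamp, user, event, detail)
SAMPLE_EVENTS = [
    ("2025-06-12T08:01:00", "j.doe", "sspr.password_reset", "self-service portal"),
    ("2025-06-12T08:04:30", "j.doe", "mfa.device_registered", "authenticator app (new)"),
    ("2025-06-12T08:09:10", "j.doe", "remote.login", "citrix gateway, ip=203.0.113.50"),
    # Reset followed by a login hours later with no MFA change: benign pattern
    ("2025-06-12T09:15:00", "a.smith", "sspr.password_reset", "self-service portal"),
    ("2025-06-12T13:40:00", "a.smith", "remote.login", "citrix gateway, ip=198.51.100.7"),
    # MFA device change alone, no preceding reset: not part of the chain
    ("2025-06-12T10:00:00", "k.lee", "mfa.device_registered", "hardware token (replacement)"),
    # Reset plus new MFA device, no remote login yet: worth a help desk call-back
    ("2025-06-12T11:00:00", "m.chen", "sspr.password_reset", "help desk assisted"),
    ("2025-06-12T11:20:00", "m.chen", "mfa.device_registered", "authenticator app (new)"),
]

# Correlation window between the password reset and the later events
WINDOW = timedelta(minutes=60)


def parse(events):
    """Convert ISO timestamps to datetime and sort chronologically."""
    parsed = [(datetime.fromisoformat(t), u, e, d) for t, u, e, d in events]
    return sorted(parsed)


def detect_reset_chain(events, window=WINDOW):
    """Return one alert per (user, reset) where the reset is followed within
    `window` by a new MFA device registration. Severity is HIGH for
    reset -> MFA, CRITICAL when a remote login also follows the MFA change
    inside the window."""
    by_user = defaultdict(list)
    for ts, user, event, detail in parse(events):
        by_user[user].append((ts, event, detail))

    alerts = []
    for user, evs in by_user.items():
        for i, (t_reset, event, _) in enumerate(evs):
            if event != "sspr.password_reset":
                continue
            later = evs[i + 1:]
            mfa = [(t, d) for t, e, d in later
                   if e == "mfa.device_registered" and t - t_reset <= window]
            if not mfa:
                continue  # reset without an MFA change is not this pattern
            t_mfa, mfa_detail = mfa[0]
            logins = [(t, d) for t, e, d in later
                      if e == "remote.login" and t >= t_mfa and t - t_reset <= window]
            alerts.append({
                "user": user,
                "severity": "CRITICAL" if logins else "HIGH",
                "reset_at": t_reset.isoformat(),
                "mfa_at": t_mfa.isoformat(),
                "mfa_detail": mfa_detail,
                "login": logins[0][1] if logins else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_chain(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['user']}: reset {alert['reset_at']}, "
              f"new MFA {alert['mfa_at']} ({alert['mfa_detail']}), login={alert['login']}")
```

In practice the same rule runs against the identity provider's audit stream, and the HIGH alerts are the ones a help desk verification call-back can confirm or clear before the account is used for remote access.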

Link(s):
https://www.bleepingcomputer.com/ne...shift-focus-to-aviation-transportation-firms/