After hopping from UK retail to US retail to US insurance firms, the hacking group “Scattered Spider” appears to have switched industries once again. The FBI is advising that North American airlines should be on alert for cyber attacks, as well as their assorted vendors and contractors.
Since it re-emerged several months ago, Scattered Spider has been keeping to its typical pattern of attacking particular industries and regions for several weeks at a time before moving on. The first known successful cyber attack on one of these airlines was on June 13, meaning that the group will likely stick to its current pattern until at least mid-July and possibly a little longer if it continues to find success in penetrating systems.
Scattered Spider continues to weave the same web
For the time being, the FBI is warning the entirety of the airline industry (and its supporting vendors) to be on the lookout for the usual Scattered Spider approach of calling up help desks and trying to convince support staff to reset an employee's password for them. After rampaging through 2023 with numerous high-profile attacks, the group went quiet in 2024 after a series of arrests of key figures, but it reformed several months ago and began a new campaign. It started out grabbing headlines by compromising several of the UK's biggest retailers, but has had more limited success in the sequence of industries it has targeted since.
That pattern seems to be holding with the airlines, at least initially. The two airlines that were compromised, Hawaiian Airlines and WestJet, are both reporting no serious business disruption and did not delay or cancel any flights after their cyber attacks. WestJet had a short period of downtime for its website and mobile app just after its attack, the initial one recorded on June 13, but bounced back fairly quickly. It is unclear whether Scattered Spider stole any data during these compromises, but it would at least seem that its ransomware had limited effect.
This may be because the group has not yet shown any major updates to the tactics it has been employing since 2023, aside from switching ransomware providers. It relies on UK and US residents who speak English fluently to do its social engineering, which greatly helped it blindside help desks two years ago. The group's playbook is now well documented, however, and preparedness appears to have improved.
Scattered Spider cyber attacks still pose substantial risk, despite lower rate of success
Though it does not appear at this point that the group will be replicating the scope of its monstrous 2023 campaign, organizations should still be wary. The group has reportedly adopted a more “fluid” posture in which participants in its cyber attacks come and go, and the arrests needed to knock it out for good may well now be much more difficult to make. It remains arguably the most sophisticated group of criminals in terms of social engineering and pulling off SIM swaps, and is more than capable of updating its tactics with creative new measures if results begin to flag.
Some security researchers are pointing to evidence that this may already be happening, noting that the WestJet attack involved exploitation of a backend API to gain access (an approach that many other advanced criminal groups often employ). Though its usual tactic is to look up employees on LinkedIn and proceed with social engineering from there, it has never stuck strictly to that approach. Prior 2023 cyber attacks also saw it deploy "authentication fatigue" attacks, in which a target is bombarded with multi-factor push prompts until they approve one simply to make the notifications stop, as well as initial phishing of targets by both text message and Telegram.
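As an added example (not code from the article, the FBI, or any airline or identity vendor), the following Python sketch shows one way a security operations team might flag the "authentication fatigue" pattern in identity-provider push logs: a burst of push prompts to one user inside a short window, escalated when one is finally approved. The log format, the event names, the thresholds and the sample lines are all constructed assumptions for illustration; a real detection would read the equivalent fields from whatever the identity provider actually emits.

```python
"""Detect MFA push-fatigue ("push bombing") bursts in authentication logs.

Constructed example: the log format below is a hypothetical
"timestamp user event src_ip" line format, not any vendor's real output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. alice is being bombed and finally approves;
# bob is a normal login; carol has two prompts far enough apart to be benign.
SAMPLE_LOG = """\
2025-06-13T02:10:05Z alice push_sent 203.0.113.7
2025-06-13T02:10:35Z alice push_timeout 203.0.113.7
2025-06-13T02:10:40Z alice push_sent 203.0.113.7
2025-06-13T02:11:02Z alice push_denied 203.0.113.7
2025-06-13T02:11:10Z alice push_sent 203.0.113.7
2025-06-13T02:11:31Z alice push_denied 203.0.113.7
2025-06-13T02:11:45Z alice push_sent 203.0.113.7
2025-06-13T02:12:20Z alice push_sent 203.0.113.7
2025-06-13T02:12:33Z alice push_approved 203.0.113.7
2025-06-13T08:00:00Z bob push_sent 198.51.100.2
2025-06-13T08:00:09Z bob push_approved 198.51.100.2
2025-06-13T09:30:00Z carol push_sent 192.0.2.9
2025-06-13T09:30:40Z carol push_timeout 192.0.2.9
2025-06-13T09:45:00Z carol push_sent 192.0.2.9
2025-06-13T09:45:08Z carol push_approved 192.0.2.9
"""

# Assumed tuning: four or more prompts to one user inside five minutes is a burst.
PROMPT_THRESHOLD = 4
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one hypothetical log line into (timestamp, user, event, src_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_fatigue(log_text, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return one alert per user whose push prompts form a burst.

    A burst is `threshold` or more push_sent events within `window`. The alert
    is 'critical' if an approval lands between the burst start and `window`
    after the burst end, because that is the moment the attacker gets in;
    otherwise 'high', since the bombing itself already indicates a stolen
    password being tested against MFA.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event, ip = parse_line(line)
            events[user].append((ts, event, ip))

    alerts = []
    for user, evs in events.items():
        evs.sort()
        sent = [ts for ts, ev, _ in evs if ev == "push_sent"]

        # Sliding window over prompt timestamps: find the first burst.
        burst = None
        start = 0
        for end in range(len(sent)):
            while sent[end] - sent[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = (sent[start], sent[end])
                break
        if burst is None:
            continue

        b_start, b_end = burst
        in_scope = [e for e in evs if b_start <= e[0] <= b_end + window]
        prompts = sum(1 for _, ev, _ in in_scope if ev == "push_sent")
        rejected = sum(1 for _, ev, _ in in_scope if ev in ("push_denied", "push_timeout"))
        approved = any(ev == "push_approved" for _, ev, _ in in_scope)
        alerts.append({
            "user": user,
            "window_start": b_start.isoformat(),
            "prompts": prompts,
            "rejected": rejected,
            "approved": approved,
            "severity": "critical" if approved else "high",
            "src_ips": sorted({ip for _, _, ip in in_scope}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

The threshold and window are the knobs worth tuning against your own baseline: legitimate users rarely receive more than one or two prompts a minute, so a low threshold over a short window catches bombing without flooding analysts. The "approved after a burst" escalation is the key signal; a denied burst still means the attacker holds a valid password and the account should be reset and the source IPs checked.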