FBI warns of Scattered Spider cyberattacks targeting airline industry

The US Federal Bureau of Investigation (FBI) has issued a public warning about a hacking group known as Scattered Spider, which has recently expanded its cyberattack operations to include targets in the airline industry.

In a statement posted on X, the FBI said it is actively coordinating with aviation stakeholders and industry partners to counter the group’s activities and assist affected organizations. The group relies on advanced social engineering tactics, often impersonating employees or contractors to trick IT help desks into granting unauthorized access, frequently by bypassing multi-factor authentication (MFA) protections.

“These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts. They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,” the FBI noted.

Scattered Spider, also known as Muddled Libra or UNC3944, has been linked to high-profile breaches in the past, including the 2023 attacks on MGM Resorts and Caesars Entertainment. The group is believed to be part of a broader, loosely organized cybercrime collective called “the Com,” which includes gangs like LAPSUS$. Scattered Spider is believed to be composed, at least in part, of young threat actors based in Western countries.

Executives from cybersecurity units at Palo Alto Networks and Google-owned Mandiant have both confirmed the group’s increased focus on the aviation and transportation sectors, without naming specific airlines. Recently, Hawaiian Airlines and Canada’s WestJet have suffered cyber incidents. In WestJet’s case, the attack disrupted access to its mobile app and some internal systems, affecting an undisclosed number of users. Hawaiian Airlines wrote in an SEC filing that it “identified a cybersecurity incident affecting certain information technology systems” and that “flights are currently operating safely and as scheduled.”

A recent report from cybersecurity firm ReliaQuest described a targeted attack last month in which the group impersonated a company’s chief financial officer (CFO), using detailed personal information to convince help desk staff to reset credentials and MFA settings.

