(Photo by Kevin Carter/Getty Image)
As summer travel ramps up, airlines face another problem beyond crowded terminals: A notorious hacking group has expanded its scope to target the aviation industry.
On Friday, cybersecurity experts warned that the cybergang Scattered Spider is focusing on airline and transportation providers, a day after Hawaiian Airlines disclosed it had experienced a cyberattack. Earlier this month, Canadian airline WestJet also reported a cyber incident.
Google’s cybersecurity unit, Mandiant, is “now aware of multiple incidents in the airline sector that resemble Scattered Spider,” said Mandiant’s chief analyst John Hultquist tweeted.
Scattered Spider grabbed headlines in 2023 for hacking MGM Resorts, which led to a major IT outage at the casino. US law enforcement later charged five suspects of the hacking group. But since then, the gang has returned, targeting retailers, insurance providers, and now airlines.
Scattered Spider has stood out from other cybercriminal groups because its members are native-English speakers. The gang also excels at using social engineering tactics, such as posing as help support staff, to trick employees at victim companies into handing over access to passwords or installing remote access software on their computers. The goal is to steal confidential data and install ransomware to extort victim companies for millions in return.
As a result, "the industry should button up its call centers where this actor has had a lot of success with social engineering," Hultquist says.
Cybersecurity company Palo Alto Networks also noticed Scattered Spider targeting the aviation industry. In a LinkedIn post, SVP Sam Rubin noted airline providers should watch out for “suspicious” multi-factor authentication requests. That’s because Scattered Spider has also been known to send fake SMS text messages impersonating login systems to phish employees.
In addition, US cyber authorities have observed the group using brute-force tactics by bombarding a company's login system with push notifications, hoping to trick victims into approving access out of frustration or confusion.
In response to the threat, Mandiant CTO Charles Carmakal wrote on LinkedIn: “We recommend that the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets).”
So far, Hawaiian Airlines and WestJet haven’t confirmed if Scattered Spider is behind the two cyberattacks. But Hawaiian Airlines said in a statement: “We continue to safely operate our full flight schedule, and guest travel is not impacted.”