Scattered Spider Cyber Threat Actors Redirect Operations Towards Aviation and Transportation Industries
Threat actors associated with the “Scattered Spider” group have broadened their operational scope to encompass the aviation and transportation sectors, following prior assaults on insurance and retail industries.
Employing a sector-specific strategy, these cybercriminals initially focused on retail organizations, such as Marks & Spencer and Co-op in the United Kingdom, as well as retailers in the United States. They subsequently pivoted to insurance companies, with notable incidents at Aflac, Erie Insurance, and Philadelphia Insurance Companies linked to their activities.
Cyberattacks on the Aviation Sector
On June 12, WestJet, Canada’s second-largest airline, experienced a cyberattack that temporarily disrupted internal services and its mobile application. Following the breach, it was reported that Palo Alto Networks and Microsoft were engaged to assist in the incident response.
This attack was attributed to Scattered Spider, which reportedly compromised the airline’s data centers and Microsoft Cloud infrastructure. Sources indicated that the threat actors gained unauthorized access by performing a self-service password reset on an employee’s account, which allowed them to register their own multi-factor authentication (MFA) method and then obtain remote access through Citrix.
While identity attacks are common, Scattered Spider has distinguished itself by routinely targeting help desks and the underlying infrastructure supporting password management and MFA.
Following this incident, Hawaiian Airlines disclosed they were also victims of a cyberattack; however, specific details regarding the attack’s attribution remain undisclosed. Nonetheless, sources suggest that the same group may be responsible.
Confirming the increasing focus on aviation, Sam Rubin, Senior Vice President of Consulting and Threat Intelligence at Palo Alto Networks, remarked on LinkedIn that Scattered Spider has escalated its targeting efforts within this industry. He urged vigilance against sophisticated social engineering attacks and suspicious MFA reset requests.
Additionally, Charles Carmakal from Mandiant cautioned that Scattered Spider has expanded its focus to include airlines and transportation organizations in North America, emphasizing several incidents resembling their modus operandi.
Carmakal recommended immediate enhancements to identity verification processes at help desks, urging organizations to strengthen protocols prior to modifying employee accounts in scenarios likely to be exploited by these threat actors.
American Airlines is currently experiencing an IT outage, though it remains unclear whether this incident is linked to a security breach. Attempts to communicate with the airline yielded no response.
Overview of Scattered Spider
“Scattered Spider,” also known in the cyber community by several aliases including 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is the designation for a set of threat actors proficient in social engineering, phishing, MFA fatigue, and SIM swapping techniques used to breach large organizations.
This group is primarily composed of young, English-speaking individuals with varied skill sets who are active participants in hacker forums, Telegram channels, and Discord servers, where they collaboratively orchestrate attacks in real-time.
While often labeled as a cohesive unit, Scattered Spider is better understood as a loose collection of threat actors using similar tactics; the amorphous nature of this network complicates tracking efforts.
Notably, Scattered Spider operatives have been observed collaborating with Russian-speaking ransomware groups such as BlackCat, RansomHub, and Qilin, indicating a transnational approach to cybercrime.
Previously documented attacks attributed to Scattered Spider include incidents targeting MGM Resorts, Marks & Spencer, Co-op, Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, and Reddit.
Organizations aiming to defend against these types of threats should prioritize comprehensive visibility across their entire infrastructure, particularly focusing on identity management systems and critical services. Protecting self-service password reset platforms and help desks—frequent targets of these attackers—is essential.
Recommendations provided by Google Threat Intelligence Group and Palo Alto Networks offer guidance on strengthening defenses against the recognized tactics employed by Scattered Spider. Administrators are encouraged to familiarize themselves with these resources and fortify their identity management processes accordingly.
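The intrusion chain described above (self-service password reset, registration of a new MFA method, then remote access) is one that identity logs can surface if the events are correlated per user. The following detection logic is an added example, not code from the article or from any vendor; it assumes a hypothetical, normalized log line format (timestamp, user, event name, source IP) that real SSPR, MFA and remote-access logs would first have to be mapped onto, and the sample lines are constructed.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample identity events in a hypothetical normalized format:
# "<ISO timestamp> <user> <event> <source IP>". Real logs must be mapped to this shape.
SAMPLE_LOG = """\
2025-06-12T02:11:05Z alice SSPR_COMPLETED 203.0.113.44
2025-06-12T02:13:40Z alice MFA_METHOD_REGISTERED 203.0.113.44
2025-06-12T02:20:12Z alice REMOTE_ACCESS_LOGIN 203.0.113.44
2025-06-12T09:00:00Z bob SSPR_COMPLETED 198.51.100.7
2025-06-13T14:30:00Z bob MFA_METHOD_REGISTERED 198.51.100.7
2025-06-12T10:05:00Z carol MFA_METHOD_REGISTERED 192.0.2.9
"""

# The three steps of the chain, in the order the article describes them.
CHAIN = ["SSPR_COMPLETED", "MFA_METHOD_REGISTERED", "REMOTE_ACCESS_LOGIN"]

def parse_log(text):
    """Parse the constructed format into (time, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, action, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, ip))
    return sorted(events)

def detect_reset_chains(events, window=timedelta(hours=1)):
    """Flag users whose password reset is followed, within the window, by a new MFA
    registration. A remote-access login in the same window raises the severity."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, (t0, _, action, ip0) in enumerate(evs):
            if action != CHAIN[0]:
                continue  # only a reset can start the chain
            seen, ips = {CHAIN[0]}, {ip0}
            for t, _, a, ip in evs[i + 1:]:
                if t - t0 > window:
                    break  # events beyond the window are not correlated
                if a in CHAIN:
                    seen.add(a)
                    ips.add(ip)
            if CHAIN[1] in seen:
                severity = "high" if CHAIN[2] in seen else "medium"
                alerts.append({"user": user, "start": t0, "severity": severity, "ips": sorted(ips)})
    return alerts

if __name__ == "__main__":
    for alert in detect_reset_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, only alice is flagged (high, all three steps from one IP within minutes); bob's reset and MFA registration are a day apart and fall outside the one-hour window, which is the kind of tuning decision the help-desk change process should inform.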
Update: As of June 27, 2025, it has been confirmed that American Airlines is experiencing an IT outage.