{"id":3797,"date":"2025-07-02T10:19:46","date_gmt":"2025-07-02T10:19:46","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3797"},"modified":"2025-07-02T10:19:46","modified_gmt":"2025-07-02T10:19:46","slug":"scattered-spider-shifts-focus-to-airlines-as-strikes-hit-hawaiian-westjet-and-now-qantas","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3797","title":{"rendered":"Scattered Spider shifts focus to airlines as strikes hit Hawaiian, WestJet \u2014 and now Qantas"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>A data breach at Qantas via a third-party service is typical of the Scattered Spider attack group, experts say.<\/p>\n<p>\u201cQantas\u2019 cyber breach bears the hallmarks of Scattered Spider, the same group behind recent attacks on Hawaiian Airlines, WestJet, and Marks &amp; Spencer \u2014 likely through compromising a third-party SaaS platform like Salesforce or Zendesk,\u201d Toby Lewis, global head of threat analysis at Darktrace, said on Wednesday. \u201cThe attack follows their typical playbook,\u201d he said.<\/p>\n<p>Qantas alerted customers to the breach Wednesday, saying, \u201cOn Monday 30 June 2025, we detected unusual activity on a third-party platform used by a Qantas airline contact centre. We then took immediate steps and contained the incident.\u201d Its own systems remain secure, it said, and although stolen data included \u201csome customers\u2019 names, email addresses, phone numbers, birth dates, and Frequent Flyer numbers,\u201d no Frequent Flyer accounts were compromised, and no passwords or log-in details were accessed. 
The affected system, which it did not identify, contained no credit card details, personal financial information, or passport details.<\/p>\n<p>Major cybersecurity firms had warned enterprise clients earlier in the week that the notorious Scattered Spider hacking group had shifted its focus to targeting airlines, following confirmed attacks on Hawaiian Airlines and WestJet that security experts say bear the group\u2019s signature social engineering tactics.<\/p>\n<p>\u201cUnit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry,\u201d Sam Rubin, senior vice president at Palo Alto Networks\u2019 Unit 42, said in a <a href=\"https:\/\/www.linkedin.com\/posts\/samsrubin_threat-group-assessment-muddled-libra-updated-activity-7344401358281719808-3sj2\/\" target=\"_blank\" rel=\"noopener\">LinkedIn alert<\/a>. \u201cOrganizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.\u201d<\/p>\n<p>Google\u2019s Mandiant threat intelligence unit echoed the warning, with Chief Technology Officer Charles Carmakal confirming in his <a href=\"https:\/\/www.linkedin.com\/posts\/charlescarmakal_scatteredspider-unc3944-socialengineering-activity-7344421800702844931-pBt9\/\" target=\"_blank\" rel=\"noopener\">LinkedIn post<\/a> that the firm is \u201caware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.\u201d<\/p>\n<p>The vendor alerts come as multiple incident responders have attributed recent cyberattacks on Hawaiian Airlines and Canada\u2019s WestJet to Scattered Spider, the same group behind devastating 2023 breaches of MGM Resorts and Caesars Entertainment that cost the companies millions of dollars.<\/p>\n<p>The Scattered Spider group is also known as UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest, and 0ktapus.<\/p>\n<p>The cybersecurity vendor warnings gained credibility 
Friday when the <a href=\"https:\/\/x.com\/FBI\/status\/1938746767031574565\" target=\"_blank\" rel=\"noopener\">FBI issued its own alert<\/a> confirming the threat. \u201cThe FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector,\u201d the bureau said, warning that attackers \u201crely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access.\u201d<\/p>\n<p>The FBI warned that \u201conce inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware.\u201d The attacks come during peak summer travel season, raising concerns about potential operational disruptions.<\/p>\n<h2 class=\"wp-block-heading\">The third major sector in two months<\/h2>\n<p>The aviation targeting represents Scattered Spider\u2019s third major industry focus in just two months, following concentrated attacks on insurance and retail companies. Between May and June 2025, retailers including <a href=\"https:\/\/www.csoonline.com\/article\/3994369\/how-cisos-can-defend-against-scattered-spider-ransomware-attacks.html?utm=hybrid_search\">Marks &amp; Spencer<\/a>, Harrods, Cartier, Victoria\u2019s Secret, and Adidas suffered breaches attributed to the group, along with insurance giants Aflac and Philadelphia Insurance Companies.<\/p>\n<p>About 70% of <a href=\"https:\/\/reliaquest.com\/blog\/scattered-spider-cyber-attacks-using-phishing-social-engineering-2025\/\">Scattered Spider\u2019s targets<\/a> belong to the technology, finance, and retail trade sectors, with the group demonstrating a pattern of focusing intensively on single industries before pivoting to new sectors.<\/p>\n<p>\u201cScattered Spider has a history of focusing on sectors for a few weeks at a time before expanding their targeting,\u201d Mandiant\u2019s Carmakal said.<\/p>\n<h2 class=\"wp-block-heading\">Sophisticated help desk deception campaigns<\/h2>\n<p>The group 
has perfected calling corporate help desks and impersonating employees to trick support staff into resetting passwords and adding unauthorized devices to multi-factor authentication systems.<\/p>\n<p>Cybercrime syndicates like Scattered Spider operate as compartmentalized organizations, with distinct teams specializing in different attack phases, said Sunil Varkey, advisor at Beagle Security. \u201cOne such team is the social engineering team \u2014 typically low-cost, non-technical, and composed of skilled communicators \u2014 tasked with manipulating users and help desk staff to bypass security controls.\u201d<\/p>\n<p>Help desks present particularly vulnerable targets because they often operate as separate, outsourced functions with high employee turnover and predefined scripts. \u201cThis is a function with high employee turnover, as it is typically low-paying,\u201d Varkey said. \u201cConsequently, the context based on tenure is very limited in acting beyond the standard script.\u201d<\/p>\n<p>The group\u2019s 2023 <a href=\"https:\/\/www.csoonline.com\/article\/654846\/mgm-ransomware-attack-costs-100-million-in-busy-month-for-breaches.html\">attack on MGM Resorts<\/a> exemplifies their devastating impact \u2014 hackers impersonated an MGM employee and convinced help desk staff to reset credentials, ultimately leading to a ransomware attack that caused $100 million in losses and a 36-hour operational shutdown.<\/p>\n<h2 class=\"wp-block-heading\">Airlines present high-value targets<\/h2>\n<p>Aviation companies are particularly vulnerable because they \u201crely heavily on call centers for a lot of their support needs,\u201d making them susceptible to groups that specialize in help desk social engineering.<\/p>\n<p>\u201cAirlines also hold vast amounts of sensitive data, including customer PII, flight schedules, and operational information,\u201d said Brijesh Singh, cybersecurity expert and additional director general of police, Government of Maharashtra, 
India, explaining why the group is targeting the sector. \u201cAirlines\u2019 complex global networks and supply chains make them prime targets. Infiltrations can quickly escalate, leading to substantial ransoms or stolen data being sold on the dark web.\u201d<\/p>\n<p>Help desks in aviation and other large sectors are especially exposed because they typically operate as outsourced, non-IT functions removed from day-to-day business operations. \u201cThe assumption with MFA is that if the user passes the second factor, they are a legitimate user,\u201d Varkey said. \u201cIn many cases, MFA may not be OTP-based but rather secret questions, such as \u2018your favorite sport\u2019 or \u2018your mother\u2019s maiden name,\u2019 which are too easy to guess or obtain through social media.\u201d<\/p>\n<p>The FBI noted that the group targets \u201clarge corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Advanced persistence tactics<\/h2>\n<p>Recent incident reports reveal the group\u2019s sophisticated approach to maintaining access. 
CISA <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-320a\">reports<\/a> that Scattered Spider actors \u201coften search the victim\u2019s Slack, Microsoft Teams, and Microsoft Exchange online\u201d and \u201cfrequently join incident remediation and response calls and teleconferences\u201d to understand how security teams are hunting them.<\/p>\n<p>Mandiant is advising clients to \u201cimmediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee\/contractor accounts\u201d and implement additional verification before resetting passwords or adding MFA devices.<\/p>\n<p><strong>[ See also: <a href=\"https:\/\/www.csoonline.com\/article\/3994369\/how-cisos-can-defend-against-scattered-spider-ransomware-attacks.html\">How CISOs can defend against Scattered Spider ransomware attacks<\/a> ]<\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A data breach at Qantas via a third-party service is typical of the Scattered Spider attack group, experts say. 
\u201cQantas\u2019 cyber breach bears the hallmarks of Scattered Spider, the same group behind recent attacks on Hawaiian Airlines, WestJet, and Marks &amp; Spencer \u2014 likely through compromising a third-party SaaS platform like Salesforce or Zendesk,\u201d Toby [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3798,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3797","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3797"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3797"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3797\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3798"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3797"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
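Added example, not code from the original article or from any of the vendors it quotes: detection logic for the sequence the FBI, Unit 42 and Mandiant describe above, a password or MFA reset performed by a help-desk operator rather than by the account owner, followed within minutes by enrollment of a new MFA factor (a new phone number or authenticator) or a sign-in from a device never seen for that account. The audit-event schema, the event type names, the user names and the 30-minute correlation window are assumptions made for this example, loosely modelled on identity-provider audit logs; the sample events are constructed and use RFC 5737 documentation addresses.

```python
"""Detect the help-desk-assisted account takeover sequence the article describes:
a password or MFA reset performed by someone other than the account owner
(help desk / admin), followed within a short window by enrollment of a new MFA
factor or a sign-in from a device never seen for that account.

The event schema and the sample events are constructed for this example; they
are not any identity provider's real audit-log format."""
from collections import defaultdict
from datetime import datetime, timedelta

RESET_TYPES = {'user.password.reset', 'user.mfa.factor.reset'}  # assumed event names
ENROLL_TYPE = 'user.mfa.factor.enroll'
SIGNIN_TYPE = 'user.session.start'
WINDOW = timedelta(minutes=30)  # assumed: how long after a reset we correlate


def ev(ts, etype, actor, target, device=None, ip=None):
    """Build one constructed audit event (vendor-neutral, assumed schema)."""
    return {'ts': ts, 'type': etype, 'actor': actor, 'target': target,
            'device_id': device, 'ip': ip}


# Constructed sample events. 'actor' performed the action, 'target' is the
# account affected. IPs are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # Baseline sign-ins that establish each user's known devices
    ev('2025-06-29T09:00:00Z', SIGNIN_TYPE, 'alice', 'alice', 'LAPTOP-A1', '203.0.113.10'),
    ev('2025-06-29T09:05:00Z', SIGNIN_TYPE, 'dave', 'dave', 'LAPTOP-D2', '203.0.113.11'),
    # Legitimate help-desk reset for dave: he signs back in from his known laptop
    ev('2025-06-30T09:00:00Z', 'user.password.reset', 'helpdesk.bob', 'dave'),
    ev('2025-06-30T09:10:00Z', SIGNIN_TYPE, 'dave', 'dave', 'LAPTOP-D2', '203.0.113.11'),
    # Suspicious: help desk resets alice's password AND her MFA factor after a call...
    ev('2025-06-30T13:02:00Z', 'user.password.reset', 'helpdesk.bob', 'alice'),
    ev('2025-06-30T13:03:30Z', 'user.mfa.factor.reset', 'helpdesk.bob', 'alice'),
    # ...then a new factor is enrolled and a never-seen device signs in from a new IP
    ev('2025-06-30T13:07:10Z', ENROLL_TYPE, 'alice', 'alice', 'PHONE-NEW', '192.0.2.77'),
    ev('2025-06-30T13:09:45Z', SIGNIN_TYPE, 'alice', 'alice', 'WIN-UNKNOWN-9', '192.0.2.77'),
    # Self-service reset by carol herself: no third party involved, not correlated
    ev('2025-06-30T14:00:00Z', 'user.password.reset', 'carol', 'carol'),
    ev('2025-06-30T14:05:00Z', SIGNIN_TYPE, 'carol', 'carol', 'LAPTOP-C3', '203.0.113.12'),
]


def parse_ts(ts):
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ')


def find_helpdesk_takeovers(events, window=WINDOW):
    """Return alert dicts for new-factor enrollments and unseen-device sign-ins
    that follow a third-party (non-self-service) reset within `window`."""
    events = sorted(events, key=lambda e: parse_ts(e['ts']))
    known_devices = defaultdict(set)  # target -> device_ids seen so far
    pending = {}                      # target -> earliest third-party reset still in window
    alerts = []
    for e in events:
        t, target = parse_ts(e['ts']), e['target']
        # Expire a correlation window once it has run out
        if target in pending and t - parse_ts(pending[target]['ts']) > window:
            del pending[target]
        if e['type'] in RESET_TYPES:
            # Only resets performed by someone else open a window; self-service resets do not
            if e['actor'] != target:
                pending.setdefault(target, e)
            continue
        if target in pending:
            reset = pending[target]
            signal = None
            if e['type'] == ENROLL_TYPE:
                signal = 'new_mfa_factor_enrolled_after_reset'
            elif e['type'] == SIGNIN_TYPE and e['device_id'] not in known_devices[target]:
                signal = 'signin_from_unseen_device_after_reset'
            if signal:
                alerts.append({
                    'target': target, 'signal': signal, 'ts': e['ts'],
                    'reset_type': reset['type'], 'reset_by': reset['actor'],
                    'minutes_after_reset': round((t - parse_ts(reset['ts'])).total_seconds() / 60, 1),
                    'ip': e['ip'], 'device_id': e['device_id'],
                })
        # Record the device only after checking it, so the first use still alerts
        if e['type'] == SIGNIN_TYPE and e['device_id']:
            known_devices[target].add(e['device_id'])
    return alerts


if __name__ == '__main__':
    for a in find_helpdesk_takeovers(SAMPLE_EVENTS):
        print(a)
```

Run against the constructed events, only alice produces alerts: one for the factor enrolled about five minutes after the help-desk reset and one for the sign-in from an unseen device. Dave's help-desk reset is silent because he returns on a known device, and carol's self-service reset never opens a window, which is the distinction the vendor guidance draws between ordinary resets and the ones worth a second look.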