Warning comes amid ongoing disruptions at Hawaiian Airlines and WestJet
Scattered Spider gained notoriety for the attacks on M&S. It is now expanding its campaign into the aviation sector, targeting major airlines with advanced social engineering techniques.
Notorious cybercrime group Scattered Spider has turned its attention to aviation. In an alert on X, the Federal Bureau of Investigation (FBI) stated that the group is actively targeting airline IT systems by impersonating employees and contractors to manipulate help desk staff.
“These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access,” the alert warned.
The FBI has launched a coordinated response with aviation and industry partners to counter the threat and assist victims in their recovery efforts.
The warning comes amid ongoing disruptions at Hawaiian Airlines, which reported a cyber incident late last week.
While the airline said that its full flight schedule continues to operate safely, it acknowledged that some IT systems had been affected.
“We have taken steps to safeguard our operations, and our flights are operating safely and as scheduled,” the company said.
Similarly, Canadian airline WestJet recently disclosed that it had restricted access for several users following a cybersecurity incident earlier this month. The company is working with third-party cybersecurity firms and forensic experts to investigate, though it has not publicly identified the perpetrators.
Scattered Spider is a hybrid threat actor known for combining long-term intelligence gathering with sudden, high-impact breaches. It shares characteristics with several other threat clusters, including Octo Tempest, Muddled Libra, Oktapus, Scatter Swine, Star Fraud, and UNC3944.
Originally identified for its SIM-swapping exploits, the group has since evolved into one of the most agile cybercriminal syndicates, leveraging helpdesk phishing, insider recruitment, and cloud infrastructure sabotage to infiltrate hybrid environments.
What makes the group particularly dangerous is its use of publicly available breach data and social media research to impersonate real employees with uncanny accuracy.
These tailored attacks often evade detection until critical systems have already been compromised.
The group’s evolving tactics increasingly involve targeting third-party IT providers to gain indirect access to large organisations. This strategy raises concerns for trusted vendors and contractors, who may unknowingly become vectors for intrusion. Once inside, the attackers typically execute data theft, extortion, and ransomware campaigns.
Security firm Halcyon issued an advisory last week warning that Scattered Spider is broadening its targeting beyond aviation to include the US food and manufacturing sectors.
“Scattered Spider attacks disrupt entire organisations from top to bottom, creating ripple effects that threaten financial viability, customer trust, and operational continuity,” Halcyon said.
Sam Rubin, head of Palo Alto Networks’ Unit 42, confirmed on LinkedIn that the group is actively attacking the aviation sector.
He advised organisations to remain vigilant against sophisticated social engineering tactics and unusual MFA reset requests.
Google-owned Mandiant, which recently detailed Scattered Spider’s operations within the US insurance industry, has warned of multiple active incidents in the airline and transportation sectors.
“We recommend that the industry immediately take steps to tighten up their help desk identity verification processes,” said Charles Carmakal, Mandiant CTO.
For companies across the aviation and critical infrastructure sectors, experts say prevention starts not with new tools, but with internal vigilance.
Strengthening help desk protocols, enforcing stricter MFA device approvals, and conducting training based on real-world phishing simulations are all considered key defences.