Hawaiian Airlines discloses ‘cybersecurity event’ • The Register


Hawaiian Airlines said a “cybersecurity incident” affected some of its IT systems, but noted that flights are operating as scheduled. At least one researcher believes Scattered Spider, which previously targeted retailers and insurance companies, could be to blame.

The airline, which is owned by Alaska Air Group and averages 235 daily flights, first discovered the compromise on June 23, according to a June 27 filing with the US Securities and Exchange Commission. 

“Upon learning of this event, we immediately took steps to safeguard Hawaiian’s operations and systems,” the Form 8-K reported. “Flights are currently operating safely and as scheduled. We have engaged the relevant authorities and experts to assist in our investigation and ongoing remediation efforts.”

Charles Carmakal, the CTO of Google’s Mandiant Consulting security research arm, believes the attack bears the hallmarks of the Scattered Spider gang – which earlier this year targeted retail outlets like Marks & Spencer before moving on to insurance companies.

“Mandiant is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider. We are still working on attribution and analysis, but given the habit of this actor to focus on a single sector we suggest that the industry take steps immediately to harden systems,” said Carmakal.

“The actor’s core tactics, techniques, and procedures have remained consistent. This means that organizations can take proactive steps like training their help desk staff to enforce robust identity verification processes and deploying phishing-resistant MFA to defend against these intrusions. Additional advice can be found in our previous hardening guide.”

The airline first disclosed the digital intrusion at 7:45am HST on its website, and in a 1pm HST update said it is “continuing to address a cybersecurity event,” and that the event has not affected customers’ travel. 

“As we navigate the ongoing event, we remain in contact with the appropriate experts and federal authorities,” the alert continued. “We will provide updates as more information is available.”

Neither Hawaiian Airlines nor its parent company Alaska Air Group immediately responded to The Register’s inquiries, including whether customer or employee data was stolen in the cyberattack, and whether the perpetrators deployed ransomware.

The US Federal Aviation Administration told The Register that its safety office responsible for airline oversight remains in contact with Hawaiian Airlines. 

“There has been no impact on safety, and the airline continues to operate safely,” an FAA spokesperson said. “We are monitoring the situation.”

Neither the FBI nor CISA immediately responded to our requests for comment.

Hawaiian Airlines’ disclosure follows a similar one by Canadian airline WestJet, which on June 13 said a “cybersecurity incident” disrupted some of its internal systems and its app, limiting customers’ access to the company’s website and WestJet app.

In its most recent update posted on June 18, WestJet said it has made “significant progress” on resolving the issue, and launched an investigation with an assist from “third-party cyber security experts and forensic specialists.”

It’s unknown whether the intruders accessed any sensitive data in the digital break-in, according to WestJet: “We are working as quickly as possible to assess any potential data in scope.” ®

Updated at 17:52 GMT to reflect possible attribution to Scattered Spider.


