Scattered Spider is actively targeting airlines with ransomware and data extortion attacks, the FBI has warned.
“The FBI is actively working with aviation and industry partners to address this activity and assist victims,” the agency wrote in a LinkedIn post on June 27.
The FBI has also encouraged early reporting of incidents to prevent further compromise.
The alert comes amid several reported cyber incidents impacting North American airlines in recent weeks.
This includes Canadian-based WestJet Airlines revealing on June 13 that it was responding to a cybersecurity incident involving internal systems and the WestJet app, restricting access for several users.
On June 26, Hawaiian Airlines disclosed it had been impacted by a “cybersecurity event” impacting some of its IT systems.
Flight operations remain unaffected for both airlines.
No further details of the separate incidents have been provided at the time of writing. It is unknown if they are ransomware related, what, if any, customer data has been impacted or if the perpetrators are linked to Scattered Spider.
FBI Alert on Scattered Spider’s Social Engineering
The latest FBI alert noted that Scattered Spider relies on social engineering techniques for initial access. This often involves impersonating employees or contractors to deceive IT help desks into harvesting credentials of high-value users, such as system administrators, CFOs, COOs and CISOs.
These approaches attempt to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts.
“They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,” the FBI said.
“Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware,” the alert continued.
The Scattered Spider ransomware collective hit the headlines in late April, when it was linked to a string of attacks on high profile UK retailers – Marks & Spencer (M&S), The Co-op and Harrods.
These incidents have resulted in significant financial costs for M&S and The Co-op due to operational disruptions.
Investigators collaborating with M&S disclosed that Scattered Spider leveraged compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing firm, to infiltrate systems.
