
Alarm bells were being sounded that Scattered Spider, a notoriously aggressive and prolific hacking group, had a new favourite target — the airline sector.

The FBI and tech companies Google and Palo Alto Networks put out alerts over the weekend.

They warned of multiple incidents in the airline and travel industry that resembled the group’s operations.

Now it is believed Australia might have fallen victim to the cybercriminals.

Qantas has announced that records belonging to 6 million customers were exposed in a “significant” cyber attack.

The airline would not confirm if it was the target of Scattered Spider, but experts said the attack appeared to have its signature moves.

What is Scattered Spider?

Scattered Spider, or UNC3944, is a loose-knit but aggressive hacking group.

Security vendors track the loosely affiliated “scattered” group under various names and aliases, such as Octo Tempest, Star Fraud, Scatter Swine and Muddled Libra.

The members are believed to be mainly young native English speakers from the US and the UK.

Some have reportedly been as young as 16 years old.

Experts have said the tactics employed by the group are aggressive, and they specialise in social engineering attacks. (Unsplash: Taskin Ashiq)

Since emerging in 2022, the group has been accused of breaking into some of the world’s largest companies and stealing their data.

They are alleged to be behind more than 100 targeted attacks across industries including telecommunications, finance, retail and gaming.

The group moves from sector to sector, often picking industries under heavy customer-facing pressure, where an outage is costly. And they aim for the big fish.

In 2023, hackers tied to Scattered Spider broke into gaming companies MGM Resorts and Caesars Entertainment, partially paralysing casinos and knocking slot machines out of commission.

The $US14 billion ($21 billion) gaming giant MGM Resorts operates over 30 hotels and casinos around the world, including in Macau and Las Vegas.


UK-based store Marks & Spencer has also been targeted by cybercriminals. (Reuters: Suzanne Plunkett)

The group has also caused mayhem across the UK, hitting some of the largest retail brands, including Harrods, Co-Op and Marks & Spencer (M&S).

A recent cyber attack on M&S disrupted the company’s online business over weeks.

It has resulted in about 300 million pounds ($600 million) in lost operating profit.

What are the group’s tactics?

Scattered Spider is known to use tactics such as social engineering, where hackers trick people into letting them into systems.

They essentially target human vulnerabilities.

The chief executive of M&S confirmed that “threat actors” had gained access to the retailer’s systems via one of its contractors using social engineering techniques.

The group typically goes after an organisation’s IT help desk, using publicly available information about an employee to pose as that person and talk the help desk into actions such as a password reset.

David Tuffley, a cybersecurity expert from Griffith University, said the tactics could be “pretty aggressive”.

“They would know just how to talk in the right way, to get people to do what it is they want them to do,”

he said.

The impersonation may be carried out through phishing, often fake emails or text messages, or the hackers may simply phone the help desk directly.

Scattered Spider is known to use MFA bombing to gain access to platforms. (Getty Images: Andrew Brookes)

Daswin De Silva, a professor of AI and analytics and director of AI strategy at La Trobe University, said the tactics were “really manipulative”.

“Help desks want to resolve issues as quickly as possible,” Professor De Silva told the ABC.

“With a large organisation that has outsourced some of their business functions, they tend to be removed from the day-to-day operations of the main business.

“When there is a disconnect like this … the security can be compromised.”

Another tactic the group is known to use is called multi-factor authentication (MFA) bombing or MFA fatigue.

It involves attackers repeatedly sending MFA requests, such as notifications to a user’s device, in an attempt to overwhelm them and trick them into approving a login.

Once a login is approved, the attacker holds an authenticated session and can use it to reach internal platforms, such as a data warehousing system, or to drive further password resets.
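The MFA-fatigue pattern described above is easy to spot in identity-provider logs once you look for it: a burst of push prompts to one user, a string of denials, and then an approval. The script below is an added example written for this article, not code from Qantas, the FBI or any vendor named here. It runs over a constructed log excerpt (the timestamps, usernames, IPs and the four-field line format are assumptions) and flags any user who receives at least five push prompts within ten minutes, recording how many prompts were denied before one was finally approved.

```python
"""Detect MFA push-bombing (MFA fatigue) in constructed identity-provider logs.

Added example; the log format below is an assumption:
    <ISO timestamp> <user> <push_sent|push_denied|push_approved> <source IP>
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data, not real telemetry. "alice" is bombed with six
# prompts in about two minutes and approves the sixth; "bob" is a normal login.
SAMPLE_LOG = """\
2025-07-01T02:14:03Z alice push_sent 203.0.113.9
2025-07-01T02:14:05Z alice push_denied 203.0.113.9
2025-07-01T02:14:20Z alice push_sent 203.0.113.9
2025-07-01T02:14:22Z alice push_denied 203.0.113.9
2025-07-01T02:14:41Z alice push_sent 203.0.113.9
2025-07-01T02:14:44Z alice push_denied 203.0.113.9
2025-07-01T02:15:02Z alice push_sent 203.0.113.9
2025-07-01T02:15:03Z alice push_denied 203.0.113.9
2025-07-01T02:15:30Z alice push_sent 203.0.113.9
2025-07-01T02:15:31Z alice push_denied 203.0.113.9
2025-07-01T02:16:10Z alice push_sent 203.0.113.9
2025-07-01T02:16:12Z alice push_approved 203.0.113.9
2025-07-01T09:00:00Z bob push_sent 198.51.100.7
2025-07-01T09:00:04Z bob push_approved 198.51.100.7
"""

WINDOW = timedelta(minutes=10)   # sliding window for counting prompts
THRESHOLD = 5                    # prompts within WINDOW that trigger an alert


@dataclass
class Alert:
    user: str
    prompts_in_window: int          # peak number of prompts seen inside WINDOW
    denials_before_approval: int    # how many pushes the user rejected first
    approved_at: Optional[str]      # set when a prompt was approved after the burst
    source_ip: str


def parse(line: str):
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_mfa_fatigue(log_text: str, window=WINDOW, threshold=THRESHOLD):
    """Return one Alert per user whose push volume exceeds threshold within window.

    An alert whose approved_at is set is the dangerous case: the user gave in
    and the attacker now holds a session.
    """
    sent = defaultdict(deque)      # user -> timestamps of recent push_sent events
    denials = defaultdict(int)     # user -> denials since the last approval
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, user, event, ip = parse(line)
        if event == "push_sent":
            q = sent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop prompts older than the window
                q.popleft()
            if user in alerts:
                alerts[user].prompts_in_window = max(
                    alerts[user].prompts_in_window, len(q))
            elif len(q) >= threshold:
                alerts[user] = Alert(user, len(q), denials[user], None, ip)
        elif event == "push_denied":
            denials[user] += 1
            if user in alerts:
                alerts[user].denials_before_approval = denials[user]
        elif event == "push_approved":
            if user in alerts and alerts[user].approved_at is None:
                alerts[user].approved_at = ts.isoformat()
                alerts[user].denials_before_approval = denials[user]
            denials[user] = 0      # a successful login resets the denial streak
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        status = "APPROVED after burst" if a.approved_at else "not approved"
        print(f"{a.user}: {a.prompts_in_window} prompts, "
              f"{a.denials_before_approval} denials, {status}, from {a.source_ip}")
```

The threshold and window are the knobs to tune against your own baseline; the point is that a denied-then-approved sequence from one source is a higher-confidence signal than prompt volume alone, and is the case worth paging on.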

What does Qantas say?

Qantas has released a statement saying that it detected unusual activity on Monday, on a third-party platform used by a contact centre.

The airline said 6 million customers had service records in the platform, and it believed the proportion of stolen data would be “significant”.

An initial review confirmed the data included some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers, the airline said.

“Importantly, credit card details, personal financial information and passport details are not held in this system,” the statement read.

“No frequent flyer accounts were compromised nor have passwords, PIN numbers or login details been accessed.”


Qantas CEO Vanessa Hudson apologised to those impacted by the hack and recognised the uncertainty it has caused. (AAP: Bianca De Marchi)

The breach comes as the FBI has sent out a notification saying it has recently observed Scattered Spider “expanding its targeting to include the airline sector”.

“They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,” the FBI said in a statement posted on X.

“The FBI is actively working with aviation and industry partners to address this activity and assist victims.”

Alaska Air Group-owned Hawaiian Airlines and Canada’s WestJet have both recently reported being struck by unspecified cyber incidents.

Late last week, the FBI sent out a statement saying it had observed that hacker group Scattered Spider was expanding to target the airline sector. (Reuters: Carlo Allegri)

Qantas said it had notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.

A spokesperson for CyberCX told ABC News the incident had all the hallmarks of an attack from the Scattered Spider hacker group.

Professor Tuffley said he “wouldn’t be too surprised” if the group was behind the attack.

“Qantas are actually pretty good as far as cybersecurity goes, but obviously their call centre in the Philippines or wherever it was wasn’t quite so good,” he said.

What happens to the data?

Previous breaches of major Australian companies, including Medibank and Optus, have shown how stolen personal data can be used as leverage to extort a ransom from the company.

Another concern for Qantas customers is that their personal data could be onsold and then used to conduct fraud.

Professor Tuffley said that often, data from large-scale breaches would be combined to assemble enough information to impersonate someone.

Criminals could then carry out scams such as SIM swapping or financial fraud.

“They could contact a telco and say ‘Hi, this is Dave, I lost my phone and I want to get a new SIM installed,'” he said.

“The telco will go through all sorts of security vetting, but if they’ve got enough information about you, then they can succeed at that.”

Professor De Silva said often after a major breach, there would be a secondary round of attacks based on the data that was stolen.

That could involve using the stolen details to request password resets, or to approach customers with bogus “security check-ups”.

“The attack was first detected on Monday, but customers and the public were informed on Wednesday. This delay translates to more than 48 hours for subsequent targeted/personalised attacks towards individual customers,” Professor De Silva said.

“The Australian government and relevant authorities must do better in managing the communications, impact and loss following cyber attacks.”

Qantas customers are being advised to stay vigilant and check accounts and transactions regularly, including frequent flyer accounts.

As a general piece of advice, experts say individuals should never reuse passwords on any system or service.
