
The Federal Bureau of Investigation (FBI) said that it has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector. These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access.
“These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts,” the FBI wrote in a message on X, formerly Twitter. “They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”
The agency assessed that once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware.
The FBI is actively working with aviation and industry partners to address this activity and assist victims. “Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise. If you suspect your organization has been targeted, please contact your local FBI office,” it added.
Hawaiian Airlines and Canada’s WestJet confirmed that they were still assessing the fallout from recent cyberattacks, though the airlines did not name the perpetrators. More victims in the aviation industry could come forward, sources briefed on the investigation said.
WestJet said in a June 18 statement that it has made significant progress in safeguarding its digital environment and supporting the specialized teams working to resolve the cyber incident that began on June 13, 2025. “As soon as a cybersecurity incident was identified, we took immediate action, including but not limited to launching an investigation, engaging world-class third-party cyber security experts and forensic specialists, and notifying our people and guests of our ongoing efforts.”
“We are working as quickly as possible to assess any potential data in scope,” it added. “Our investigations are ongoing, and we will provide updates as appropriate in the future. We have engaged with law enforcement and are complying with our regulatory obligations in the meantime. The protection of our data is of utmost importance to us, and we thank all of our guests for their continued patience at this time.”
Hawaiian Airlines said in its latest cybersecurity update on June 26 that it “is continuing to address a cybersecurity event that has affected some of our IT systems. We continue to safely operate our full flight schedule, and guest travel is not impacted. As we navigate the ongoing event, we remain in contact with the appropriate experts and federal authorities. We will provide updates as more information is available.”
Mandiant (part of Google Cloud) is aware of multiple incidents in the airline and transportation sector that resemble the operations of UNC3944 or Scattered Spider.
Charles Carmakal, CTO and Board Advisor at Mandiant, recommended in a LinkedIn post that “the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets), reset passwords, add devices to MFA solutions, or provide employee information (e.g. employee IDs) that could be used for subsequent social engineering attacks.”
He added that Mandiant published hardening guidance a few weeks ago that will help organizations defend against Scattered Spider and other groups that use similar TTPs. “This guidance is based on thousands of hours of responding to incidents and successfully eradicating these actors from victim networks. Scattered Spider has a history of focusing on sectors for a few weeks at a time before expanding their targeting. Regardless if your industry is currently targeted, organizations should review the below guidance to improve their defenses.”
Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42 by Palo Alto Networks, wrote in a LinkedIn post that “Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry. Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.”
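The help desk changes Carmakal lists and the suspicious MFA resets Rubin warns about can be turned into a review rule over identity audit events. The following Python is an added example, not code from the FBI, Mandiant or Unit 42; the event fields (`actor`, `action`, `verified`), the 24-hour window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Account changes named in the recommendation quoted above.
SENSITIVE = {"phone_added", "password_reset", "mfa_device_added"}
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample audit events (not real logs); field names are hypothetical.
EVENTS = [
    {"ts": "2025-01-02T08:00:00", "user": "blee", "actor": "helpdesk", "action": "phone_added", "verified": True},
    {"ts": "2025-01-06T09:02:00", "user": "jdoe", "actor": "helpdesk", "action": "phone_added", "verified": False},
    {"ts": "2025-01-06T09:10:00", "user": "jdoe", "actor": "self", "action": "password_reset", "verified": None},
    {"ts": "2025-01-06T09:14:00", "user": "jdoe", "actor": "self", "action": "mfa_device_added", "verified": None},
    {"ts": "2025-01-06T11:30:00", "user": "asmith", "actor": "helpdesk", "action": "password_reset", "verified": True},
    {"ts": "2025-01-06T16:00:00", "user": "blee", "actor": "self", "action": "mfa_device_added", "verified": None},
]

def find_alerts(events, window=WINDOW):
    """Return (user, rule, timestamp) tuples for help-desk driven changes that need review."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["actor"] != "helpdesk" or e["action"] not in SENSITIVE:
                continue
            t0 = datetime.fromisoformat(e["ts"])
            # Rule 1: sensitive help-desk change with no recorded identity verification.
            if not e["verified"]:
                alerts.append((user, "unverified_helpdesk_" + e["action"], e["ts"]))
            # Rule 2: help-desk change followed by self-service reset or MFA
            # enrollment inside the window (a review signal, not proof of abuse).
            followups = [f["action"] for f in evs[i + 1:]
                         if f["actor"] == "self" and f["action"] in SENSITIVE
                         and datetime.fromisoformat(f["ts"]) - t0 <= window]
            if followups:
                alerts.append((user, "helpdesk_change_then_" + "+".join(followups), e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

In the sample, only `jdoe` is flagged: the phone number was added without recorded verification and was followed within minutes by a self-service password reset and a new MFA device. The verified reset for `asmith` and the late enrollment for `blee` are not flagged.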
“Once inside, the group quickly escalates privileges, disables recovery systems, exfiltrates sensitive data, and detonates ransomware, often across hybrid cloud and on-prem infrastructure,” Anthony M. Freed, a research and communications director, wrote in a Monday Halcyon blog post. “In a matter of hours, the group can breach, establish persistent access, harvest sensitive data, disable recovery mechanisms, and detonate ransomware across both on‑premises and cloud environments.”
Freed noted that what sets Scattered Spider apart is its methodical preparation. “Operators study their targets closely, using breach data and social media to craft impersonations so realistic that even trained support staff may be fooled. The group is part of a loosely connected collective with ties to other criminal groups and has been active since at least 2021.”
He added that researchers stress that the core weakness isn’t always in technology—it’s in human-driven identity workflows. “Organizations must rethink how help desk authentication works, harden identity verification procedures, and ensure that employees are trained to spot and resist these kinds of sophisticated deception tactics.”
Last October, the Health Sector Cybersecurity Coordination Center of the U.S. Department of Health and Human Services released a profile on Scattered Spider, a financially motivated group active since 2022. The group has targeted multiple industries, including healthcare, using legitimate tools, malware, and ransomware variants. Known for advanced social engineering like voice phishing and AI-generated voice spoofing, Scattered Spider is expected to keep evolving its tactics, techniques, and procedures (TTPs) to avoid detection.
In November 2023, U.S. security agencies released a joint Cybersecurity Advisory (CSA) warning that the Scattered Spider cybercriminal group was targeting commercial facilities sectors and subsectors. The hackers are known for their involvement in data theft for extortion, utilizing various social engineering techniques. Additionally, they have recently incorporated the use of BlackCat/ALPHV ransomware alongside their usual TTPs.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.