

Editor’s Note: Story updated 1:55 p.m. Eastern U.S. time with comments from cybersecurity incident responders.
Multiple incident responders said a cyberattack on Hawaiian Airlines is likely the work of cybercriminal group Scattered Spider.
The airline first reported the incident Thursday morning, assuring customers that although the attack took down some IT systems, it was still able to safely operate a full flight schedule and was “working toward an orderly restoration.” The Federal Aviation Administration told Reuters it was assisting the airline to ensure the safety of flights.
A source who asked to remain anonymous to speak freely told Recorded Future News on Friday that Scattered Spider was likely behind the attack on Hawaiian Airlines as well as a similar incident two weeks ago affecting WestJet, the second-largest airline in Canada. The source has been involved in the response to several other Scattered Spider incidents over the last month.
The cyberattack on Calgary-based airline WestJet caused intermittent interruptions and errors on its website and app. Systems were largely restored after five days.
Charles Carmakal, CTO at cybersecurity firm Mandiant, released a warning on Friday afternoon saying the Google-owned company is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.”
“We are still working on attribution and analysis, but given the habit of this actor to focus on a single sector we suggest that the industry take steps immediately to harden systems,” Carmakal said.
Incident responders at Palo Alto Networks released a similar warning, saying they are also seeing Scattered Spider attack the aviation industry.
Scattered Spider has garnered headlines for weeks for a string of campaigns targeting high-profile industries. The group first attacked popular retail stores last month before moving on to large insurance companies, including Aflac.
“The actor’s core tactics, techniques, and procedures have remained consistent,” Carmakal explained. “This means that organizations can take proactive steps like training their help desk staff to enforce robust identity verification processes and deploying phishing-resistant MFA to defend against these intrusions.”
Japan Airlines dealt with a similar cyberattack in December that delayed some domestic and international flights.
Temporary warnings
Hawaiian Airlines and Alaska Airlines declined to provide more than what was in Thursday’s statement.
After Hawaiian reported the cyberattack, its website had banners alerting customers to the issue. There was also a banner about the incident on the homepage of Alaska Airlines, which recently acquired Hawaiian Airlines. Neither website had an alert as of Friday morning.
Hawaiian runs 150 flights each day between U.S. mainland cities, Hawaii and countries in the Pacific region — carrying 11 million people in 2024. In its last quarter of being an independent company, it reported $869 million of revenue.
Alaska Airlines, which completed its acquisition of Hawaiian Airlines in September and also runs Horizon Air, reported a net loss for the first quarter of 2025 of $95 million.