
The FBI has recently identified an expansion in the targeting activities of the prolific cybercriminal group known as ‘Scattered Spider’, which now includes the airline industry.

These actors primarily use social engineering tactics, often posing as employees or contractors to manipulate IT help desks into granting unauthorized access. A common technique involves bypassing multi-factor authentication (MFA) by persuading support staff to register fraudulent MFA devices to compromised accounts.

Scattered Spider typically focuses on large corporations and their third-party IT service providers, placing the entire airline ecosystem — including trusted vendors and contractors — at potential risk.

Once inside a network, the group is known to steal sensitive data for extortion and may deploy ransomware. The FBI is working closely with aviation and industry partners to counter this threat and support affected organizations.

Experts from Google’s cybersecurity arm, Mandiant, and Palo Alto Networks’ Unit 42 have also confirmed observing similar activity, with the group increasingly focused on the aviation industry.

These threat actors have followed a sector-by-sector attack strategy. Initially, they targeted hotel chains, casinos, and major tech companies. More recently they targeted major retail companies in the UK and US, including the luxury department store Harrods, Marks & Spencer, and Co-op. Their attention then shifted to the insurance sector, where organizations such as Aflac, Erie Insurance, and Philadelphia Insurance Companies were impacted, though attribution to Scattered Spider has not been confirmed.

Scattered Spider is made up primarily of young, English-speaking hackers—often teenagers or young adults—who are financially motivated. Known for their use of social engineering and phishing, the group often resorts to aggressive methods, including impersonation and threats, to infiltrate corporate networks. They frequently seek to steal sensitive data and may deploy ransomware to extort victims.

Aviation Industry Under Siege

On June 12, Canada’s second-largest airline, WestJet, experienced a cyberattack that briefly disrupted internal systems and its mobile app. Sources informed BleepingComputer that both Palo Alto Networks and Microsoft are involved in the response effort.

The breach has been attributed to Scattered Spider, who allegedly infiltrated WestJet’s data centers and Microsoft Cloud infrastructure. The attackers reportedly exploited the self-service password reset feature to gain initial access—registering their own multi-factor authentication (MFA) method and using Citrix for remote network access.

While identity-based attacks are common across various threat groups, Scattered Spider is particularly known for targeting help desks, password systems, and MFA infrastructure—often using social engineering to bypass security measures.

Shortly after the WestJet incident, Hawaiian Airlines disclosed it had also suffered a cyberattack. Although the company did not attribute the breach, sources suggest Scattered Spider may be responsible.

Industry Experts Confirm New Targeting Trends

Sam Rubin, SVP of Consulting and Threat Intelligence at Palo Alto Networks, confirmed that Scattered Spider—also tracked as “Muddled Libra”—has begun targeting the aviation sector.

“Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry,” Rubin said. “Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.”

Charles Carmakal of Mandiant echoed the warning, noting that the group’s targeting now includes North American airline and transportation companies.

“ALERT: Scattered Spider has added North American airline and transportation organizations to their target list,” Carmakal posted. “Mandiant (part of Google Cloud) is aware of multiple incidents resembling operations by UNC3944 or Scattered Spider. We strongly advise organizations to tighten help desk identity verification processes before allowing any changes such as new phone numbers, password resets, MFA device registrations, or release of employee information.”
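The pattern described above for the WestJet intrusion (a password reset followed shortly by the attacker registering their own MFA method) and the help-desk advice in the quote can both be turned into a simple detection. The following is an added example, not code from the article or from Mandiant, Unit 42, or any vendor product: it reads a constructed, simplified audit-event format (not a real product's log schema), with hypothetical usernames and documentation-range IP addresses, and flags any MFA-method registration that occurs within a configurable window of the same account's most recent password reset. The severity is raised when the registering IP address had never produced a successful sign-in for that account before the reset, which is the case in the constructed "bob" scenario.

```python
"""Flag MFA-method registrations that closely follow a password reset.

Added example; not code from the article or from any vendor product. The
event format below is a constructed, simplified audit schema, not a real
product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (chronological order is not assumed; we sort).
SAMPLE_EVENTS = [
    # bob: baseline sign-ins from the office range, then a self-service reset
    # and a new MFA method from an address never seen for this account.
    {"ts": "2025-06-10T09:00:00Z", "user": "bob", "action": "SignIn", "outcome": "Success", "ip": "198.51.100.5"},
    {"ts": "2025-06-11T09:05:00Z", "user": "bob", "action": "SignIn", "outcome": "Success", "ip": "198.51.100.5"},
    {"ts": "2025-06-12T13:40:00Z", "user": "bob", "action": "PasswordReset", "channel": "SSPR", "ip": "192.0.2.77"},
    {"ts": "2025-06-12T13:50:00Z", "user": "bob", "action": "MfaMethodRegistered", "method": "AuthenticatorApp", "ip": "192.0.2.77"},
    {"ts": "2025-06-12T13:52:00Z", "user": "bob", "action": "SignIn", "outcome": "Success", "ip": "192.0.2.77"},
    # carol: help-desk-assisted reset and a new MFA method 20 minutes later, from her usual address.
    {"ts": "2025-06-11T08:30:00Z", "user": "carol", "action": "SignIn", "outcome": "Success", "ip": "203.0.113.10"},
    {"ts": "2025-06-12T10:00:00Z", "user": "carol", "action": "PasswordReset", "channel": "HelpDesk", "actor": "helpdesk.jdoe", "ip": "203.0.113.10"},
    {"ts": "2025-06-12T10:20:00Z", "user": "carol", "action": "MfaMethodRegistered", "method": "SMS", "ip": "203.0.113.10"},
    # alice: reset in the morning, new authenticator enrolled three hours later; outside the default window.
    {"ts": "2025-06-11T07:45:00Z", "user": "alice", "action": "SignIn", "outcome": "Success", "ip": "203.0.113.22"},
    {"ts": "2025-06-12T07:50:00Z", "user": "alice", "action": "PasswordReset", "channel": "SSPR", "ip": "203.0.113.22"},
    {"ts": "2025-06-12T10:50:00Z", "user": "alice", "action": "MfaMethodRegistered", "method": "AuthenticatorApp", "ip": "203.0.113.22"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp used in SAMPLE_EVENTS."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_reset_then_mfa_registration(events, window_minutes=60):
    """Return one finding per MFA registration that occurs within
    `window_minutes` of the same account's most recent password reset.

    Severity is "high" when the registering IP had never produced a successful
    sign-in for that account before the reset, "medium" otherwise.
    """
    window = timedelta(minutes=window_minutes)
    known_ips = defaultdict(set)  # user -> IPs with a successful sign-in so far
    last_reset = {}               # user -> (reset event, snapshot of known IPs at reset time)
    findings = []

    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        user, action = ev["user"], ev["action"]
        if action == "SignIn" and ev.get("outcome") == "Success":
            known_ips[user].add(ev["ip"])
        elif action == "PasswordReset":
            # Snapshot the baseline now, so a sign-in the attacker performs
            # after the reset cannot make their address look "known".
            last_reset[user] = (ev, set(known_ips[user]))
        elif action == "MfaMethodRegistered" and user in last_reset:
            reset, baseline = last_reset[user]
            delta = parse_ts(ev["ts"]) - parse_ts(reset["ts"])
            if timedelta(0) <= delta <= window:
                seen_before = ev["ip"] in baseline
                findings.append({
                    "user": user,
                    "reset_ts": reset["ts"],
                    "reset_channel": reset.get("channel", "unknown"),
                    "reset_actor": reset.get("actor", user),
                    "register_ts": ev["ts"],
                    "method": ev.get("method", "unknown"),
                    "minutes_between": int(delta.total_seconds() // 60),
                    "ip": ev["ip"],
                    "ip_seen_before": seen_before,
                    "severity": "medium" if seen_before else "high",
                })
    return findings


if __name__ == "__main__":
    for f in detect_reset_then_mfa_registration(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['user']}: {f['reset_channel']} reset by {f['reset_actor']} "
              f"at {f['reset_ts']}, {f['method']} registered {f['minutes_between']} min later "
              f"from {f['ip']} (ip seen before: {f['ip_seen_before']})")
```

With the default 60-minute window the constructed data yields two findings: "carol" at medium severity (help-desk reset from a known address, which is exactly the case where the help-desk verification step in the quote above is the control) and "bob" at high severity (self-service reset and registration from an address with no sign-in history). Widening the window to four hours also surfaces "alice". In a real deployment the `reset_actor` field is what lets an analyst go back to the help-desk ticket and confirm what identity verification was actually performed before the reset.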

A Closer Look At Scattered Spider

Scattered Spider, also known as UNC3944, is a cybercriminal group primarily composed of teenagers and young adults, believed to reside in the United States and the United Kingdom.

The group rose to prominence following high-profile cyberattacks and extortion attempts targeting major casino operators Caesars Entertainment and MGM Resorts International. Beyond these, they have also reportedly targeted companies such as Visa, PNC Financial, Transamerica, New York Life, Synchrony Financial, Truist Bank, Twilio, and, more recently, Snowflake customers.

Alternate Names and Affiliations

While most commonly referred to as Scattered Spider in media and press releases, the group has also been labeled Star Fraud, Octo Tempest, Scatter Swine, and Muddled Libra. They are considered part of a broader cybercriminal ecosystem known as “the Community” or “the Com”, which includes individuals responsible for breaches of major U.S. tech firms.

Origins and Early Tactics

Formed around May 2022, Scattered Spider initially focused on attacks against telecommunications companies. Their methods included SIM swapping, MFA fatigue attacks, and phishing via SMS and Telegram. They exploited vulnerabilities like CVE-2015-2291, a Windows anti-DoS flaw, to disable security software and evade detection. The group is known for its technical sophistication, particularly in cloud platforms like Microsoft Azure, Google Workspace, and AWS, often leveraging legitimate remote-access tools.

Transition to Critical Infrastructure & Casinos

After targeting infrastructure sectors, the group shifted focus to casinos in 2023.

MGM Resorts Hack

On September 11, 2023, Scattered Spider infiltrated MGM Resorts by impersonating an employee during a call to the company’s help desk, using LinkedIn for social engineering. The next day, MGM reported the breach in a Form 8-K filing with the SEC. The attack disabled hotel systems, including ATMs, room keys, food and beverage credits, and parking charges. Scattered Spider partnered with ALPHV, a ransomware-as-a-service (RaaS) provider.

In July 2024, a 17-year-old from the UK was arrested in connection to the hack. He was released on bail pending trial.

Caesars Entertainment Hack

Scattered Spider reportedly extorted Caesars Entertainment by demanding a $30 million ransom, of which the company paid $15 million. The breach compromised personal data including driver’s license and potentially Social Security numbers. Caesars admitted it could not guarantee the deletion of the stolen data.

There is some dispute over whether Scattered Spider was solely responsible for the Caesars attack, with conflicting reports suggesting involvement from another group.

Aftermath and Lawsuits

Both companies experienced stock drops following the attacks. MGM’s CEO admitted the company was “completely in the dark” during the incident. The FTC and FBI launched investigations, and Moody’s warned of potential credit rating downgrades due to MGM’s operational disruption.

Class-action lawsuits were filed against both MGM and Caesars, alleging negligence in securing customer data. In January 2025, MGM settled for $45 million.

Snowflake Data Breaches

Scattered Spider members were later tied to breaches involving Snowflake customers, where they stole large volumes of data and demanded ransoms. Victims included AT&T, Ticketmaster, Advance Auto Parts, LendingTree, and Neiman Marcus, among nearly 100 organizations.
