Scattered Spider Hackers Set Sights on Airlines and Transport After Targeting Retail and Insurance Giants
Cybercrime group “Scattered Spider” is now steering its focus toward North America’s aviation and transportation sectors, marking a sharp escalation in the threat landscape. Experts say the tactics are familiar, the impact is growing, and the victims are no longer confined to insurers and high-street retailers.
WestJet and Hawaiian Airlines are the latest in a line of major names reportedly breached using the same social engineering tricks that have defined this threat actor’s strategy. And it’s no longer a question of if, but when, others will be hit.
From Co-op to Cockpits: How Scattered Spider Has Expanded Its Scope
At first, Scattered Spider’s victims were retail brands. Big ones. In the UK and US, household names like Marks & Spencer and Co-op were caught up in messy cyber intrusions. Then came a pivot — insurance companies like Aflac, Erie, and Philadelphia Insurance were next.
That pivot wasn’t random.
Each wave of attacks seems to zero in on a specific industry. Analysts at Palo Alto Networks and Mandiant believe the group is systematically moving from one sector to another, collecting credentials, data, and leverage. And now, that spotlight is on aviation and transport.
Even though it’s hard to pin down exactly who’s behind every breach, patterns are repeating. And people are paying attention.
WestJet’s Wake-Up Call: A Breach That Didn’t Go Quiet
On June 12, WestJet — Canada’s second-largest airline — went dark internally.
The mobile app went offline. Internal systems were knocked out. For a moment, it wasn’t clear how bad things were. Then came reports from BleepingComputer: this wasn’t just a hiccup. It was a full-blown breach, and it was serious.
Turns out, the attacker used a surprisingly simple method to get in.
They reset an employee’s password via self-service, registered their own multi-factor authentication (MFA) device, and waltzed in through Citrix like they owned the place. Sources close to the matter say Microsoft and Palo Alto Networks were called in immediately.
Hawaiian Airlines Next in Line, American Airlines on Watch
Less than two weeks after WestJet’s issues, Hawaiian Airlines said it had also suffered a cyberattack. They weren’t saying much — yet — but people close to the matter say it’s likely the same crew.
American Airlines, meanwhile, is dealing with an unexplained IT outage. Whether it’s related remains to be seen. The silence from official channels isn’t helping calm nerves.
Charles Carmakal of Mandiant didn’t mince words: “Scattered Spider has added North American airline and transportation organizations to their target list.” His LinkedIn post wasn’t a casual observation. It was a red flag.
This Isn’t Your Average Cyber Gang
Scattered Spider — also known by names like UNC3944, Octo Tempest, and Muddled Libra — isn’t exactly a traditional group. It’s more like a style of cyber warfare than a gang. A method. A playbook.
The people behind it? They’re young. English-speaking. Internet-native. And they know how to play both systems and humans.
They trick help desks.
They spam MFA requests (a tactic called “MFA fatigue”).
They run SIM-swapping scams.
They phish with alarming precision.
These folks often don’t operate alone, either. Many have ties to Russian-speaking ransomware syndicates like BlackCat and RansomHub. That crossover is rare — and dangerous.
Sector-by-Sector: A Table of Their Known Hits
Scattered Spider’s methodical targeting is starting to look like a checklist.
| Sector | Major Victims | Tactics Observed |
|---|---|---|
| Retail | Marks & Spencer, Co-op | Credential theft, phishing, MFA bombing |
| Insurance | Aflac, Erie, Philadelphia Insurance | Social engineering, SIM swapping |
| Tech/Cloud | Twilio, Coinbase, DoorDash | MFA resets, help desk exploits |
| Entertainment | MGM, Caesars, Riot Games | Credential stuffing, ransomware partners |
| Aviation | WestJet, Hawaiian Airlines (suspected) | Password resets, MFA takeover |
Every move is sharper than the last.
Identity Is the Soft Spot. And They Know It.
There’s a reason these attackers keep breaking in through MFA platforms and help desks: those routes work. Companies often overlook the basics — like who’s requesting a password reset, and whether the “employee” on the line is even real.
Sam Rubin from Palo Alto Networks made it crystal clear: “Organizations should be on high alert for social engineering attacks and suspicious MFA reset requests.” That’s where it starts. And if it slips through the cracks? It doesn’t end well.
Rubin and others recommend firms review every phone number added to employee profiles, especially during account recovery. Help desks should ask more than just an ID number. Because, frankly, the bad guys already have that info.
What Does the Defense Playbook Look Like?
There’s no silver bullet. But there are red flags and clear advice from the front lines. Google’s Threat Intelligence Group and Palo Alto Networks have already put out detailed guidance on what companies should do — starting yesterday.
Lock down self-service password reset tools.
Monitor MFA device changes closely.
Educate support staff on phishing and spoofing attempts.
Log and review help desk requests involving identity changes.
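The WestJet chain described above (self-service password reset, then a new MFA device, then a remote-access login) is exactly the sequence the "monitor MFA device changes" and "log and review identity requests" advice is meant to catch. The following detection is an added example, not code from any vendor guidance cited here; the log format, event names and sample lines are constructed for illustration.

```python
"""Flag users whose identity events complete the takeover chain
(self-service reset -> new MFA device -> remote-access login) within a
short window. Event names and log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event> <detail>"
SAMPLE_LOG = [
    "2025-06-12T02:01:10Z alice sspr.password_reset src=203.0.113.7",
    "2025-06-12T02:03:42Z alice mfa.device_registered method=authenticator",
    "2025-06-12T02:09:05Z alice citrix.login src=203.0.113.7",
    "2025-06-12T09:15:00Z bob mfa.device_registered method=sms",
    "2025-06-12T14:20:00Z bob citrix.login src=198.51.100.4",
    "2025-06-11T08:00:00Z carol sspr.password_reset src=192.0.2.9",
    "2025-06-12T08:30:00Z carol mfa.device_registered method=sms",
    "2025-06-12T08:31:00Z carol citrix.login src=192.0.2.9",
]

# The ordered stages of the chain; a hit requires all three, in order.
CHAIN = ("sspr.password_reset", "mfa.device_registered", "citrix.login")


def parse(line):
    ts, user, event, *rest = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, " ".join(rest)


def find_takeover_chains(lines, window=timedelta(hours=1)):
    """Return {user: [timestamps]} for users completing CHAIN within `window`
    of the reset. Timestamps let an analyst pivot straight into the logs."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, event, _ = parse(line)
        per_user[user].append((ts, event))
    hits = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, ev) in enumerate(events):
            if ev != CHAIN[0] or user in hits:
                continue
            stage, seen = 1, [start]
            for ts, later in events[i + 1:]:
                if ts - start > window:      # stale reset: stop looking
                    break
                if later == CHAIN[stage]:
                    seen.append(ts)
                    stage += 1
                    if stage == len(CHAIN):  # full chain observed
                        hits[user] = seen
                        break
    return hits
```

In the sample, only alice completes all three stages within the hour; bob never reset a password, and carol's reset happened a day before her MFA change, so neither is flagged.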
It’s not just about firewalls or antivirus anymore. These attackers are coming in through identity layers. If a company can’t see who’s doing what across their platforms — Microsoft 365, Okta, Citrix, whatever — they’re flying blind.