The Spider in the Cockpit: How Hackers Are Targeting Airlines Next


Scattered Spider Creeps Into Airlines: Why You Should Care




Cybercriminals break in subtly—with manipulation, patience, and carefully crafted trust. That’s the story behind Scattered Spider, the English-speaking hacking crew that’s now setting its sights on airlines and transportation networks.

Who Are These Hackers?

Scattered Spider (also tracked as UNC3944, Star Fraud, Octo Tempest) emerged around May 2022, originally hitting telecom firms with SMS phishing and SIM swapping. The group is strikingly young—mostly teens and 20-somethings from the U.S., the U.K., and Canada—and unusually fluent in English, which gives them an edge in socially engineering through help desk and IT channels.

Described as a “loose collective” more than a rigid hierarchy, they collaborate through forums, Telegram, and Discord—as part of a broader cybercriminal “Com” ecosystem.

What Have They Done—And What’s Next?

Scattered Spider has been involved in some of the most high-profile digital intrusions in recent years:

  • September 2023: Disrupted MGM Resorts and Caesars Entertainment. MGM allegedly lost over $100 million in direct costs and operational chaos.

  • Expanded into the retail and insurance sectors in the U.K. and U.S., targeting companies like Marks & Spencer, Harrods, Aflac, Erie Insurance.

  • This month, airlines joined the hit list. Hawaiian Airlines and WestJet confirmed breaches in early to mid-June, with cybersecurity firms attributing the tactics to this group.

Their approach is consistent: no malware blitz, but stealthy infiltration through social engineering, MFA fatigue, phishing, and SIM-swapping. Once inside, they deploy remote‑access tools (TeamViewer, Ngrok), conduct reconnaissance, then exfiltrate data or drop ransomware from partners like ALPHV/BlackCat, DragonForce, Qilin, and RansomHub.

Why Airlines and Transportation?

Scattered Spider tends to focus deeply on one industry at a time, probing systemic weaknesses—whether in casinos, retailers, insurers, or now aviation. Airlines offer rich opportunities:

  • Complex IT systems with global help desk operations.

  • High-stakes environments where disruption can force compliance.

  • Valuable data flows, from booking platforms to passenger personal info.

Their expanding footprint is alarming—critical infrastructure like airlines is no longer safe from breach attempts.

Who Backs Them?

Scattered Spider is financially motivated, not geopolitically sponsored. But their collaboration with Russian ransomware outfits like ALPHV/BlackCat and DragonForce shows a strategic alliance: they supply access, those groups deliver payloads.

Despite arrests—several suspects charged in late 2023 and 2024—Scattered Spider remains active. Its decentralized nature means law enforcement may cut off heads, but the group morphs and survives.

How Can Businesses Protect Themselves?

This isn’t fear-mongering: the threat is real, but defenses exist. Experts emphasize a layered strategy:

  1. Strengthen human defenses

    • Train help desk teams to question unusual requests

    • Simulate social-engineering attempts regularly 

  2. Technical controls

    • Enforce MFA and detect rapid multi‑push MFA floods

    • Lock down remote-access solutions you don’t use daily

  3. SIM and identity protection

    • Register numbers with carriers to block fraud

    • Monitor port requests and anomalies 

  4. Behavioral monitoring

    • Look for lateral movement in internal systems

    • Alert on unusual login timing, access from foreign IPs

  5. Incident readiness

    • Ensure crisis plans are in place

    • Practice tabletop exercises involving a social-engineering breach
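
One way to implement the "detect rapid multi‑push MFA floods" control from the list above, as an added example that is not part of the original article: a sliding-window check over MFA push events. The event layout, result values, five-minute window and threshold of five are assumptions; map them to the fields your identity provider actually logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (ISO timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2025-06-20T02:10:00", "alice", "approved"),   # normal single login
    ("2025-06-20T03:00:05", "bob", "denied"),
    ("2025-06-20T03:00:40", "bob", "timeout"),
    ("2025-06-20T03:01:10", "bob", "denied"),
    ("2025-06-20T03:01:55", "bob", "timeout"),
    ("2025-06-20T03:02:30", "bob", "denied"),
    ("2025-06-20T03:03:02", "bob", "approved"),     # user gives in after the flood
    ("2025-06-20T09:00:00", "carol", "denied"),
    ("2025-06-20T11:30:00", "carol", "denied"),     # spread out: not a flood
]

def detect_push_floods(events, window=timedelta(minutes=5), threshold=5):
    """Alert when a user gets >= threshold unapproved pushes inside window."""
    recent = defaultdict(deque)   # user -> timestamps of recent unapproved pushes
    open_alert = {}               # user -> alert for the flood still in progress
    alerts = []
    for ts_raw, user, result in sorted(events):   # ISO strings sort by time
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:           # slide the window forward
            q.popleft()
        if not q:
            open_alert.pop(user, None)            # earlier flood has aged out
        if result == "approved":
            if user in open_alert:                # approval during a flood
                open_alert[user].update(severity="critical", approved_at=ts_raw)
            q.clear()
            open_alert.pop(user, None)
            continue
        q.append(ts)
        if user in open_alert:
            open_alert[user]["pushes"] += 1
        elif len(q) >= threshold:
            open_alert[user] = {"user": user, "first_push": q[0].isoformat(),
                                "pushes": len(q), "severity": "warning",
                                "approved_at": None}
            alerts.append(open_alert[user])
    return alerts

if __name__ == "__main__":
    for alert in detect_push_floods(SAMPLE_EVENTS):
        print(alert)
```

A "critical" alert means an approval landed while the flood was still in the window, which is the case to route to incident response and session revocation rather than a routine ticket.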

Bottom Line

Scattered Spider is not just another ransomware crew—they are purveyors of trust breaches, using deception to slip through cracks in human and operational systems. Their pivot into airlines signals a major shift: critical infrastructure is vulnerable.

But defenses aren’t futile. Robust training, technical oversight, and simulated readiness can blunt their impact. Companies that combine vigilance with layered controls will be stronger than any criminal spider.