
Eight-legged Business Class Seats

  • Javier Conejo del Cerro
  • 2 days ago
  • 3 min read

The cybercriminal syndicate Scattered Spider has widened its operational horizon, now taking aim at the airline industry. The FBI has confirmed that the group is actively targeting aviation entities using highly refined social engineering strategies. Recent intrusions into Hawaiian Airlines and WestJet signal that the skies are no longer off-limits. Though the affected companies have not attributed the breaches to any specific actor, the techniques used—impersonation, help desk manipulation, and multi-factor authentication (MFA) evasion—align with the known playbook of Scattered Spider.

This evolving threat has mobilized federal authorities and incident response units to collaborate closely with airlines and vendors, aiming to stem the tide before these attacks escalate further. As cybercriminals shift from brute force to behavioral deception, the importance of identity validation rises to a critical priority.

From tarmac to terminals

The group’s targets are not limited to systems—they’re people. Executives, IT administrators, internal support staff, and even flight crews have been impersonated or manipulated in attacks. Scattered Spider’s strategy hinges on human error within identity workflows. By exploiting urgency, authority, and familiarity, the attackers convince help desk agents to provision unauthorized MFA devices, reset privileged credentials, or reveal internal data.

Their victim profile prioritizes users with expansive privileges: those who control VPN gateways, cloud consoles, identity management services, or vaults holding credentials. Such accounts offer direct access to operational infrastructure and sensitive data—making them ideal for deep compromise and lateral movement.

MFA seatbelt sign off, data out

The attackers’ initial access typically begins with voice phishing (vishing), posing as legitimate employees in urgent scenarios. By leveraging public breach data, social media intelligence, and insider knowledge, they build highly credible personas. Once trust is established, they manipulate help desk staff into bypassing MFA controls or enrolling new authentication devices.

With this foothold, Scattered Spider pivots to technical escalation. They access VPNs and virtual desktop environments, enumerate privileged accounts in Entra ID, and move through internal systems such as SharePoint and VMware. During a recent breach described by ReliaQuest, the group used credentials of a chief financial officer to access administrative consoles, reinstate decommissioned virtual machines, extract NTDS.dit password databases, and compromise a CyberArk vault containing over 1,400 secrets.

Exfiltrated data includes identity records, admin credentials, sensitive business files, and proof-of-access material. In some cases, the attackers disabled Azure firewall rules and domain controllers, prioritizing sabotage over stealth once detection was imminent. A tug-of-war ensued between the attackers and incident responders for control of administrative roles—requiring Microsoft’s direct intervention to restore order.

Spiders grounded

The Scattered Spider campaign highlights how fragile identity trust chains can be when workflows rely too heavily on human judgment. To reduce the risk of similar breaches, organizations—especially in critical infrastructure sectors—should:

  • Restrict self-service MFA enrollment and reset options for privileged accounts.
  • Require identity verification across multiple independent data sources, not just directory records.
  • Enforce least privilege by reducing the number of high-access accounts and roles.
  • Audit identity-related events in real time, focusing on device enrollments, reset requests, and privilege escalations.
  • Train help desk personnel to recognize social engineering techniques through simulation and red teaming.
  • Implement additional out-of-band verification methods for high-risk support actions.
  • Establish formal incident escalation paths for unusual or high-urgency requests.

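As an added example (not code from the original post or from any of the vendors named in it), the following Python detector implements the real-time audit point above: it flags the chain this article describes, a help desk password reset or new MFA method registration on a privileged account followed within a short window by a role grant or activation for that same account. The audit records are a constructed, simplified JSON shape (fields ts, activity, target, initiator), not Entra ID's exact schema, and the privileged-account watchlist is an assumed input.

```python
# Added illustration: detect a help desk reset/MFA change on a privileged
# account followed by a privilege grant. Records are a CONSTRUCTED simplified
# JSON shape (ts, activity, target, initiator), not Entra ID's exact schema.
import json
from datetime import datetime, timedelta

# Help desk actions that replace or weaken an account's authentication
RESET_ACTIVITIES = {"Reset user password", "Admin registered security info"}
# Actions that grant or activate elevated access
ESCALATION_ACTIVITIES = {"Add member to role", "Activate eligible role"}
PRIVILEGED = {"cfo@example.test", "itadmin@example.test"}  # assumed watchlist

# Constructed sample: CFO reset + new MFA method, then a role grant 30 minutes
# later; the IT admin's reset is followed by a role grant only the next day.
SAMPLE_LOG = """\
{"ts": "2025-06-27T09:02:11Z", "activity": "Reset user password", "target": "cfo@example.test", "initiator": "helpdesk1@example.test"}
{"ts": "2025-06-27T09:05:40Z", "activity": "Admin registered security info", "target": "cfo@example.test", "initiator": "helpdesk1@example.test"}
{"ts": "2025-06-27T09:32:11Z", "activity": "Add member to role", "target": "cfo@example.test", "initiator": "cfo@example.test"}
{"ts": "2025-06-27T10:15:00Z", "activity": "Reset user password", "target": "itadmin@example.test", "initiator": "helpdesk2@example.test"}
{"ts": "2025-06-28T08:00:00Z", "activity": "Add member to role", "target": "itadmin@example.test", "initiator": "helpdesk2@example.test"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_reset_to_escalation(events, privileged, window_minutes=60):
    """Return (account, reset_initiator, escalation, minutes) for each escalation
    that follows a reset-type event on a watched account within the window."""
    window = timedelta(minutes=window_minutes)
    alerts, pending = [], {}
    for e in events:
        tgt = e["target"]
        if e["activity"] in RESET_ACTIVITIES and tgt in privileged:
            pending.setdefault(tgt, e)  # keep the earliest reset as the anchor
        elif e["activity"] in ESCALATION_ACTIVITIES and tgt in pending:
            first = pending.pop(tgt)
            gap = e["ts"] - first["ts"]
            if gap <= window:
                alerts.append((tgt, first["initiator"], e["activity"],
                               int(gap.total_seconds() // 60)))
    return alerts
```

With the one-hour window only the CFO chain is reported; widening the window also surfaces the IT admin case, which shows why the threshold should be tuned to how quickly help desk actions normally precede role changes in a given environment.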

Scattered Spider’s assault on airlines shows how hybrid threats can seamlessly merge technical sophistication with psychological manipulation. These attacks are not just about breaching networks—they’re about breaching trust. As long as identity verification remains the weakest link, no amount of technical control will suffice. For the aviation industry and beyond, safeguarding identity workflows is no longer optional—it’s foundational.
