The cybercriminal group known as Scattered Spider has expanded its operations, now targeting the aviation and transportation industries after earlier waves of attacks on retail and insurance organizations across North America and the United Kingdom.
A Strategic Shift in Scattered Spider’s Victim Profile
Scattered Spider, also known by aliases such as UNC3944, Muddled Libra, and Octo Tempest, has historically executed coordinated campaigns across a range of industries. Early high-profile targets included retailers like Marks & Spencer and Co-op, followed by insurance firms such as Aflac, Erie Insurance, and Philadelphia Insurance Companies.
Now, recent incidents suggest a calculated pivot toward disrupting aviation and transport services.
WestJet and Hawaiian Airlines Targeted in Recent Attacks
On June 12, Canadian airline WestJet confirmed it suffered a cyberattack that temporarily affected internal systems and its mobile app. While operations were restored, internal sources later disclosed that Scattered Spider had breached both WestJet’s data centers and its Microsoft Cloud environment.
According to reports, the attackers initiated a self-service password reset, which allowed them to register their own multi-factor authentication (MFA) device and then gain access through Citrix, a known remote access vector.
Shortly afterward, Hawaiian Airlines disclosed it too had been hit by a cybersecurity incident. Though the airline did not name the attacker, industry sources suggest Scattered Spider may also be behind this breach.
“Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry,”
— Sam Rubin, SVP of Consulting and Threat Intelligence, Palo Alto Networks
Rubin warned companies to brace for sophisticated social engineering attacks and suspicious MFA reset requests.
Growing Industry Concern and Confirmed Warnings
Mandiant’s Charles Carmakal added that airline and transport firms are now confirmed targets of the group.
“Scattered Spider has added North American airline and transportation organizations to their target list,”
— Charles Carmakal, Mandiant, Google Cloud
Carmakal also recommended immediate hardening of identity verification processes, particularly at help desks—common points of entry for these attackers.
Meanwhile, American Airlines is currently experiencing an IT outage, though it’s not yet clear if it is related to a cybersecurity incident.
How Scattered Spider Operates
Scattered Spider is a loosely connected network of English-speaking cybercriminals adept at identity-based attacks. Common methods include:
- Phishing and social engineering
- MFA fatigue and bombing
- SIM swapping
- Help desk impersonation
Their attacks are often coordinated in real time, using Telegram, Discord, and private forums to communicate. Though Scattered Spider is not a single gang, individuals associated with it often collaborate with ransomware groups like BlackCat, RansomHub, and DragonForce, elevating their threats beyond simple credential theft.
Some of their previously confirmed victims include:
- MGM Resorts
- Twilio
- Coinbase
- Caesars
- MailChimp
Why These Attacks Are Hard to Stop
Unlike traditional ransomware groups that rely on payload delivery, Scattered Spider uses identity infrastructure as its entry point—bypassing many detection systems. The abuse of self-service portals, help desk verification, and cloud environments like Microsoft Azure makes them especially difficult to isolate.
In response, Google Threat Intelligence Group (GTIG) and Palo Alto Networks have both published best-practice guidance on strengthening defenses. Organizations are urged to secure their identity and access management systems, especially MFA enrollment, password reset mechanisms, and user verification processes.
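The reported WestJet sequence (self-service password reset, then a new MFA device, then a remote access login) can be monitored as an ordered chain per user. The sketch below is an added example, not code from the article or from the GTIG or Palo Alto Networks guidance; the event names, fields, sample records and one-hour window are all constructed assumptions, not a vendor log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; field and event names are assumptions, not a vendor schema.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "alice", "event": "sspr_completed"},
    {"ts": "2025-06-01T09:04:00", "user": "alice", "event": "mfa_method_registered"},
    {"ts": "2025-06-01T09:10:00", "user": "alice", "event": "remote_gateway_login"},
    # bob: new MFA method with no preceding reset, so not the chain
    {"ts": "2025-06-01T08:00:00", "user": "bob", "event": "mfa_method_registered"},
    {"ts": "2025-06-01T08:05:00", "user": "bob", "event": "remote_gateway_login"},
    # carol: reset, but enrollment happens a day later, outside the window
    {"ts": "2025-06-01T07:00:00", "user": "carol", "event": "sspr_completed"},
    {"ts": "2025-06-02T11:00:00", "user": "carol", "event": "mfa_method_registered"},
    {"ts": "2025-06-02T11:05:00", "user": "carol", "event": "remote_gateway_login"},
]

CHAIN = ("sspr_completed", "mfa_method_registered", "remote_gateway_login")

def find_reset_enroll_login(events, window=timedelta(hours=1)):
    """Return (user, reset_ts, login_ts) for users completing CHAIN in order within `window` of the reset."""
    alerts = []
    state = {}  # user -> (index of next expected CHAIN step, time of the reset)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(ev["ts"])
        step, start = state.get(ev["user"], (0, None))
        if step and ts - start > window:
            step, start = 0, None  # chain went stale, forget the old reset
        if ev["event"] == CHAIN[0]:
            step, start = 1, ts  # a fresh reset (re)starts the chain
        elif step and ev["event"] == CHAIN[step]:
            step += 1  # next expected step observed
        if step == len(CHAIN):
            alerts.append((ev["user"], start.isoformat(), ev["ts"]))
            step, start = 0, None
        state[ev["user"]] = (step, start)
    return alerts

if __name__ == "__main__":
    for user, reset_ts, login_ts in find_reset_enroll_login(SAMPLE_EVENTS):
        print(f"ALERT {user}: reset {reset_ts} -> new MFA method -> remote login {login_ts}")
```

In a real deployment the three event types would be mapped from the identity provider's audit log and the remote access gateway's sign-in log, and the window tuned to how quickly legitimate users re-enroll after a reset.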