Scattered Spider Ransomware Group Turns Its Focus to North American Airlines

The Scattered Spider ransomware group is now targeting North American airlines, with Hawaiian Airlines likely the first victim in a wider campaign against aviation and transportation.

    Scattered Spider, the threat actor behind some of the most disruptive ransomware attacks in recent memory, is now targeting North America’s aviation sector. Security researchers from Google’s Mandiant have observed signs that this group—also tracked as UNC3944—is actively compromising airline and transportation networks. Hawaiian Airlines is suspected to be their first ransomware victim in this new wave of attacks.

    “Mandiant is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider,” said Charles Carmakal, CTO at Mandiant Consulting for Google Cloud.

    From Retail to Runways: Scattered Spider’s Expanding Target List

    Until recently, Scattered Spider’s focus was retail. High-profile attacks this year included UK-based retailers Marks & Spencer, Co-op, and Harrods. These incidents were reportedly executed in coordination with the DragonForce ransomware group. Prior to that, the group worked with ALPHV/BlackCat on the well-known ransomware incidents at MGM Resorts and Caesars Palace in Las Vegas.

    Now, with multiple aviation-related attacks under investigation, the shift in focus appears deliberate. Scattered Spider is known for its methodical sector-based targeting and persistence.

    Hawaiian Airlines Disruption Linked to Suspected Scattered Spider Activity

    On June 13th, Hawaiian Airlines disclosed it had suffered a cyberattack that affected several IT systems. Though the airline confirmed that flights and customer services continued without disruption, it has since been working with authorities to restore operations and investigate the breach.

    The incident fits a growing pattern. Canada’s WestJet also reported an IT incident around the same time, and security experts suspect both cases may be linked to the same threat group.

    “Given the habit of this actor to focus on a single sector, we suggest that the industry take steps immediately to harden systems,” said Carmakal.

    Source: Cybernews

    Known Tactics: Social Engineering, MFA Bypass, and IT Desk Impersonation

    Scattered Spider is widely known for using phishing-inspired social engineering to breach organizations. Their preferred method involves impersonating internal IT personnel, tricking employees into giving up credentials or enabling MFA resets.

    “Organizations must train their help desk staff to enforce strong identity verification and deploy phishing-resistant MFA,” Carmakal added.

    Mandiant reports that the group’s tactics, techniques, and procedures (TTPs) have remained consistent across multiple attacks—ranging from spear phishing to MFA fatigue and SIM swapping.
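
    As an added example (not from the article or from Mandiant's guidance), the code below shows how a defender might flag two of the patterns named above in identity-provider logs: a help desk MFA reset followed by enrollment from an IP the user has never signed in from, and a burst of denied push prompts that ends in an approval. The log format, event names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (assumed format: timestamp,user,event,source_ip)
SAMPLE_LOG = """\
2025-06-01T08:00:00,alice,login_success,10.0.0.5
2025-06-01T09:00:00,alice,mfa_reset_by_helpdesk,10.0.9.1
2025-06-01T09:12:00,alice,mfa_enroll,203.0.113.7
2025-06-01T10:00:00,bob,login_success,10.0.0.8
2025-06-01T11:00:00,bob,mfa_reset_by_helpdesk,10.0.9.1
2025-06-01T11:05:00,bob,mfa_enroll,10.0.0.8
2025-06-01T12:00:00,carol,push_denied,198.51.100.4
2025-06-01T12:01:00,carol,push_denied,198.51.100.4
2025-06-01T12:02:00,carol,push_denied,198.51.100.4
2025-06-01T12:03:00,carol,push_approved,198.51.100.4
2025-06-01T13:00:00,dave,push_denied,10.0.0.9
2025-06-01T13:30:00,dave,push_approved,10.0.0.9
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, user, event, ip = line.split(",")
        yield datetime.fromisoformat(ts), user, event, ip

def detect(log, reset_window=timedelta(hours=1),
           push_window=timedelta(minutes=10), push_threshold=3):
    known_ips = defaultdict(set)   # IPs with a prior successful login, per user
    last_reset = {}                # user -> time of last help desk MFA reset
    denials = defaultdict(list)    # user -> push_denied timestamps since last approval
    alerts = []
    for ts, user, event, ip in sorted(parse(log)):
        if event == "login_success":
            known_ips[user].add(ip)
        elif event == "mfa_reset_by_helpdesk":
            last_reset[user] = ts
        elif event == "mfa_enroll":
            reset = last_reset.get(user)
            if reset and ts - reset <= reset_window and ip not in known_ips[user]:
                alerts.append((user, "enroll_from_new_ip_after_helpdesk_reset"))
        elif event == "push_denied":
            denials[user].append(ts)
        elif event == "push_approved":
            recent = [d for d in denials[user] if ts - d <= push_window]
            if len(recent) >= push_threshold:
                alerts.append((user, "push_approved_after_denial_burst"))
            denials[user].clear()
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

    In the sample, bob's re-enrollment comes from an address he has already signed in from and dave's single denial falls outside the window, so neither is flagged.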

    Aviation Sector Now a Prime Target

    Airlines have become high-value targets due to their dual role in critical infrastructure and data collection.

    “Airlines sit at the intersection of critical infrastructure and personal data, making them a high-value target,” noted Nick Tausek, Lead Security Automation Architect at Swimlane.

    In 2024 alone:

    • Japan Airlines experienced a cyberattack that disrupted over 40 flights.
    • Rhysida ransomware group hit Seattle-Tacoma International Airport.
    • Air Canada was targeted by BianLian ransomware.
    • LockBit, ALPHV, and other groups attacked Boeing, Japan Aviation Electronics, Kenya Airways, and AerCap.

    These incidents reflect a concerning rise in ransomware targeting the aviation industry.

    Surge in Cyberattacks Indicates a Coordinated Campaign

    Although Scattered Spider has not publicly claimed the Hawaiian Airlines or WestJet attacks, the tactics and timing suggest a coordinated campaign against airlines.

    The FAA is reportedly monitoring the situation, though as of this writing, no formal attribution has been released.

    “This surge in airline cyberattacks is a troubling trend, not a random set of events,” Tausek warned.

    A Growing Need for Proactive Protection

    The threat posed by Scattered Spider underscores the need for airlines and large enterprises to proactively harden their systems—especially those tied to identity verification, help desk workflows, and self-service password resets.

    Systems lacking visibility or strong access controls remain vulnerable. Mandiant has issued a security hardening guide to help organizations defend against these tactics.

    Enterprise organizations handling large volumes of sensitive data, particularly in regulated industries like aviation, need resilient and secure backup infrastructure that can withstand cyberattacks, including ransomware.
