Inside Scattered Spider’s Web — and How to Escape It

Imagine you're at the gate, boarding pass in hand — and the app crashes. Behind the scenes, a group of teenage cybercriminals just exploited your airline’s help desk and rerouted sensitive systems.

This isn’t fiction. It’s happening right now.

A new wave of cyberattacks is sweeping through the airline industry — and at the center of it all is a threat actor that specializes in tricking humans, not just machines.

In the past month, Qantas, Hawaiian Airlines, and WestJet have all disclosed cyber incidents. Qantas reported that up to six million customers were affected — though no passport or payment data was compromised. Hawaiian Airlines revealed a disruption aligned with ransomware tactics, while WestJet disclosed an attack in early June that impacted mobile and online services.

In all cases, flight operations remained unaffected — but the message is clear: airlines are being targeted.

On June 28, the FBI issued a warning that the cybercriminal group known as Scattered Spider is actively targeting the airline industry. This group, composed primarily of English-speaking young adults from the U.S. and U.K., is known for its sophisticated social engineering tactics and collaboration with ransomware-as-a-service syndicates.

Who Is Scattered Spider?

Scattered Spider, also referred to as UNC3944, Starfraud or Muddled Libra, is a decentralized collective of cybercriminals that has gained notoriety for high-profile attacks across various sectors. 

These advanced persistent teens operate less like a centralized gang and more like a movement: agile, collaborative, and hard to pin down. Their tactics include:

  • Social Engineering: Impersonating employees or contractors to deceive IT help desks into granting unauthorized access.

  • MFA Bypass: Using MFA bombing and SIM-swapping to break through defenses that most assume are safe.

  • Advanced Phishing: Using attacker-in-the-middle (AITM) kits like Evilginx to hijack active login sessions by stealing authentication tokens.

  • Targeting Third-Party Providers: Exploiting vulnerabilities in third-party IT providers and call centers to infiltrate larger organizations.

Their recent activities have included attacks on major retailers like Marks & Spencer and Co-op in the U.K., resulting in significant financial losses, with some estimates putting their damage at more than $600 million.  

Why Airlines? Why Now?

The airline industry presents an attractive target for cybercriminals due to its complex digital infrastructure, reliance on third-party vendors, and the high value of customer data. Scattered Spider's shift toward this sector coincides with the peak summer travel season, increasing the potential impact of their operations.

In the case of Qantas Airways, the breach involved vishing (voice phishing), a tactic where cybercriminals impersonate employees to extract sensitive data. While no financial or passport information was accessed, compromised data included names, birthdates, emails, phone numbers, and frequent flyer numbers.

Mitigation Strategies

Defending against groups like Scattered Spider requires a multifaceted approach:

  1. Strengthen Help Desk Protocols: Implement rigorous identity verification processes for access requests. Train help desk personnel to recognize and escalate suspicious activities.

  2. Enhance MFA Security: Adopt stronger MFA methods, such as hardware tokens or biometric authentication, and monitor for unusual MFA requests.

  3. Monitor Third-Party Access: Regularly review how outside vendors access your systems, make sure they follow strong security practices, and give them only the minimum access they need to do their job.

  4. Promote a Security-First Culture: Encourage employees to report suspicious activities and support them in following security protocols, even under pressure.
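
One way to act on the "monitor for unusual MFA requests" advice in item 2, as an added example that is not part of the original post: a sliding-window check that flags bursts of denied or timed-out push prompts per user and raises the severity when an approval follows the burst. The event format, field names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (ISO timestamp, user, push result).
SAMPLE_EVENTS = (
    [(f"2025-07-01T02:1{i}:00", "alice", "denied") for i in range(6)]
    + [("2025-07-01T02:16:30", "alice", "approved")]        # approval after a burst
    + [("2025-07-01T09:00:00", "bob", "denied"),            # ordinary mistap
       ("2025-07-01T09:00:40", "bob", "approved")]
    + [(f"2025-07-01T03:0{i}:00", "carol", "timeout") for i in range(5)]
    + [(f"2025-07-01T1{i}:00:00", "dave", "timeout") for i in range(5)]  # spread out
)

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of failed prompts that is abnormal


def detect_mfa_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Flag users with >= threshold denied/timed-out pushes inside the window.

    Severity is "high" when an approval lands while the burst is still in the
    window (the prompt-fatigue outcome), otherwise "medium".
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failed prompts
    alerts = {}
    for ts_str, user, result in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        while q and ts - q[0] > window:          # drop prompts older than window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"user": user, "severity": "medium",
                                             "first_prompt": q[0].isoformat(),
                                             "prompts": 0})
                a["prompts"] = max(a["prompts"], len(q))
        elif result == "approved":
            if len(q) >= threshold:
                alerts[user]["severity"] = "high"
            q.clear()                            # a new burst starts from zero
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mfa_bombing(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert is the case to route to the help desk for out-of-band confirmation with the user before the session is trusted.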

Final Thoughts

Scattered Spider isn’t just breaking into systems — they’re breaking through people. They exploit stress, speed, and shallow training. That’s why security tools without a security mindset are just empty armor.

When Scattered Spider hits, it’s not just a security problem — it’s an operational crisis. Systems go dark. Customers lose trust. Front-line staff scramble without the tools they rely on. Even if planes keep flying, the cost of cleanup, forensics, and recovery is measured in weeks — and millions.

Scattered Spider has shattered the illusion that MFA alone is “phishing resistant.” While MFA stops brute-force attacks cold, it won’t stop a motivated attacker who targets your people and processes.

Don’t just patch systems or invest in another tool — transform your culture. Start with our new Security Culture Report: a practical roadmap to help motivate your people to become confident, capable defenders of your organization.
