Scattered Spider appears to pivot toward aviation sector


Hackers who appear to be part of the Scattered Spider cybercrime gang have launched attacks on airlines and potentially other industries after moving on from the retail and insurance industries, according to multiple threat researchers. 

The researchers’ warnings, which did not identify specific victims, come at a time of heightened concern about the safety and resilience of commercial aviation. Scattered Spider has been on a tear since April, targeting American and British retailers, and then insurers earlier this month.

“Mandiant is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider,” Charles Carmakal, CTO at Mandiant Consulting-Google Cloud, said via email. 

Mandiant is still working on attribution and analysis, but Carmakal said the tactics, techniques and procedures are consistent with the group’s past attacks. 

Organizations can train help desk staff to use phishing-resistant multifactor authentication and robust identity-verification measures, Carmakal said. Scattered Spider has historically tricked help desk workers into resetting passwords or bypassing MFA safeguards. 

Researchers at Palo Alto Networks have also observed the same threat group, which the company tracks as Muddled Libra, targeting the aviation sector.

“Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests,” Sam Rubin, senior vice president of consulting and threat intelligence at the company, said via email.

Hawaiian Airlines hacked

The warnings follow an attack on Hawaiian Airlines, which the airline disclosed on Thursday. The attack disrupted some of its IT systems, but the airline has not attributed it to any group.

Hawaiian Airlines said it continues to operate safely, and that it has notified authorities and is working with third-party experts to investigate the intrusion and restore regular network operations.

Researchers at Halcyon confirmed on Friday that Scattered Spider had shifted towards the transportation sector, including aviation. The company warned that Scattered Spider is also targeting the food and manufacturing sectors. 

Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, told Cybersecurity Dive that organizations should audit any use of remote management tools for signs of abuse. 

Researchers previously warned that the aviation and airline industries were at risk of hacks due to aging infrastructure and major cuts at their federal agency partners. 

The Cybersecurity and Infrastructure Security Agency, which works with the Transportation Security Administration to help protect U.S. airlines, did not respond to a request for comment. Federal Aviation Administration officials were not immediately available.

 

