Full Report
The Federal Bureau of Investigation (FBI) said that it has recently observed the cybercriminal group Scattered Spider expanding... The post FBI raises alarm over Scattered Spider targeting airline sector with social engineering schemes appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
The threat actor is identified as the cybercriminal group Scattered Spider.
Known aliases include UNC3944 (the name used by Mandiant) and Muddled Libra (the name used by Unit 42).
This loosely connected collective has been active since at least 2021; some profiles date its activity from 2022.
## Activity Summary
Scattered Spider has recently expanded its targeting to the airline sector. The group targets large corporations and their third-party IT providers, and is known for concentrating on a single sector for a few weeks before moving on. Recent confirmed victims in the aviation industry include Hawaiian Airlines and Canada's WestJet, both of which are still assessing the fallout of attacks dating back to mid-June 2025. Sectors targeted historically include healthcare and commercial facilities.
## Tactics, Techniques & Procedures
- **Social Engineering:** The group relies heavily on sophisticated social engineering, often impersonating employees or contractors. Methods include voice phishing and AI-generated voice spoofing used to deceive IT help desks.
- **MFA Bypass:** The group convinces help desk staff to add unauthorized MFA devices to compromised accounts or to bypass existing MFA controls, often after obtaining a password reset or employee details (such as ID numbers).
- **Initial Compromise:** Initial network access is obtained by deceiving IT help desks.
- **Post-Exploitation:** Rapid privilege escalation, disabling of recovery systems, exfiltration of sensitive data, and deployment of ransomware. These actions can unfold quickly, sometimes within hours of the initial breach.
- **Tooling:** Use of legitimate tools, malware, and ransomware variants.
- **Ransomware Deployment:** Known to deploy BlackCat/ALPHV ransomware, in addition to general ransomware deployment for extortion.
## Targeting
- **Sectors:** Airline/Aviation (recent focus), Healthcare, Commercial Facilities, and associated third-party IT providers/vendors.
- **Geography:** Targeting large corporations generally, with specific victims mentioned in the US (Hawaiian Airlines) and Canada (WestJet).
- **Victims:** Hawaiian Airlines, WestJet.
## Tools & Infrastructure
- **Malware families used:** BlackCat/ALPHV ransomware variants utilized post-compromise.
- **Infrastructure (C2, domains, IPs):** No specific IP addresses or C2 domains were provided in the article.
## Implications
Scattered Spider presents a significant human-centric risk because its highly realistic social engineering remains effective even against trained staff. Its operational speed (breaching, establishing persistence, exfiltrating data, and deploying ransomware in rapid succession) poses an immediate threat to business continuity and data integrity across the targeted sectors. Its focus on IT help desks highlights weak points in identity and access management workflows.
## Mitigations
- **Harden Help Desk Verification:** Immediately tighten identity verification processes for help desk staff, especially prior to adding new phone numbers to accounts, resetting passwords, or adding MFA devices.
- **MFA Security:** Review procedures for adding or modifying MFA devices, since this is a key weakness the group exploits.
- **Employee Training:** Conduct thorough training for employees and support staff on recognizing and resisting sophisticated social engineering and deception tactics.
- **Review External Guidance:** Organizations should review hardening guidance published by security vendors (like Mandiant) specific to defending against Scattered Spider TTPs.
- **Incident Response:** Organizations suspecting targeting should promptly contact law enforcement (FBI).
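The help-desk-driven MFA abuse described above leaves a recognizable trace in identity audit logs: a help-desk-initiated password reset followed shortly by a new MFA method being registered on the same account. The following is an added detection example, not code from the article or from any vendor; the event schema (`ts`, `user`, `action`, `actor`, `channel`, `method`), the sample events and the 24-hour correlation window are all constructed assumptions, so map the field names onto your own identity provider's audit export before use.

```python
from datetime import datetime, timedelta

# Constructed sample identity audit events (assumed generic schema, not real log data).
# "channel": "helpdesk" marks a reset performed by support staff on the user's behalf.
EVENTS = [
    {"ts": "2025-06-14T09:02:11Z", "user": "alice", "action": "password_reset",
     "actor": "helpdesk-bob", "channel": "helpdesk"},
    {"ts": "2025-06-14T09:41:30Z", "user": "alice", "action": "mfa_method_added",
     "actor": "alice", "method": "phone"},
    # Routine enrollment with no preceding help-desk reset: should not alert.
    {"ts": "2025-06-10T13:00:00Z", "user": "carol", "action": "mfa_method_added",
     "actor": "carol", "method": "authenticator"},
    # Reset and MFA enrollment for the same user, but ~49 hours apart: outside the window.
    {"ts": "2025-06-14T10:05:00Z", "user": "dave", "action": "password_reset",
     "actor": "helpdesk-bob", "channel": "helpdesk"},
    {"ts": "2025-06-16T11:00:00Z", "user": "dave", "action": "mfa_method_added",
     "actor": "dave", "method": "phone"},
]

# Correlation window: how long after a help-desk reset a new MFA method is suspicious (assumed).
WINDOW = timedelta(hours=24)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_reset_then_mfa(events, window=WINDOW):
    """Return one alert per (help-desk password reset, MFA method added) pair on the same
    account where the MFA registration happens within `window` after the reset."""
    by_user = {}
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, user_events in by_user.items():
        resets = [e for e in user_events
                  if e["action"] == "password_reset" and e.get("channel") == "helpdesk"]
        mfa_adds = [e for e in user_events if e["action"] == "mfa_method_added"]
        for reset in resets:
            for added in mfa_adds:
                delta = parse_ts(added["ts"]) - parse_ts(reset["ts"])
                # Only MFA registrations that follow the reset, and follow it soon enough.
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "user": user,
                        "reset_actor": reset["actor"],
                        "reset_ts": reset["ts"],
                        "mfa_ts": added["ts"],
                        "method": added["method"],
                        "minutes_between": int(delta.total_seconds() // 60),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_mfa(EVENTS):
        print(f"ALERT: {alert['user']}: help-desk reset by {alert['reset_actor']} at "
              f"{alert['reset_ts']}, then MFA method '{alert['method']}' added "
              f"{alert['minutes_between']} minutes later")
```

Run on the constructed events, only the `alice` sequence fires (reset, then a phone method added 39 minutes later). The check is deliberately a correlation rather than a single-event rule: password resets and MFA enrollments are each routine on their own, and it is the pairing on one account in a short window, with the reset coming from the help desk, that matches the pattern the FBI describes. Alerts of this kind are a natural trigger for the help-desk call-back or re-verification step recommended above.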