Scattered Spider Targets Aviation & Transport | Cybersecurity Alert
- The hacking group known as Scattered Spider is expanding its targets to include the aviation and insurance industries.
- On June 12,WestJet,Canada's second-largest airline,experienced a cyberattack that disrupted internal services and its mobile app.
- Scattered Spider reportedly gained access by exploiting a self-service password reset feature, allowing them to register their own multi-factor authentication (MFA) and remotely access the network through Citrix.
Scattered Spider, the notorious hacking group, is now setting its sights on the aviation and transportation industries. This cybersecurity alert details recent attacks on airlines like WestJet and Hawaiian Airlines, highlighting their tactics of social engineering and MFA exploitation. Understand how these cyberattacks work and the importance of robust security. Learn how they compromise systems via self-service password resets and MFA infrastructure. This poses a meaningful threat to all organizations. These sophisticated attacks demand immediate action, including tightening identity verification and securing critical management services. News Directory 3 is staying ahead of the curve, providing essential details. Discover what’s next in this evolving threat landscape.
Scattered spider hackers target Aviation, US Insurance Firms
The hacking group known as Scattered Spider is expanding its targets to include the aviation and insurance industries. recent incidents involve attacks on airlines such as WestJet and Hawaiian Airlines, as well as insurance companies including Aflac and Erie insurance.

On June 12,WestJet,Canada’s second-largest airline,experienced a cyberattack that disrupted internal services and its mobile app. Sources familiar with the matter told BleepingComputer that Palo Alto Networks and Microsoft assisted in responding to the incident. The attack is attributed to Scattered Spider, who allegedly compromised WestJet’s data centers and Microsoft cloud environment.
Scattered Spider reportedly gained access by exploiting a self-service password reset feature, allowing them to register their own multi-factor authentication (MFA) and remotely access the network through Citrix. While other threat actors use similar tactics, Scattered Spider is known for targeting help desks and password/MFA infrastructure.
Hawaiian Airlines also disclosed a cyberattack, though details remain limited. A source indicated to bleepingcomputer that the same threat actors are suspected. Sam Rubin, SVP of Consulting and threat Intelligence at Palo Alto Networks, confirmed on LinkedIn that Scattered Spider has begun targeting the aviation industry.
“Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests,” Rubin warned.
Charles Carmakal of Mandiant also noted the shift in focus to the aviation and transportation sectors. “We recommend that the industry immediately take steps to tighten up their help desk identity verification processes,” Carmakal posted on LinkedIn.
American Airlines is currently experiencing an IT outage, but it is unclear whether this is related to a security incident.
Who is Scattered Spider?
Scattered spider, also known as 0ktapus, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a classification of threat actors known for using social engineering, phishing, MFA bombing, and SIM swapping to gain initial network access to large organizations. These actors are frequently enough young, English-speaking individuals who coordinate attacks through hacker forums, Telegram channels, and Discord servers.
Some are believed to be part of “Com,” a group known for financial fraud, cryptocurrency theft, data breaches, and extortion. While often referred to as a cohesive gang, “Scattered Spider” denotes threat actors using specific tactics. These tactics are also used by different individuals from a loose network, making them tough to track.
Unlike many other English-speaking threat actors, Scattered Spider has partnered with Russian-speaking ransomware gangs such as BlackCat, RansomHub, and dragonforce.
Other attacks linked to Scattered Spider include those on MGM, Marks & Spencer, Co-op, Twilio, Coinbase, Doordash, Caesars, MailChimp, Riot Games, and Reddit.
Experts advise organizations to gain complete visibility across their infrastructure, identity systems, and critical management services. Securing self-service password reset platforms and help desks is crucial.
Both Google Threat Intelligence Group (GTIG) and Palo Alto Networks have released guides on hardening defenses against Scattered Spider tactics.
