FBI Warns Scattered Spider Hackers Are Targeting US Airlines in Cybersecurity Attacks


The FBI has raised the alarm: the notorious cybercriminal group known as Scattered Spider, also referred to as UNC3944, is now focusing its attacks on the U.S. aviation industry, according to agency warnings and cybersecurity analysts.

Formed in May 2022, this British-American hacking collective is infamous for its high-profile 2023 ransomware and extortion attacks on MGM Resorts and Caesars Entertainment. Renowned for its ruthless use of social engineering, the group frequently tricks IT help desks into registering unauthorized devices to bypass multi-factor authentication (MFA).

The FBI report highlights that the group is now targeting airlines and their associated IT ecosystems, particularly third-party IT vendors and contractors, to gain access, steal sensitive data, and deploy ransomware. Crucially, there’s no evidence to suggest these hacks have compromised flight safety or in-aircraft systems, but the potential for disruption to internal operations and passenger data is significant.

Cybersecurity firms Mandiant (a Google Cloud subsidiary) and Unit 42 (part of Palo Alto Networks) have independently confirmed multiple suspicious incidents within the aviation sector:

  • Mandiant CTO Charles Carmakal urged businesses to improve help-desk identity verification, especially around MFA device registration and password resets, warning that “these methods…could be used by threat actors to perform self‑service password resets”.
  • Unit 42’s Sam Rubin echoed this sentiment, advising organizations to stay vigilant for sophisticated social-engineering and suspicious MFA reset requests.

Several airlines have already reported cybersecurity “events” involving internal systems:

  • WestJet confirmed an incident affecting its internal and app systems, although investigations are ongoing.
  • Hawaiian Airlines acknowledged a similar breach, emphasizing that passenger travel remains unaffected.
  • Southwest Airlines stated it has not experienced any security breaches.

While there’s no official attribution to Scattered Spider at this time, the nature and timing of these incidents are consistent with the group’s playbook.

Experts recommend urgent action focused on help desk procedures:

  • Strengthen identity verification before approving MFA changes or password resets.
  • Audit vendor and contractor access, ensuring only trusted parties can make account modifications.
  • Monitor for abnormal MFA resets or device registrations.

These preventative measures could be critical in stopping social-engineering-based intrusions.
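As an added illustration of the monitoring recommendation (not code from the FBI, Mandiant, or Unit 42), the sketch below correlates identity events to flag an MFA device registered shortly after someone other than the user reset that account, from an IP address the user had not signed in from before the reset. The event schema, account names, and the 30-minute window are assumptions made for this example; the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a vendor log format).
SAMPLE_EVENTS = """
{"ts":"2025-01-06T08:00:00","user":"a.lee","action":"signin_success","actor":"a.lee","ip":"198.51.100.7"}
{"ts":"2025-01-07T14:02:11","user":"a.lee","action":"password_reset","actor":"helpdesk.vendor1","ip":"192.0.2.12"}
{"ts":"2025-01-07T14:05:00","user":"a.lee","action":"signin_success","actor":"a.lee","ip":"203.0.113.50"}
{"ts":"2025-01-07T14:06:30","user":"a.lee","action":"mfa_device_registered","actor":"a.lee","ip":"203.0.113.50"}
{"ts":"2025-01-07T09:00:00","user":"b.kim","action":"signin_success","actor":"b.kim","ip":"198.51.100.9"}
{"ts":"2025-01-07T09:10:00","user":"b.kim","action":"mfa_device_registered","actor":"b.kim","ip":"198.51.100.9"}
{"ts":"2025-01-06T11:00:00","user":"c.roy","action":"signin_success","actor":"c.roy","ip":"198.51.100.20"}
{"ts":"2025-01-07T10:00:00","user":"c.roy","action":"mfa_reset","actor":"helpdesk.t2","ip":"192.0.2.12"}
{"ts":"2025-01-07T10:10:00","user":"c.roy","action":"mfa_device_registered","actor":"c.roy","ip":"198.51.100.20"}
"""

RESET_ACTIONS = {"password_reset", "mfa_reset"}

def parse_events(text):
    """Parse JSON lines and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_registrations(events, window=timedelta(minutes=30)):
    """Flag MFA device registrations that follow a reset performed by another
    account within `window` and come from an IP the user had not signed in
    from before that reset."""
    signins, last_reset, alerts = {}, {}, []
    for e in events:
        user = e["user"]
        if e["action"] == "signin_success":
            signins.setdefault(user, []).append((e["ts"], e["ip"]))
        elif e["action"] in RESET_ACTIONS and e["actor"] != user:
            last_reset[user] = e
        elif e["action"] == "mfa_device_registered" and user in last_reset:
            reset = last_reset[user]
            # Baseline counts only sign-ins before the reset, so a post-reset
            # login from the new IP cannot vouch for itself.
            baseline = {ip for ts, ip in signins.get(user, []) if ts < reset["ts"]}
            if e["ts"] - reset["ts"] <= window and e["ip"] not in baseline:
                alerts.append({"user": user, "reset_by": reset["actor"],
                               "device_ip": e["ip"],
                               "seconds_after_reset": int((e["ts"] - reset["ts"]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_registrations(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Only the a.lee sequence is flagged; the self-initiated registration (b.kim) and the re-enrollment from a previously seen address (c.roy) are not.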

While travelers’ safety and in-flight systems remain untouched, the targeting of internal airline operations poses serious risks, ranging from data theft and ransom demands to potential disruptions in check-in, ticketing, and ground operations. The FBI’s warning, backed by Mandiant and Unit 42, underlines the urgent need for airlines and their IT partners to fortify internal defenses, especially around help-desk interactions.
