Nearly a year after airlines grounded flights due to the CrowdStrike global IT outage, airlines are facing cybersecurity threats from a cybercriminal organization called Scattered Spider, according to the United States Federal Bureau of Investigation (FBI).
The agency posted a warning on Facebook Friday that it “recently observed” the group targeting the airline sector.
“These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access,” the FBI said. “These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts.”
Scattered Spider is a group of hackers made up of young adults and teenagers who are primarily English-speaking, according to TechCrunch. The group is known for deception strategies based on phishing and social engineering that sometimes involve violent threats directed at call centers and help desks.
Airlines aren’t the only players that should be concerned: The FBI said the group targets large corporations in addition to third-party IT providers, indicating that any party in the airline ecosystem could be at risk, including vendors and contractors.
Once Scattered Spider actors gain internal access, the group steals sensitive data and uses ransomware to extort its victims.
The FBI said it is “actively working” with the air industry to address the situation and help victims.
“Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise,” the agency said, advising organizations to contact their local FBI office in the event they've been targeted.
The FBI did not share which airlines have been targeted thus far, but multiple airlines have reported cybersecurity issues this month.
WestJet said it was dealing with a cybersecurity incident that occurred in mid-June, and Hawaiian Airlines reported a cybersecurity event last week.
Axios cited a source familiar with the situation who said Scattered Spider was likely the entity behind the WestJet situation. WestJet did not provide comment to Axios regarding the involvement of Scattered Spider.
Scattered Spider has targeted members of the travel industry in the past. In 2023, MGM Resorts International was attacked by the group around the same time other cybersecurity attacks were reported by casino operator Caesars Entertainment, according to reports from Reuters.
Some industry leaders have taken to LinkedIn to comment on the incident.
Paul Walsh, founder and CEO of MetaCert, a company that focuses on decentralized security, called the airline hacks referenced by the FBI "classic phishing attacks." According to Walsh, the entry point for hackers is social rather than an advanced technical scheme, resulting in employees, partners and vendors being blamed, instead of the security companies contracted to protect them.
"Too often the burden is placed entirely on victims and employees to harden their defenses against phishing, even though these attacks specifically bypass the very security solutions airlines pay for," Walsh said in a follow-up email to PhocusWire. "Phishing accounts for around 90% of all cyberattacks and has done so for many years. The fact that it remains so effective is not because people and companies are careless or that they need 'more' security, but because the security industry has failed to innovate in ways that actually work."
When asked whether its airline customers are seeing more cyberattacks—and what preventive measures it is taking as a third-party vendor—travel software provider Sabre said it maintains a "proactive" cyber threat management program that monitors emerging threats.
"Our security program has strong controls as recommended by Google Cloud Mandiant and CISA to help prevent and detect cyber-attacks," Sabre said in an email to PhocusWire. "While our existing security controls are designed to prevent this emerging threat, our teams are aware of the heightened environment and taking extra precautions. Sabre will continue to collaborate with our partners and customers on these matters."
PhocusWire has reached out to various parties in the air industry. SITA and Amadeus declined to comment.
These threats come as new risks for other sectors such as hospitality have come to light. Some cybercriminal capabilities are likely on the rise, with sophisticated scams putting the travel industry at higher risk.