A summer of cyberattacks should have been a wake-up call. For many in the aviation and air cargo sectors, the alarm is still ringing.
In the early summer of 2025, multiple airlines — including WestJet, Hawaiian Airlines, and Qantas — reported cybersecurity incidents that disrupted services and raised concerns across the sector. While formal attribution remains tentative, the tactics mirrored those used by Scattered Spider, a threat actor known for sophisticated social engineering and ransomware deployment.
“The hallmarks were there,” said Lawrence Baker, Technical Security Consultant and Aerospace Lead at NCC Group.
“It’s help desks, again and again. This group knows how to sound legitimate, create urgency, and trick their way past frontline defences.”
The timing wasn’t accidental. With aviation in its summer peak, attackers struck when systems and staff were stretched — and when disruptions would hurt the most.
“It was a prime time to tap these organisations,” Baker noted. “That urgency creates leverage, especially in ransomware cases.”
Scattered Spider is not new. Active since at least 2022 and also known under aliases such as Octo Tempest and UNC3944, the group typically floods a sector with attacks before shifting to another. Retail was first, followed by insurance. By mid-2025, aviation became the next target.
According to NCC Group’s July report, aviation’s appeal lies in its high-value data, operational complexity, and dependence on third-party providers. From passenger records to crew scheduling, the volume of sensitive information makes the sector ripe for extortion.
“The evolution of threats reflects the evolution of aviation itself,” said Baker. “Where once it was hijacking or smuggling, now it’s identity compromise and MFA fatigue.”
Indeed, the industry’s rapid digitalisation — fuelled by post-COVID recovery and e-commerce surges — has widened the attack surface. Help desk impersonation, weak multi-factor authentication protocols, and remote access vulnerabilities have become common entry points.
“What they may do is look at LinkedIn or other online sources to identify high-profile targets within airlines, such as chief financial officers, for example, and then impersonate that person. They may contact a third-party IT service provider’s help desk and ask for the account to be reset, pretending to be that person.”
Even basic controls are often bypassed through psychological pressure. “Through that kind of sense of urgency and pressure, they can just convince the help desk staff to then just reset the account anyway.”
Inside the attack chain
Scattered Spider’s method is not brute force — it relies on behavioural exploitation. The group depends on research, patience, and subtle manipulation.
They start by profiling targets through LinkedIn or open sources. From there, phishing emails, fake login pages, and domain impersonation are deployed. Once inside, attackers use tools like AnyDesk or LogMeIn to move laterally, access sensitive data, and escalate privileges.
“They exploit repeated multi-factor authentication prompts, causing MFA fatigue.”
The result is swift. “The group has breached organisations, established persistent access, exfiltrated data, and detonated ransomware within a matter of hours.”
Qantas, for instance, confirmed unauthorised access to its call centre platform, exposing personal data of over six million passengers. Hawaiian Airlines reported a non-critical IT incident. WestJet’s mobile app was briefly disabled. While few operational disruptions were publicised, the real damage — data exposure, trust erosion, regulatory risk — will take longer to surface.
Third-party vendors were also likely vectors. The heavy outsourcing of IT and ground systems in air logistics makes supply chain compromise a real concern.
Despite years of cybersecurity briefings, most aviation firms remain underprepared for attacks like this.
“Acting quickly is key,” Baker said. “Having those provisions in place in advance is absolutely fundamental.”
The weakest point is often the help desk, where identity verification is rushed or poorly enforced. Many organisations lack phishing-resistant MFA, fail to audit dormant accounts, and have no contractual arrangements with external incident response teams.
Proactive monitoring is also lacking. Few teams are equipped to detect subtle indicators — such as remote access tools quietly activating, MFA reassignments, or password resets from unrecognised geographies.
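The three indicators listed above (remote access tools quietly activating, MFA reassignments, and password resets followed by sign-ins from unrecognised geographies) can be correlated from identity and endpoint logs rather than reviewed by hand. The following is an added example written for this article, not code from Air Cargo Week or NCC Group: a small Python detector run over constructed sample events. The event fields, the per-user country baselines, the remote access process names and the time windows are all assumptions chosen for illustration.

```python
"""Added example: correlate help-desk password resets, MFA enrolments,
sign-in geography and remote access tool launches into alerts.
All log fields, names and thresholds are assumptions, not a real schema."""
from datetime import datetime, timedelta

# Process names for the remote access tools the article names (assumed, lower-cased).
REMOTE_ACCESS_PROCESSES = {"anydesk.exe", "logmein.exe", "lmiguardiansvc.exe"}

# How soon after a help-desk reset an MFA change or foreign sign-in looks suspicious (assumed).
RESET_TO_MFA_WINDOW = timedelta(hours=1)
RESET_TO_SIGNIN_WINDOW = timedelta(hours=24)

# Constructed sample events (not real logs). One account shows the full pattern:
# help-desk reset -> new MFA method -> sign-in from a country outside its baseline.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T08:02:00", "type": "password_reset", "user": "cfo", "actor": "helpdesk"},
    {"ts": "2025-07-01T08:10:00", "type": "mfa_method_added", "user": "cfo", "method": "authenticator"},
    {"ts": "2025-07-01T08:15:00", "type": "signin", "user": "cfo", "country": "NG"},
    {"ts": "2025-07-01T09:00:00", "type": "process_start", "host": "crew-sched-01", "process": "AnyDesk.exe"},
    {"ts": "2025-07-01T12:00:00", "type": "signin", "user": "pilot42", "country": "GB"},
    {"ts": "2025-07-02T07:00:00", "type": "mfa_method_added", "user": "pilot42", "method": "authenticator"},
]

# Constructed per-user baseline of countries each account normally signs in from.
BASELINE_COUNTRIES = {"cfo": {"GB"}, "pilot42": {"GB", "IE"}}


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect(events, baselines):
    """Return a list of alert dicts, in timestamp order, for the three indicators."""
    alerts = []
    last_reset = {}  # user -> time of the most recent help-desk initiated password reset
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts, kind, user = parse_ts(e["ts"]), e["type"], e.get("user")
        reset_at = last_reset.get(user)

        if kind == "password_reset" and e.get("actor") == "helpdesk":
            # Not an alert on its own; it arms the two follow-on rules for this user.
            last_reset[user] = ts

        elif kind == "mfa_method_added":
            # A new MFA method shortly after a help-desk reset is the "MFA reassignment" indicator.
            if reset_at and ts - reset_at <= RESET_TO_MFA_WINDOW:
                alerts.append({"rule": "mfa_reassignment_after_reset", "subject": user,
                               "ts": e["ts"], "severity": "high"})

        elif kind == "signin":
            # Unknown accounts have an empty baseline, so any country is treated as unrecognised.
            if e["country"] not in baselines.get(user, set()):
                recent_reset = reset_at is not None and ts - reset_at <= RESET_TO_SIGNIN_WINDOW
                alerts.append({"rule": "signin_unrecognised_geography", "subject": user,
                               "ts": e["ts"], "severity": "high" if recent_reset else "medium"})

        elif kind == "process_start":
            # Remote access tooling appearing on a host is worth a look regardless of account.
            if e["process"].lower() in REMOTE_ACCESS_PROCESSES:
                alerts.append({"rule": "remote_access_tool_started", "subject": e["host"],
                               "ts": e["ts"], "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(alert["ts"], alert["severity"].upper(), alert["rule"], alert["subject"])
```

The reset itself is deliberately not an alert: help desks reset passwords all day, and the signal is what follows within the window. On the constructed input the detector produces three alerts, all for the sequence on the first account and the remote access tool on the scheduling host, and nothing for the second account, whose MFA enrolment had no preceding reset and whose sign-in matched its baseline.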
NCC Group’s recommendations include identity verification via live video with ID, just-in-time access controls for admin accounts, and rigorous audit trails for vendor systems. Still, Baker says, the deeper fix is strategic.
“You’re not going to fix this overnight,” Baker said. “It’s about putting in place a plan you can execute over time.”
For the air cargo industry, the message is clear: cybersecurity is no longer an IT problem. It’s an operational risk — as real and immediate as weather, fuel, or customs.
The post Scattered Spider Exposes Sector’s Soft Underbelly appeared first on Air Cargo Week.
Author: Anastasiya Simsek