Saturday, June 28, 2025
Linux and Devops

Scattered Spider cyber gang turns fire on aviation sector

by Wire Tech

Scattered Spider cyber gang turns fire on aviation sector

Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.

Scattered Spider, the teenaged hacking collective behind recent cyber attacks on UK retailers Marks and Spencer (M&S) and Co-op, appears to be actively breaching targets in the airline sector, with multiple victims now observed, according to new intelligence shared by Google Cloud’s Mandiant threat analysts immediately prior to the weekend of 28-29 June.

Having made national headlines in the UK earlier with its audacious attacks on two of Britain’s most recognisable High Street brands – the effects of which continue to linger – Scattered Spider then turned its attention to retailers in the United States before beginning to target insurance providers as well.

Should Mandiant’s latest intelligence prove accurate, it would represent a clear escalation in Scattered Spider’s activity, and lends further weight to the theory that it has successfully compromised one or more third-party IT suppliers.

Trending
Instagram Experiments With New Stickers To Facilitate Holiday Season Engagement

“Mandiant is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider,” said Charles Carmakal, chief technology officer at Mandiant Consulting.

“We are still working on attribution and analysis but given the habit of this actor to focus on a single sector we suggest that the industry take steps immediately to harden systems.

“The actor's core tactics, techniques, and procedures have remained consistent. This means that organisations can take proactive steps like training their help desk staff to enforce robust identity verification processes and deploying phishing-resistant MFA to defend against these intrusions. Additional advice can be found in our previous hardening guide,” said Carmakal.

Although Mandiant’s team did not name any victims itself, on 26 June Hawaiian Airlines in the US has reported disruption to its systems following a security incident. Meanwhile Canadian operator WestJet is also embroiled in the aftermath of a cyber attack that began on Friday 13 June and has disrupted access to its mobile app and website.

In a statement, Hawaiian Airlines said: “Hawaiian Airlines is addressing a cyber security event that has affected some of our IT systems. Our highest priority is the safety and security of our guests and employees. We have taken steps to safeguard our operations, and our flights are operating safely and as scheduled.

“Upon learning of this incident, we engaged the appropriate authorities and experts to assist in our investigation and remediation efforts. We are currently working toward an orderly restoration and will provide updates as more information is available.”

In its most recent update, issued on 18 June, WestJet said it was making good progress on safeguarding its digital environments.

“As soon as a cyber security incident was identified, we took immediate action, including but not limited to, launching an investigation, engaging world class third-party cyber security experts and forensic specialists, and notifying our people and guests of our ongoing efforts,” a spokesperson said.

“We are working as quickly as possible to assess any potential data in scope. Our investigations are ongoing, and we will provide updates as appropriate in the future. We have engaged with law enforcement and are complying with our regulatory obligations in the meantime. The protection of our data is of utmost importance to us and we thank all of our guests for their continued patience at this time.”

Neither Hawaiian Airlines nor WestJet has yet reached any stage of their investigations where naming the threat actor responsible for the intrusion is possible, or indeed advisable. No link to Scattered Spider has been confirmed.

Computer Weekly has also learned of a third ongoing IT incident affecting American Airlines, where passengers are reporting their flights are being impacted by systemwide outages.

According to discussions on the airline’s subreddit, the incident has left pilots unable to file flight plans, and gate agents left to manually board departing planes, resulting in flight delays.

American Airlines has been contacted for comment.

We’re not going on a summer holiday

With air travel in Europe and North America hitting its peak during the summer, the aviation sector is – as was ever the case – experiencing intense pressure to maintain seamless services throughout, something that cyber criminals are known to exploit.

The sector is already a high-value target for cyber criminals because it holds vast amounts of highly-valuable personal data, such as credit card details, home addresses, and passport numbers.

“Increasingly, the primary goal of cyber attacks is not just to access systems but to use sensitive or personal data as leverage for extortion attempts, or sold on the dark web for further criminal activity, such as phishing and identity fraud,” said Darren Williams, CEO and founder of BlackFog, an anti-ransomware and data protection platform.

“With incidents like this one highlighting how threat actors are actively and deliberately targeting airlines, operators must remain vigilant, investing in robust defences that safeguard customer data, protect operations, and customer trust,” he said.

Timeline: Scattered Spider attacks in 2025

  • 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
  • 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
  • 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
  • 29 April: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
  • 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
  • 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
  • 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
  • 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
  • 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
  • 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same Scattered Spider gang that supposedly attacked M&S and Co-op in the UK.
  • 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
  • 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signaling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
  • 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
  • 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, the Scattered Spider cyber crime collective appears to be expanding its targeting to the insurance sector.
  • 20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from Scattered Spider attacks on M&S and Co-op.

Originally published at ECT News

You may also like

Fujitsu’s grip on HMRC loosening but bags of taxpayer cash still to...

Seven main suspects under police investigation in national Post Office probe

Sky ECC distributor released from French custody pending trial

Pure CTO drills down on key-value, no DFMs on FA//ST, and fast...

Latest Citrix vulnerability could be every bit as bad as Citrix Bleed

Wrongly convicted subpostmasters may have to wait another year for redress

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

Unlock the Power of Technology with Tech-Wire: The Ultimate Resource for Computing, Cybersecurity, and Mobile Technology Insights

  • Mumbai, India
  • Email: info@tech-wire.in

Recent Posts

Over 1,000 SOHO Devices Hacked in China-linked LapDogs Cyber Espionage...
AI And Inclusion: Bias In, Bias Out?
Business Case for Agentic AI SOC Analysts

Userful Links

Our Policies

POPULAR CATEGORIES

Copyright @2023 All Right Reserved 

Facebook Twitter Instagram Linkedin Rss
@2021 - All Right Reserved. Designed and Developed by PenciDesign