UNC3944 (Scattered Spider) Targets Airlines & Retail in Social-Engineering-Driven Ransomware Campaign

UNC3944, better known as Scattered Spider, is a financially motivated cybercriminal group that has been linked to a recent wave of intrusions across the airline, retail, transportation, and cloud/technology sectors. The campaign relied on social engineering, help-desk impersonation, SIM swapping, MFA fatigue, and adversary-in-the-middle (AiTM) phishing kits to gain access, steal data, and evade detection, followed by ransomware (including the DragonForce family) deployed against VMware ESXi hosts. In this article, we examine who was responsible, how the attacks unfolded, when they occurred, and what security leaders can do to avoid similar risks. We’ll also explore where Obsidian Security’s capabilities align with prevention and response.
Sophie Zhu
July 29, 2025

Who is UNC3944 (Scattered Spider)?

UNC3944, known as Scattered Spider, is a cybercriminal group that uses advanced social engineering techniques such as SIM swaps, MFA fatigue, and help desk impersonation to breach airlines, retailers, transportation, and technology companies. They often pivot from credential theft to ransomware deployment on VMware ESXi environments after gaining initial access.

What Happened?

The Scattered Spider cybercriminal group has breached major airlines, namely Hawaiian Airlines, Canada’s WestJet, and most recently Qantas. This follows focused attacks on the UK retailers Marks & Spencer, Co-op, and Harrods. In these attacks, the group compromised help-desk processes to obtain credentials and then deployed ransomware.

How Did The Attack Work?

Scattered Spider intrusions typically begin with targeted social engineering: the actors impersonate employees or IT help-desk staff over phone calls, SMS, or messaging apps and talk victims into granting access, often using MFA fatigue (repeated push prompts until one is approved) and SIM swapping to intercept one-time codes. Once initial access is obtained, usually by convincing the help desk to reset a password or re-enroll an MFA device, the attackers rapidly escalate privileges and move laterally across the environment. Follow-on actions include credential harvesting, exfiltration of sensitive data, and ransomware deployment for double extortion, frequently aimed at high-value accounts such as system administrators or at managed service providers as a route into many organizations at once. Throughout, the group is highly adaptive, relying on "living-off-the-land" techniques (abusing built-in administrative tools to evade detection) and exploiting the trust relationships inside support teams and business processes.

Why It Matters

Cyberattacks like these not only result in the theft of PII but also bring down critical operations. In the case of Marks & Spencer, online shopping was unavailable for over a month, with reported losses of $80 million in profit and $1.3 billion in stock market value. Taking a step back, attacks like these show that SaaS vendors cannot prevent data loss on their own. The applications are hosted by the vendor rather than on-premises or in a private cloud, and once an attacker has socially engineered a valid session, the application sees an authenticated user and cannot by itself tell that the identity behind it has been hijacked. Attackers need only trick one human, or compromise one non-human identity lacking strong authentication, to bring a business to a halt with devastating consequences.

How to Defend Against UNC3944 (Scattered Spider)-Style Attacks

To defend against threats similar to those used by UNC3944 (Scattered Spider), security leaders should adopt the following practices:

  • Help Desk & Identity Verification Policies
    Implement formal policies and procedures for password resets and MFA changes, including mandatory secondary identity verification to prevent help desk abuse.
  • Security Awareness Training
    Train employees to recognize and respond to help desk social engineering, phishing, vishing, and MFA fatigue attempts.
  • MFA Hardening
    Restrict the use of SMS, phone, and email-based MFA. Enforce phishing-resistant MFA such as FIDO2, certificate-based, or passwordless authentication.
  • Endpoint & Zero Trust Controls
    Ensure all employee workstations and company servers are protected by modern EDR and zero-trust access controls to block lateral movement.
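Several of the controls above only help if someone notices when they fail. The following is an added example, not Obsidian's code or anything recovered from the group's tooling, that turns the attack sequence described earlier (help-desk reset, new MFA enrollment, then a privileged action) into two detections over identity-provider audit events. The pipe-delimited log format, the normalized action names such as `helpdesk.mfa_reset` and `mfa.method_registered`, the two-hour window, and every account, ticket number and phone number are constructed for this example and would need to be mapped onto your own IdP's audit schema.

```python
"""Detections for a help-desk-abuse identity attack chain (constructed example).

Assumed log line format (an assumption for this example, not a real IdP format):
    <ISO-8601 timestamp>|<actor>|<target account>|<normalized action>|<detail>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed normalized action vocabulary for this example.
RESET_ACTIONS = {"helpdesk.password_reset", "helpdesk.mfa_reset"}
MFA_REGISTER = "mfa.method_registered"
PRIVILEGED_ACTIONS = {"role.assigned", "oauth.consent_granted", "vm.snapshot_deleted"}
WINDOW = timedelta(hours=2)  # how quickly the chain must complete to be flagged

# Constructed sample events. Alice: full chain (reset -> MFA enroll -> admin role).
# Bob: reset + MFA enroll on the SAME phone number as Alice, no privileged action.
# Carol: benign MFA enrollment with no preceding help-desk reset.
SAMPLE_LOG = """\
2025-07-01T09:02:00|helpdesk.tier1|alice@corp.example|helpdesk.mfa_reset|ticket=HD-1042
2025-07-01T09:05:30|alice@corp.example|alice@corp.example|mfa.method_registered|+15550100
2025-07-01T09:41:10|alice@corp.example|alice@corp.example|role.assigned|Global Administrator
2025-07-01T10:15:00|helpdesk.tier1|bob@corp.example|helpdesk.password_reset|ticket=HD-1043
2025-07-01T10:20:00|bob@corp.example|bob@corp.example|mfa.method_registered|+15550100
2025-07-02T08:00:00|carol@corp.example|carol@corp.example|mfa.method_registered|+15550199
2025-07-02T16:30:00|carol@corp.example|carol@corp.example|role.assigned|Helpdesk Administrator
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str    # who performed the action (help-desk operator or the user)
    target: str   # account the action applied to
    action: str   # normalized action name
    detail: str   # MFA device/phone number, role name, ticket reference, ...


def parse(line: str) -> Event:
    """Parse one pipe-delimited line into an Event."""
    ts, actor, target, action, *rest = line.split("|")
    return Event(datetime.fromisoformat(ts), actor, target, action, rest[0] if rest else "")


def load_events(text: str) -> list[Event]:
    return [parse(l) for l in text.splitlines() if l.strip()]


def detect_reset_chain(events, window=WINDOW):
    """Flag accounts where a help-desk reset is followed, within `window`, by a new
    MFA method registration and then a privileged action on or for that account.
    Returns a list of (target, [reset_event, mfa_event, privileged_event])."""
    by_target = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_target[e.target].append(e)
    hits = []
    for target, evs in by_target.items():
        for i, reset in enumerate(evs):
            if reset.action not in RESET_ACTIONS:
                continue
            later = [x for x in evs[i + 1:] if x.ts - reset.ts <= window]
            mfa = next((x for x in later if x.action == MFA_REGISTER), None)
            if mfa is None:
                continue
            priv = next((x for x in later
                         if x.action in PRIVILEGED_ACTIONS and x.ts >= mfa.ts), None)
            if priv is not None:
                hits.append((target, [reset, mfa, priv]))
    return hits


def detect_shared_mfa_device(events, min_accounts=2):
    """Flag an MFA device/phone number enrolled on more than one account: a sign that
    one attacker-controlled device is being registered across victims."""
    owners = defaultdict(set)
    for e in events:
        if e.action == MFA_REGISTER and e.detail:
            owners[e.detail].add(e.target)
    return {dev: sorted(accts) for dev, accts in owners.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for target, chain in detect_reset_chain(evs):
        print(f"[reset chain] {target}: " + " -> ".join(f"{c.action}({c.detail})" for c in chain))
    for dev, accts in detect_shared_mfa_device(evs).items():
        print(f"[shared MFA device] {dev} enrolled on {', '.join(accts)}")
```

The chain rule deliberately requires all three steps so that a routine help-desk reset followed by the user re-enrolling MFA does not page anyone; the shared-device rule is independent of timing, which is why Bob is caught by the second rule but not the first. In a real deployment the privileged-action set should be extended with whatever your environment treats as crown jewels (for instance hypervisor console access, given the ESXi ransomware pattern above).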

Where Obsidian Security Can Help

Obsidian’s Browser Extension automatically blocks phishing and spear-phishing attacks in the browser. ITDR alerts on Scattered Spider TTPs such as MFA changes, shared MFA devices, anomalous infrastructure changes, suspicious RDP activity, and malicious OAuth consent grants. Device validation confirms the authenticity of users before authentication completes.

Conclusion

UNC3944 (Scattered Spider)’s recent campaign underscores the need for layered security and SaaS-native threat detection. Organizations should combine user education, identity threat protection, and SaaS configuration hardening to minimize risk. Obsidian’s continuous monitoring and context-aware alerts help defenders identify and respond to threats before damage is done.