Scattered Spider Now Targeting Airlines and Transportation, FBI Warns of Imminent Data Theft
Known for advanced phishing and social engineering tactics, the group previously hit casinos, insurers, and UK retailers. These attacks pose serious risks to operations and data, often exploiting human vulnerabilities and compromised credentials.
What Happened: The Scattered Spider cybercriminal group is now targeting major airlines and the transportation industry. The FBI issued an official warning following three cyberattacks against Hawaiian Airlines, Canada’s WestJet, and, most recently, Qantas. The FBI warns that Scattered Spider may continue to target other organizations directly, or breach third parties in the supply chain to gain initial access.
Key Facts to Know About Scattered Spider:
Scattered Spider often targets one industry at a time: The group first gained public attention in late 2023, following multimillion-dollar hacks on Las Vegas casinos. They then focused on US-based insurance firms including industry giant Aflac. Prior to targeting airlines, Scattered Spider had executed campaigns against UK retailers, including Marks & Spencer.
Scattered Spider employs advanced phishing and social engineering techniques to infiltrate organizational networks. One of their most effective methods involves manipulating IT support personnel by posing as employees or customers (also called help desk social engineering).
Why This Matters:
Cyberattacks like these not only result in the theft of PII, but also bring down critical operations. In the case of Marks & Spencer, online shopping was down for over a month, resulting in losses of $80 million in profit and $1.3 billion in stock market value.
Taking a Step Back:
SaaS vendors cannot prevent data loss alone: Recent examples demonstrate new cloud challenges where SaaS apps are unable to prevent data loss from unauthorized access (such as credential compromise). These applications are hosted elsewhere, rather than on-premises or in private cloud data centers. Attackers need to trick one human, or compromise one non-human identity lacking advanced authentication, to bring businesses to a halt with devastating consequences.
Credential attacks are the norm: Scattered Spider is just one of many diverse cybercriminal groups across the world. Despite differences in geography, motivation, or sophistication, these groups all overwhelmingly aim to compromise credentials. They utilize tactics such as phishing, SIM swapping, MFA push fatigue, social engineering, and AiTM kits to gain unauthorized access to internal systems.
Cyberattacks target humans as the weakest link: The 2025 Verizon DBIR report finds that 68% of breaches involve the human element. Whether through manipulation or fatigue, attackers take advantage of human behavior (and mistakes) to bypass technical controls. Social engineering techniques remain some of the most successful and low-cost methods for initial access.
How to Defend Against Scattered Spider:
General Strategies:
Put formal policies and procedures in place for password resets and MFA changes, including extra identity verification.
Train employees on how to recognize and respond to help desk social engineering and phishing threats.
Implement strong multifactor authentication by restricting the usage of text, phone, and email-based methods and enforcing the usage of FIDO2, certificate-based, and passwordless authentication.
Ensure all employee workstations and company servers are protected by EDR and zero-trust controls.
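One way to check the multifactor authentication recommendation above against an export of registered methods, as an added example that is not from the original article or from Obsidian. The CSV layout, the method labels and the sample users are constructed assumptions; adapt them to what your identity provider actually exports.

```python
import csv
import io

# Method classes follow the recommendation above. The label strings are
# assumptions about how an identity provider export names each method.
WEAK = {"sms", "voice", "email"}
STRONG = {"fido2", "certificate", "passkey"}

# Constructed sample export: one row per (user, registered method).
SAMPLE_EXPORT = """user,method
alice@example.com,fido2
bob@example.com,sms
bob@example.com,fido2
carol@example.com,voice
carol@example.com,email
dave@example.com,totp
erin@example.com,certificate
erin@example.com,passkey
"""

def load_methods(text):
    """Group registered methods by user from a CSV export."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"].strip().lower()
        users.setdefault(user, set()).add(row["method"].strip().lower())
    return users

def classify(methods):
    """Return a finding for one user's set of registered methods."""
    weak, strong = methods & WEAK, methods & STRONG
    if strong and methods <= STRONG:
        return "compliant"
    if strong and weak:
        return "downgrade-risk"  # strong method present, weak fallback still usable
    if weak:
        return "weak-only"
    return "review"  # methods in neither list need a policy decision

def audit(text):
    """Map each user in the export to a finding, sorted by user name."""
    return {user: classify(m) for user, m in sorted(load_methods(text).items())}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_EXPORT).items():
        print(f"{finding:15} {user}")
```

The "downgrade-risk" finding is the one to prioritize for this threat: a user who owns a FIDO2 key but still has a text or phone method registered can be talked into, or reset onto, the weaker method.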
For Obsidian Customers:
Protect employees against phishing and spearphishing threats by using Obsidian's Browser Extension to automatically block attacks in the browser.
Clarify legitimate vs illegitimate users by confirming the browser that is authenticating.
Monitor the ITDR module for alerts related to Scattered Spider's known TTPs, such as: