Scattered Spider targeting North American airlines, Hawaiian Airlines likely first ransom victim


The infamous Scattered Spider ransomware gang is setting its sights on North American airline carriers, security researchers said on Friday, making Hawaiian Airlines, which on Thursday was knocked offline in a reported cyberattack, likely its first victim.

It appears that Scattered Spider, also known in the security world as UNC3944, has been observed targeting North American airlines and the transportation industry as a whole, according to new threat intelligence from Google’s Mandiant.

“Mandiant is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider,” Charles Carmakal, CTO at Mandiant Consulting for Google Cloud, told Cybernews on Friday.

And although Mandiant is “still working on attribution and analysis,” the CTO stresses that “given the habit of this actor to focus on a single sector, we suggest that the industry take steps immediately to harden systems.”

Scattered Spider is best known for its sophisticated phishing-inspired ransomware attacks on the UK retail sector this spring, allegedly responsible for hitting several big names, including Marks & Spencer, Co-Op, and Harrods, in a coordinated effort with the DragonForce ransomware group.

The English-speaking threat actor is also known for working with the now-defunct ALPHV/BlackCat ransomware group to carry out the widely publicized attacks on MGM Resorts International and Caesars Palace in Las Vegas back in 2023.

The ransomware group’s “core tactics, techniques, and procedures have remained consistent,” Carmakal explains.

Scattered Spider will typically breach its target by posing as IT help desk workers, tricking unsuspecting employees into handing over their login credentials.

Carmakal recommends that organizations take “proactive steps like training their help desk staff to enforce robust identity verification processes and deploying phishing-resistant MFA to defend against these intrusions.”

Latest ransomware attacks signal more to come

If Carmakal and his team are correct, it could mean that Scattered Spider’s first ransomware victim in the North American transportation sector is none other than Hawaiian Airlines. Tausek also points to the ongoing June 13th attack on Canada’s second-largest airline, WestJet, as a potential first victim.

The Honolulu-based airline on Thursday announced it was grappling with a “cybersecurity event that has affected some of our IT systems,” and has called in authorities to help investigate and restore network access.

In a statement sent to Cybernews, the carrier did say that its “full flight schedule and guest travel” was not impacted, and it has since taken further precautions to “safeguard its operations.”

The US Federal Aviation Administration said on Thursday it was monitoring the situation, but as of Friday afternoon, neither the FAA nor Hawaiian Airlines has provided any new updates.

"Troubling Trend"

“The surge in cyberattacks against airlines points to a troubling trend, not a random string of incidents,” says Nick Tausek, Lead Security Automation Architect at Swimlane.

“Airlines sit at the intersection of critical infrastructure and personal data, making them a high-value target for cybercriminals and nation-state actors alike,” Tausek explains.

Besides the attack on WestJet, which disrupted the airline's IT systems and made its app inaccessible, Tausek notes the December 2024 cyberattack on the Tokyo-based Japan Airlines (JAL), which also halted over 40 flights at its peak.

Although Scattered Spider has not come forward to claim the recent WestJet or Hawaiian Airlines attacks, the aviation industry has seen an uptick in ransomware attacks since 2023.

Airlines store an “extensive amount of sensitive information” coveted by cybercriminals, including “passenger information, payment data, and flight operations details,” he says.

Tausek explains that personally identifiable information (PII) can be used for various nefarious purposes, from identity theft and targeted spear phishing attacks to widespread operational disruptions.

In 2024, the Seattle-Tacoma International Airport was hit by the Rhysida ransomware gang in a massive cyberattack that lasted more than a month. Air Canada was also claimed by the BianLian ransomware group that year.

Other victims included Boeing by the LockBit gang, Japan Aviation Electronics by ALPHV/BlackCat, Africa's Kenya Airways, and the global aviation leasing giant AerCap.

“If attackers are turning their sights on airlines, organizations must proactively establish strong defensive measures to reduce the impact of these attacks beforehand, rather than trying to play cleanup after the fact,” Tausek said.

Mandiant has released a hardening guide to help organizations defend against Scattered Spider attacks.