Rampant cybercrime gang launches attacks on US airlines

Who is Scattered Spider?

Scattered Spider is a cybercrime gang composed mainly of teenagers and young adults from the U.S., UK, and other English‑speaking countries.

They’re known for using highly effective social engineering techniques, especially impersonating employees or contractors to deceive help desks and gain access to IT systems.

Once inside, they deploy ransomware or steal data for extortion. The group formed in mid‑2022 and first gained notoriety in 2023 after targeting casinos such as MGM and Caesars Entertainment.

In 2023, Caesars paid approximately US$15 million, half their initial $30 million demand, to recover systems.

Scattered Spider expands to airline industry

A known cybercrime group, Scattered Spider, has expanded its targets to US airlines. Previously involved in major corporate breaches, the group is now believed to be behind recent cybersecurity incidents at North American carriers.

Investigators say this group uses social engineering to gain internal access, often by impersonating employees or contractors.

This shift from attacking casinos and insurance companies to transportation marks a serious escalation, raising concerns about the vulnerability of critical infrastructure in the airline sector.

Airline systems disrupted in multiple incidents

Several airlines have recently reported disruptions to internal systems. WestJet and Hawaiian Airlines both confirmed cybersecurity incidents affecting non-flight operations. Around the same time, American Airlines experienced widespread outages, delaying and canceling hundreds of flights.

While not all airlines confirmed the cause, the timing suggests a potential pattern. Experts believe the incidents reflect increasing pressure from cybercriminal groups targeting operational IT systems, not just customer-facing services, prompting a broader reevaluation of aviation cybersecurity protocols.

Social engineering was the main entry point

Cybersecurity investigators say attackers used social engineering to break into airline systems. This tactic involves tricking support staff into handing over access credentials by pretending to be real employees.

Scattered Spider is particularly skilled at this method, often using phone calls and fake IDs to bypass security checks. Unlike technical hacks, this form of intrusion takes advantage of human error.

Airlines are now urged to retrain staff and limit access to sensitive systems through stricter verification.

No confirmed flight safety compromises so far

Despite the attacks, authorities have confirmed no threats to flight safety or air traffic control systems. The Federal Aviation Administration emphasized that core aviation operations remain secure and isolated from the affected networks.

However, some airlines did face delays and communication challenges due to IT disruptions. These incidents show that even if safety-critical systems are protected, administrative and operational breakdowns can still cause significant issues for passengers and staff.

FBI issues warning to airline sector

The FBI has formally warned airlines and transportation companies about the cybercrime gang’s evolving tactics. It called on aviation firms to bolster digital defenses, particularly at customer service and IT support points.

The agency also advised immediate reporting of suspicious login attempts or unusual activity. The FBI hopes to track group movements and prevent deeper system breaches by coordinating with airlines and security vendors. The alert marked one of the most urgent issues for the aviation sector this year.

Airline vendors may be weak links

Many airlines rely on third-party IT vendors, call centers, and software systems to manage bookings and internal tasks. Cybercriminals often exploit these partnerships to find a way into the airline's main network.

Security analysts say these third-party platforms are rarely as secure as airline-owned infrastructure. In some incidents, attackers bypassed strong airline protections by compromising a vendor. This highlights the growing need for airlines to audit their partners’ cybersecurity and limit third-party access privileges.

Qantas breach shows global trend

In a related case, Qantas Airways in Australia reported a breach involving six million customer records. Attackers gained access through a compromised third-party call center. While not confirmed to be the same group, the tactics closely match those used in the US airline incidents.

Investigators see this as evidence that global airline infrastructure is under increasing threat. It also underscores how cybercriminals are willing to exploit the weakest entry point, regardless of location or size.

Internal access was the main goal

Rather than targeting public-facing websites, the attackers focused on gaining internal system access. Security researchers say the group likely sought backend tools, employee dashboards, and sensitive internal communications.

This level of access can give cybercriminals control over flight schedules, ticketing, or data storage. Even if they don’t use it to disrupt flights directly, the value of that access can be leveraged for ransom or sold on dark web forums.

Airline employees targeted directly

Attackers reportedly impersonated real airline employees to fool IT support staff. This method, known as vishing or voice phishing, has become increasingly effective.

Using employee information obtained from social media or internal leaks, attackers create a believable scenario and gain unauthorized access.

This has put additional pressure on help desks and HR departments to verify identities more thoroughly. It also exposes the need for internal systems to detect unusual access patterns in real time.

Disruption linked to system outages

While not officially confirmed by airlines, some cybersecurity experts believe internal breaches caused recent operational outages. On June 27, American Airlines saw massive delays and system crashes.

Investigators are still assessing whether that event was linked to unauthorized access or a broader ransomware attack. These disruptions show how even non-malicious intrusions can spiral into large-scale logistical failures, especially when tied to complex, interconnected airline systems.

No ransom demands publicly reported yet

No public reports of ransom demands have been made to the affected airlines. In previous incidents involving the same gang, however, attackers often contacted victims later with demands after stealing sensitive files.

Authorities warn that similar extortion tactics could follow if the current intrusions involve data theft. Airlines have been advised to prepare for that possibility and develop communication plans if customer data becomes involved in any demands.

According to a Reuters report, Hawaiian Airlines was hit by a cyber attack with no public ransom demands.

White House briefed on growing threat

Given the involvement of multiple airlines and the critical nature of transportation infrastructure, federal authorities have briefed the White House on the threat. Cybersecurity officials are working with private sector partners to understand the scope and provide defensive resources.

National security advisors are also evaluating whether broader legislation is needed to protect transportation networks from cyberattacks. The situation is being treated with increased urgency due to the potential for widespread disruption.

Public trust in airline security tested

These incidents are testing public trust in the digital security of airlines. With customer information, bookings, and operations increasingly reliant on connected systems, passengers are rightfully concerned about how their data is managed.

Airlines now face the dual challenge of recovering from breaches while reassuring customers that their systems are secure. Industry experts say transparent communication and prompt security upgrades are essential to rebuilding confidence in the wake of these attacks.

Data theft is a growing concern

Although no major leaks have been confirmed, the risk of personal data theft is significant. Cybercriminal groups often extract data to pressure companies into paying ransoms. This could include customer information, payment details, and airline travel records.

Data loss can lead to identity theft, financial fraud, and regulatory penalties. Experts encourage passengers to monitor accounts, reset passwords, and enable two-factor authentication where available as a precaution.

Data theft risks keep rising. With 1.6 million affected in a massive insurance data breach, the threat feels closer than ever.

Industry urged to adopt zero-trust security

In response to the rising threat, cybersecurity professionals urge the aviation sector to adopt a zero-trust architecture. This model assumes no internal user or device is automatically trusted, even inside the network.

Access is constantly verified, limited, and monitored. This layered approach is critical, as attackers can bypass initial defenses through social engineering. Zero-trust could help prevent lateral movement across airline systems once any point is compromised.

As cyber threats grow more sophisticated, the industry must embrace zero-trust security, especially as China quietly admits role in cyber attacks.


This slideshow was made with AI assistance and human editing.