The notorious cybercrime group known as Scattered Spider is shifting its focus. According to warnings issued in late June, it has begun targeting North American airline and transportation companies.
The alerts come from both federal authorities and private sector threat intelligence teams.
The FBI confirmed this in a public advisory. The group's method is familiar: social engineering, chiefly impersonating employees or contractors to manipulate help desk staff into resetting passwords, enrolling new multi-factor authentication (MFA) devices, or disclosing employee information.
“Scattered Spider actors steal sensitive data for extortion and often deploy ransomware,” the FBI said. Their targets now include not only major airlines, but also contractors, third-party vendors, and IT service providers across the aviation supply chain.
Mandiant, part of Google Cloud, echoed the concern. Charles Carmakal, CTO of Mandiant Consulting, wrote in a LinkedIn post that his team is “aware of multiple incidents in the airline and transportation sector” resembling past campaigns by the group, also known as UNC3944.
A Critical Weakness
Carmakal cautioned that help desk verification processes remain a critical weakness. “We recommend that the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts,” he said. Attackers have exploited such gaps to trigger self-service password resets, hijack MFA, and gather credentials for later attacks.
Scattered Spider is not new to high-profile campaigns. Known by other names (Muddled Libra, Octo Tempest, 0ktapus), it has built a reputation for social engineering savvy, nimble adaptation, and persistent access to enterprise environments. Palo Alto Networks’ Unit 42 has documented the group’s evolution since 2022, tracing its shift from phishing and SIM-swapping into full-scale ransomware and extortion.
According to Palo Alto’s Unit 42, the group’s early victims were often business process outsourcers handling sensitive data for cryptocurrency clients. Later, it expanded into telecoms, tech, hospitality and finance. Its recent alliance with ransomware group DragonForce marks a renewed emphasis on encryption-based extortion.
Now, the pivot to airlines represents another phase.
Stress Preemptive Controls
Mandiant issued hardening guidance in recent weeks, based on “thousands of hours” of incident response. The recommendations stress preemptive controls at the help desk level, tighter identity verification, and restricting access to MFA reset functions. The firm also emphasized that no sector should consider itself safe. “Scattered Spider has a history of focusing on sectors for a few weeks at a time before expanding their targeting,” Carmakal wrote.
The FBI urged organizations to report suspected activity early. “Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise,” the Bureau noted.
Scattered Spider's tactics rely on social engineering and human error rather than on zero-day exploits. According to analysts, the group routinely studies its targets: it gathers employee data, mimics internal language and terminology, and wears down call center workers until someone bends the rules.
Unit 42’s research highlights how the group infiltrates IT environments by chaining together small missteps. “Muddled Libra doesn’t bring anything new to the table except for the uncanny knack of stringing together weaknesses to disastrous effect,” the team wrote in a May 2025 report.
What comes next is likely more of the same, only faster, more tailored, and more professional.
For defenders, the guidance is clear: modernize controls. Monitor for abnormal behavior. Lock down account recovery processes. And, as always, train the humans.
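The help-desk abuse pattern described above (an agent resets a password or MFA factor, the caller enrolls a phone number or device they control, then signs in from somewhere new) leaves a recognisable trail in identity-provider audit logs. The Python below is an added example of the "monitor for abnormal behavior" and "restrict MFA reset" advice; it is not code from Mandiant, Unit 42, the FBI or the page's author. The event names, JSON field names, the 60-minute window and the sample log lines are constructed assumptions for the example and do not match any vendor's real schema.

```python
"""Detect help-desk-assisted account-recovery abuse in IdP audit logs.

Constructed example: the event names, field names and sample records below are
assumptions that resemble a generic identity-provider audit trail, not any
real vendor's format. Adapt the constants to your own log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Assumed event names. HELPDESK_EVENTS are changes an agent makes on a user's
# behalf; ENROLL_EVENT is the attacker's goal (a factor they control);
# LOGIN_EVENT is used both for the IP baseline and for the post-reset sign-in.
HELPDESK_EVENTS = {"user.password.reset_by_admin", "user.mfa.factor.reset_by_admin"}
ENROLL_EVENT = "user.mfa.factor.enroll"
LOGIN_EVENT = "user.session.start"
PHONE_FACTORS = {"sms", "voice", "phone"}   # factors a help-desk caller can redirect
WINDOW = timedelta(minutes=60)               # assumed: how long after a reset we watch


@dataclass
class Finding:
    user: str        # account that was reset
    agent: str       # help-desk actor who performed the reset
    reason: str
    events: list     # the correlated raw events, for the analyst


def parse(lines):
    """Parse one JSON record per line and return events sorted by timestamp."""
    events = [json.loads(line) for line in lines if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def known_ips(events, user, before):
    """Baseline: source IPs the user signed in from before the reset."""
    return {e["ip"] for e in events
            if e["event"] == LOGIN_EVENT and e["target"] == user and e["ts"] < before}


def detect(lines):
    """Correlate each help-desk reset with what the account does next.

    Two rules, both scoped to WINDOW after the reset:
      1. a phone-based factor is enrolled (SIM-swap / number-add abuse);
      2. a new factor is enrolled and a sign-in follows from an IP the user
         has never used before.
    """
    events = parse(lines)
    findings = []
    for i, reset in enumerate(events):
        if reset["event"] not in HELPDESK_EVENTS:
            continue
        user = reset["target"]
        baseline = known_ips(events, user, reset["ts"])
        enrolled = None
        for e in events[i + 1:]:
            if e["ts"] - reset["ts"] > WINDOW:
                break                      # events are sorted; nothing later is in scope
            if e["target"] != user:
                continue
            if e["event"] == ENROLL_EVENT:
                enrolled = e
                if e.get("factor") in PHONE_FACTORS:
                    findings.append(Finding(user, reset["actor"],
                        "phone-based factor enrolled after help-desk reset", [reset, e]))
            elif e["event"] == LOGIN_EVENT and enrolled and e["ip"] not in baseline:
                findings.append(Finding(user, reset["actor"],
                    "login from unseen IP with newly enrolled factor", [reset, enrolled, e]))
    return findings


# Constructed sample log. "bob" shows the abuse pattern; "carol" is a benign
# reset (authenticator app re-enrolled, sign-in from her usual address).
SAMPLE_LOG = """
{"ts":"2025-06-20T08:00:00","event":"user.session.start","target":"bob","actor":"bob","ip":"203.0.113.10"}
{"ts":"2025-06-20T08:05:00","event":"user.session.start","target":"carol","actor":"carol","ip":"203.0.113.20"}
{"ts":"2025-06-27T10:00:00","event":"user.password.reset_by_admin","target":"bob","actor":"helpdesk.agent7","ip":"10.0.0.5"}
{"ts":"2025-06-27T10:04:00","event":"user.mfa.factor.enroll","target":"bob","actor":"bob","factor":"sms","ip":"198.51.100.77"}
{"ts":"2025-06-27T10:06:00","event":"user.session.start","target":"bob","actor":"bob","ip":"198.51.100.77"}
{"ts":"2025-06-27T11:00:00","event":"user.password.reset_by_admin","target":"carol","actor":"helpdesk.agent2","ip":"10.0.0.5"}
{"ts":"2025-06-27T11:02:00","event":"user.mfa.factor.enroll","target":"carol","actor":"carol","factor":"totp","ip":"203.0.113.20"}
{"ts":"2025-06-27T11:03:00","event":"user.session.start","target":"carol","actor":"carol","ip":"203.0.113.20"}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.user}: {f.reason} (reset by {f.agent})")
```

Run against the sample, the script reports two findings for bob and none for carol. The second rule is the useful one in practice: a legitimate recovery usually ends with the user signing in from the same network as before, while a help-desk hijack almost always ends with a sign-in from infrastructure the account has never touched. Tune WINDOW and the IP baseline (ASN or geolocation rather than exact IP) to your own environment.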
A Uniquely Dangerous Threat
“Scattered Spider are uniquely dangerous because much of the West is accustomed to this image of cyber criminals from Eastern Europe and Asia. Because most of Scattered Spider are native English speakers, they’re able to execute social engineering attacks without raising concerns as readily. It makes them very effective at exploiting the human side of cybersecurity,” comments Rex Booth, CISO at SailPoint.
Booth adds: “The group has been linked with attacks on the insurance and aviation sectors. Insurance companies are popular targets because they are heavily reliant on call centre representatives, who often have privileged access and authenticate customers before making account changes. This creates a critical vulnerability to groups like Scattered Spider, who specialise in social engineering. Attackers can take advantage of under-trained or overworked call centre representatives by impersonating customers, senior executives, or IT admins.”
“After an attacker has convinced a call centre representative to disable MFA, provide a temporary code or reset a password, they can then bypass one of the strongest defenses available,” he adds.
“In the event of a breach, organisations need to understand the specific role that has been compromised. This is critical to diagnose the ‘blast radius’ and understand which pathways are facilitating access to critical information.”
Continuous Workforce Education
Jordan Avnaim, CISO at Entrust, adds that social engineering attacks are evolving rapidly, fueled by current events, AI-generated deepfakes, and increasingly convincing impersonation tactics. “In addition, supply chain attacks are a common tactic for cybercriminals, who exploit contractors and third-party vendors as a path to gain access to larger objectives or high-value organisational targets.”
“As we head into the busy summer travel period, it’s not surprising that threat actors have shifted focus towards the travel and aviation industry, where they can potentially create havoc by disrupting operational continuity and creating customer distrust,” Avnaim adds. “Defending against these risks requires more than perimeter controls – it demands continuous workforce education, Zero Trust principles, phish-resistant multi-factor authentication and identity verification that can’t be socially engineered. Security must be a standing board-level conversation, with ongoing investment in both technology and response readiness.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.