The fresh wave of attacks targeting airlines comes soon after the hackers hit the U.K. retail sector and the insurance industry.
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
**Identification:** Prolific hacking crew, primarily composed of English-speaking hackers, generally noted as teenagers and young adults.
**Aliases/Associations:** Known hacking group referenced in advisories from the FBI and cybersecurity firms.
## Activity Summary
The actors were recently observed conducting cyberattacks specifically targeting the **airline and transportation sector**. This expansion follows established patterns of targeting large corporations and their associated third-party IT providers and vendors within the ecosystem. At least two airlines, Hawaiian Airlines and WestJet (Canada’s second largest), reported intrusions aligned with this activity.
## Tactics, Techniques & Procedures
- **Social Engineering:** Heavily reliant on deception tactics to gain initial access. (T1566)
- **Phishing:** A key technique used to compromise networks. (T1566.001)
- **Intimidation/Threats:** Has at times used threats of violence directed at company help desks and call centers to pressure staff into granting access.
- **Ransomware Deployment:** Capable of deploying ransomware following network compromise.
- **Supply Chain Targeting:** Targeting large corporations' third-party IT providers and contractors.
## Targeting
- **Sectors:** Airlines and the broader transportation sector, including aviation.
- **Geography:** Not explicitly detailed, but involving US (Hawaiian Airlines) and Canadian (WestJet) entities.
- **Victims:** Large corporations within the airline ecosystem, including trusted vendors and contractors. Specific victims mentioned are **Hawaiian Airlines** and **WestJet**.
## Tools & Infrastructure
- **Malware Families Used:** Ransomware deployment capability is noted; no specific family is identified in the provided context.
- **Infrastructure (C2, domains, IPs):** Not specified in the provided context.
## Implications
Scattered Spider presents a persistent, financially motivated threat actor utilizing readily accessible social engineering techniques. Their pivot towards critical infrastructure sectors like aviation poses significant risks to operational continuity and supply chain integrity within the transportation ecosystem. The reliance on exploiting help desks means even robust perimeter defenses may be bypassed by targeting human factors.
## Mitigations
- Enhance vigilance against social engineering and phishing attacks across all levels, particularly toward help desk and call center staff.
- Implement strict identity verification controls for all access requests, regardless of the source channel.
- Organizations in the airline ecosystem (including vendors and contractors) must review and tighten security controls due to the heightened risk of supply chain exploitation.
- Prepare and rehearse ransomware incident response capabilities.