Full Report
The fresh wave of attacks targeting airlines comes soon after the hackers hit the U.K. retail sector and the insurance industry.
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
- **Identification:** Prolific cybercrime group known as Scattered Spider.
- **Aliases:** Not explicitly mentioned, but often associated with previous high-profile attacks.
- **Known Associations:** Primarily described as a collective of mostly English-speaking hackers, typically teenagers and young adults.
## Activity Summary
- **Recent Campaigns:** Now observed aggressively targeting the airlines and the broader transportation sector.
- **Historical/Reported Incidents:** Linked to cyberattacks against at least two airlines recently:
  - Hawaiian Airlines reported an intrusion under investigation.
  - WestJet (Canada's second-largest airline) reported an ongoing and unresolved cyberattack on June 13th, which media reports link to Scattered Spider.
## Tactics, Techniques & Procedures
- **Motivation:** Primarily financially motivated, focused on stealing and extorting sensitive data from company networks.
- **Techniques:** Known for heavy reliance on deception tactics:
  - Social engineering
  - Phishing
  - Threats of violence directed towards company help desks and call centers to gain initial network access.
## Targeting
- **Sectors:** Airlines and the transportation sector.
- **Geography:** Specific geography not detailed, but incidents involve Hawaiian Airlines (US-based) and WestJet (Canadian).
- **Victims:** Hawaiian Airlines, WestJet.
## Tools & Infrastructure
- **Malware Families Used:** Not specified in the provided text.
- **Infrastructure (C2, domains, IPs):** Not specified in the provided text.
## Implications
- The shift in focus towards critical infrastructure like airlines indicates a potential escalation in impact and risk exposure for the transportation industry globally.
- The reliance on social engineering against internal support functions suggests a persistent threat to organizations with weak internal security awareness or access control procedures (e.g., susceptibility to MFA fatigue or to bypassing help desk identity-verification controls).
## Mitigations
- Enhance vigilance and defensive measures specifically against social engineering and phishing targeting help desk and call center staff.
- Review access controls and verification processes, particularly those used by IT support staff, to mitigate unauthorized access gained through deception.
- Implement robust multi-factor authentication (MFA) mechanisms that are resistant to common bypass techniques (e.g., prompt bombing/fatigue attacks).
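The last mitigation names prompt bombing (MFA fatigue) as a bypass technique. One way a defender can operationalize that is to alert on the pattern it leaves in authentication telemetry: a burst of push prompts a user denies or ignores, followed by an approval. The script below is an added example written for this summary, not code from the report or from any vendor; the log format, the result values (`push_denied`, `push_timeout`, `push_approved`) and the sample events are all constructed assumptions, and a real deployment would map its identity provider's event names onto them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (hypothetical format: timestamp user result).
# Result names are assumptions, not any real product's event names.
SAMPLE_EVENTS = """\
2025-06-13T02:14:05Z alice push_denied
2025-06-13T02:14:31Z alice push_timeout
2025-06-13T02:15:02Z alice push_denied
2025-06-13T02:15:40Z alice push_denied
2025-06-13T02:16:10Z alice push_approved
2025-06-13T09:00:00Z bob push_approved
2025-06-13T09:30:00Z bob push_denied
2025-06-13T09:31:00Z bob push_approved
"""

UNANSWERED = {"push_denied", "push_timeout"}


def parse_events(text):
    """Parse 'timestamp user result' lines into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Flag users who received >= threshold unanswered push prompts inside a
    sliding time window. If an approval arrives while the burst is still in
    the window, mark it: that is the fatigue-bypass success pattern and the
    case that needs immediate session revocation and user contact.

    Returns {user: {"unanswered": max_burst_size, "first_seen": datetime,
                    "approved_after_burst": bool}}.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    alerts = {}
    for user, evs in by_user.items():
        recent = []  # unanswered prompts still inside the window
        for ts, result in evs:
            # Drop prompts that have aged out of the window.
            recent = [(t, r) for t, r in recent if ts - t <= window]
            if result in UNANSWERED:
                recent.append((ts, result))
                if len(recent) >= threshold:
                    alert = alerts.setdefault(
                        user,
                        {"unanswered": 0, "first_seen": ts, "approved_after_burst": False},
                    )
                    alert["unanswered"] = max(alert["unanswered"], len(recent))
            elif result == "push_approved" and len(recent) >= threshold:
                # An approval right after a burst of ignored prompts is the
                # signature of a successful prompt-bombing attempt.
                alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse_events(SAMPLE_EVENTS)).items():
        severity = "HIGH" if info["approved_after_burst"] else "MEDIUM"
        print(f"[{severity}] {user}: {info['unanswered']} unanswered push prompts "
              f"from {info['first_seen']:%H:%M:%S}"
              + (", then approved" if info["approved_after_burst"] else ""))
```

The window and threshold are tuning knobs: a single denied prompt is routine user error, whereas several in a few minutes almost always means someone other than the user is driving the login. A single denial followed by an approval, as in the `bob` events, stays below the threshold and produces no alert.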