Scattered Spider, the teenaged hacking collective behind recent cyber attacks on UK retailers Marks and Spencer (M&S) and Co-op, appears to be actively breaching targets in the airline sector, with multiple victims now observed, according to new intelligence shared by Google Cloud’s Mandiant threat analysts immediately prior to the weekend of 28-29 June.
Having made national headlines in the UK earlier with its audacious attacks on two of Britain’s most recognisable High Street brands – the effects of which continue to linger – Scattered Spider then turned its attention to retailers in the United States before beginning to target insurance providers as well.
Should Mandiant’s latest intelligence prove accurate, it would represent a clear escalation in Scattered Spider’s activity, and lends further weight to the theory that it has successfully compromised one or more third-party IT suppliers.
“Mandiant is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider,” said Charles Carmakal, chief technology officer at Mandiant Consulting.
“We are still working on attribution and analysis but given the habit of this actor to focus on a single sector we suggest that the industry take steps immediately to harden systems.
“The actor’s core tactics, techniques, and procedures have remained consistent. This means that organisations can take proactive steps like training their help desk staff to enforce robust identity verification processes and deploying phishing-resistant MFA to defend against these intrusions. Additional advice can be found in our previous hardening guide,” said Carmakal.
Although Mandiant’s team did not name any victims itself, on 26 June Hawaiian Airlines in the US has reported disruption to its systems following a security incident. Meanwhile Canadian operator WestJet is also embroiled in the aftermath of a cyber attack that began on Friday 13 June and has disrupted access to its mobile app and website.
In a statement, Hawaiian Airlines said: “Hawaiian Airlines is addressing a cyber security event that has affected some of our IT systems. Our highest priority is the safety and security of our guests and employees. We have taken steps to safeguard our operations, and our flights are operating safely and as scheduled.
“Upon learning of this incident, we engaged the appropriate authorities and experts to assist in our investigation and remediation efforts. We are currently working toward an orderly restoration and will provide updates as more information is available.”
In its most recent update, issued on 18 June, WestJet said it was making good progress on safeguarding its digital environments.
“As soon as a cyber security incident was identified, we took immediate action, including but not limited to, launching an investigation, engaging world class third-party cyber security experts and forensic specialists, and notifying our people and guests of our ongoing efforts,” a spokesperson said.
“We are working as quickly as possible to assess any potential data in scope. Our investigations are ongoing, and we will provide updates as appropriate in the future. We have engaged with law enforcement and are complying with our regulatory obligations in the meantime. The protection of our data is of utmost importance to us and we thank all of our guests for their continued patience at this time.”
Neither Hawaiian Airlines nor WestJet has yet reached any stage of their investigations where naming the threat actor responsible for the intrusion is possible, or indeed advisable. No link to Scattered Spider has been confirmed.
Computer Weekly has also learned of a third ongoing IT incident affecting American Airlines, where passengers are reporting their flights are being impacted by systemwide outages.
According to discussions on the airline’s subreddit, the incident has left pilots unable to file flight plans, and gate agents left to manually board departing planes, resulting in flight delays.
American Airlines has been contacted for comment.
We’re not going on a summer holiday
With air travel in Europe and North America hitting its peak during the summer, the aviation sector is – as was ever the case – experiencing intense pressure to maintain seamless services throughout, something that cyber criminals are known to exploit.
The sector is already a high-value target for cyber criminals because it holds vast amounts of highly-valuable personal data, such as credit card details, home addresses, and passport numbers.
“Increasingly, the primary goal of cyber attacks is not just to access systems but to use sensitive or personal data as leverage for extortion attempts, or sold on the dark web for further criminal activity, such as phishing and identity fraud,” said Darren Williams, CEO and founder of BlackFog, an anti-ransomware and data protection platform.
“With incidents like this one highlighting how threat actors are actively and deliberately targeting airlines, operators must remain vigilant, investing in robust defences that safeguard customer data, protect operations, and customer trust,” he said.
