Scattered Spider Attacks on Airlines (Qantas, WestJet, Hawaiian Airlines)

1. Executive Summary

In late June to early July 2025, multiple airlines disclosed cybersecurity incidents affecting internal systems and/or customer data, with reporting and government/industry warnings pointing to activity consistent with the Scattered Spider cybercriminal ecosystem. Hawaiian Airlines reported a disruptive cybersecurity event on 26 June 2025, WestJet disclosed an internal-systems incident beginning 13 June 2025 and later confirmed customer data theft, and Qantas confirmed unauthorised access to customer data via a third-party contact-centre platform in early July 2025. (Reuters)
While public attribution varies by victim (and not all organisations named a culprit), US and allied partners’ joint reporting describes Scattered Spider’s hallmark approach: high-confidence social engineering against IT/help desks, credential theft, MFA bypass (push “bombing”), and extortion—an especially acute risk for aviation due to heavy reliance on outsourced contact centres and third-party service providers. (ic3.gov)


2. Contextual Background

2.1 Nature of the threat (vulnerabilities vs identity compromise)

This airline cluster is not primarily CVE-driven in public reporting. Instead, it aligns with Scattered Spider’s identity-centric intrusion pattern: targeting help desks and contracted IT functions to obtain credentials, reset MFA, or coerce users into running remote tools. (ic3.gov)
For aviation, this shifts the defensive priority from patch-only hygiene to identity assurance, help-desk hardening, and third-party access governance.

2.2 Threat-actor attribution (confidence statement)

Actor: Scattered Spider (also tracked as UNC3944, Octo Tempest, Storm-0875, Muddled Libra, among others). (ic3.gov)

Confidence (estimative-probability scale): Likely.
Rationale:

  • A multi-agency advisory authored by FBI/CISA/partners documents Scattered Spider’s TTPs and notes ongoing targeting of large enterprises and contracted IT help desks. (ic3.gov)
  • Contemporary reporting indicates Unit 42 and Google/Mandiant observed Scattered Spider (“Muddled Libra”) targeting aviation/transportation around the same window as the airline incidents, though not all victims publicly confirmed the actor. (Reuters)

2.3 Sector and geographic targeting

Observed victims and reporting span North America (Hawaiian Airlines, WestJet) and Australia (Qantas), demonstrating cross-region targeting of English-speaking carriers, consistent with the group's English-language, voice-driven social-engineering tradecraft. (Reuters)
Aviation’s operational dependency on contact centres, SSO, and third-party customer servicing platforms increases exposure to “trusted relationship” abuse and help-desk compromise. (ic3.gov)


3. Technical Analysis

3.1 TTPs mapped to MITRE ATT&CK

The FBI/CISA partner advisory (AA23-320A update, 29 July 2025) provides a detailed ATT&CK mapping for Scattered Spider. The tactics most relevant to airline environments fall into three groups (technique-level detail is in section 7.2): (ic3.gov)

  • Initial access and social engineering: vishing and smishing of help desks and end users, often backed by lookalike SSO/help-desk domains, and abuse of contracted IT/help-desk relationships.
  • Credential access and MFA bypass: help-desk-driven password and MFA resets, SIM swapping, push fatigue ("push bombing"), and subsequent use of the resulting valid domain accounts.
  • Remote tooling, data theft and extortion: commercial remote access software repurposed for control and persistence, exfiltration to cloud storage such as MEGA, and ransomware (DragonForce) or data extortion as the end stage.

3.2 Exploitation status (in the wild) and PoC considerations

This is best characterised as active, in-the-wild intrusion activity rather than exploitation of a single disclosed vulnerability. The FBI/CISA advisory explicitly describes Scattered Spider’s operational methods and notes recent ransomware deployment (including DragonForce) alongside data theft/extortion tradecraft. (ic3.gov)
Airline victim disclosures during June–July 2025 (Hawaiian, WestJet, Qantas) occurred in the same period as industry/government warnings that Scattered Spider was expanding into aviation. (Reuters)


4. Impact Assessment

4.1 Severity and scope

Operational disruption risk: Airline IT outages can cascade into check-in, baggage, crew scheduling, customer service, and partner integrations (codeshare/loyalty). In Hawaiian’s case, the airline reported some IT systems were impacted but stated flights remained safe and on schedule. (Reuters)

Data exposure risk:

  • Qantas stated the incident involved unauthorised access to a third-party customer servicing platform used by a contact centre, compromising customer data (with Qantas providing ongoing public updates). (Qantas)
  • WestJet later reported customer data theft affecting a large population (public reporting indicates 1.2 million impacted). (The Record from Recorded Future)

4.2 Victim profile

Based on disclosures and reporting, affected organisations include major passenger airlines operating consumer loyalty ecosystems and high-volume customer service operations—environments where help-desk workflows and identity proofing are frequent choke points. (ic3.gov)


5. Indicators of Compromise (IOCs)

5.1 Public IOCs (note on specificity)

At the time of writing, victim-specific IOCs for Qantas/WestJet/Hawaiian were not consistently published in official airline statements. The most actionable public indicators are therefore behavioural and tool-based, drawn from the FBI/CISA partner advisory. (ic3.gov)

Type | Value | Context/Notes | Source
Domain pattern | targetsname-sso[.]com, targetsname-servicedesk[.]com, targetsname-okta[.]com (and variants incl. -helpdesk, -cms, oktalogin-…) | Crafted lookalike domains used in phishing/smishing and credibility-building (pattern-based, not airline-specific). | FBI/CISA AA23-320A update (29 Jul 2025) (ic3.gov)
Remote access tooling (legitimate/commercial RMM) | AnyDesk, TeamViewer, ScreenConnect, Splashtop, Pulseway, Ngrok, Tailscale, Level.io, Fleetdeck.io, TacticalRMM, Teleport | "Legitimate" tools frequently repurposed for access/persistence; presence alone is not proof, so correlate with identity events and anomalous execution. | FBI/CISA AA23-320A update (29 Jul 2025) (ic3.gov)
Malware families | Raccoon Stealer, VIDAR, AveMaria/WarZone, RattyRAT; ransomware noted: DragonForce | Used for credential theft/remote access and (in some cases) encryption/extortion. | FBI/CISA AA23-320A update (29 Jul 2025) (ic3.gov)
Exfil destination class | MEGA (mega.nz), cloud storage (e.g., S3) | Exfiltration to cloud/web services referenced in the advisory; monitor for unusual bulk uploads. | FBI/CISA AA23-320A update (29 Jul 2025) (ic3.gov)
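As an added worked example (not part of the advisory or any airline's published material), the Python below turns the domain pattern family in the table above into a matcher that can be run over a list of newly observed domains from passive DNS, certificate-transparency feeds or domain-monitoring exports. The brand token, the observed-domain sample and the decision to treat the pattern as TLD-independent and to match the lookalike label at any position below the TLD are assumptions.

```python
"""Match observed domains against the Scattered Spider lookalike-domain pattern family.

Added example, not from the FBI/CISA advisory or any airline. The brand token,
the observed-domain list and the extension to any TLD / any label position
are assumptions for illustration.
"""
import re
from typing import List, Optional, Tuple

# Pattern family from the AA23-320A update: <target>-sso, <target>-servicedesk,
# <target>-okta, <target>-helpdesk, <target>-cms and oktalogin-<target>.
SUFFIX_PATTERNS = ("sso", "servicedesk", "okta", "helpdesk", "cms")
PREFIX_PATTERNS = ("oktalogin",)


def refang(domain: str) -> str:
    """Normalise defanged notation ('[.]', '(.)'), case and a trailing dot."""
    return re.sub(r"[\[(]\.[\])]", ".", domain.strip().lower()).rstrip(".")


def brand_tokens(org_name: str) -> set:
    """Brand as attackers tend to write it: collapsed or hyphenated (assumption)."""
    base = org_name.strip().lower()
    return {base.replace(" ", ""), base.replace(" ", "-")}


def classify(domain: str, org_name: str) -> Optional[str]:
    """Return the matched pattern label (e.g. 'okta-suffix') or None.

    Every label except the TLD is checked so that 'co.uk'-style suffixes and
    subdomain use (lookalike.attacker.tld) are caught. Exact label equality is
    deliberate: fuzzy matching on the brand would also flag the airline's own hosts.
    """
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return None
    for label in labels[:-1]:
        for brand in brand_tokens(org_name):
            for suf in SUFFIX_PATTERNS:
                if label == f"{brand}-{suf}":
                    return f"{suf}-suffix"
            for pre in PREFIX_PATTERNS:
                if label == f"{pre}-{brand}":
                    return f"{pre}-prefix"
    return None


def hunt(domains, org_name) -> List[Tuple[str, str]]:
    """Return (normalised_domain, pattern_label) for every matching domain."""
    return [(refang(d), classify(d, org_name)) for d in domains if classify(d, org_name)]


# Constructed observed-domain sample (as if exported from passive DNS / CT monitoring).
OBSERVED_DOMAINS = [
    "exampleair-okta[.]com",                     # defanged feed entry
    "EXAMPLEAIR-SSO.NET",                        # different TLD, upper case
    "oktalogin-exampleair.com",                  # prefix form
    "example-air-helpdesk.com",                  # hyphenated brand
    "exampleair.com",                            # legitimate, must not match
    "notexampleair-okta.com",                    # near miss, rejected by exact label match
    "exampleair-servicedesk.attacker.example",   # lookalike used as a subdomain
]

if __name__ == "__main__":
    for domain, label in hunt(OBSERVED_DOMAINS, "Example Air"):
        print(f"{label:18} {domain}")
```

Run against a real feed, the hit list is a candidate set for takedown requests and for blocking at the proxy and mail gateway; legitimate hosts are excluded by the exact-label rule, but a genuine corporate host that happens to be named exactly "brand-sso" would need an allowlist entry.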

5.2 Detection guidance (practical starting points)

  • Identity telemetry first: alert on help-desk driven password resets/MFA resets, new MFA device enrolment, and “risky login” events around high-value roles (IT admins, IAM, contact-centre supervisors). The FBI/CISA advisory explicitly highlights these control points. (ic3.gov)
  • Remote tool hunting: baselines for commercial remote tools; hunt for portable/in-memory execution and abnormal parent-child process chains (the advisory notes defenders should audit authorised tools and review execution logs). (ic3.gov)
  • Leverage public rule ecosystems:
    • Map remote management binaries and known artefacts using LOLRMM (LOLRMM project)—explicitly referenced as a source for IOCs and Sigma rules associated with remote access tools. (ic3.gov)
    • Use SigmaHQ (Sigma rules repository) for generic detections around suspicious remote tooling, credential dumping, and anomalous authentication flows.
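As an added worked example (not the advisory's content and not any airline's detection logic), the Python below runs the first two hunts above over a handful of constructed events: it looks for a help-desk-initiated MFA or password reset followed, within a window, by a new factor enrolment from an IP the user had never used, and raises the severity if a known remote-access binary is then launched from a user-writable path. Event type names are written in Okta System Log style for readability; the field names, the two-hour window, the executable names and the sample records are assumptions.

```python
"""Hunt: help-desk-initiated reset -> new MFA factor from an unseen IP -> portable RMM.

Added example, not from the FBI/CISA advisory or any airline's detection content.
Event records below are constructed; event type names follow Okta System Log
naming for readability, but field names, window and binary list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)          # assumed correlation window after the reset
RESET_TYPES = {"user.mfa.factor.reset_all", "user.account.reset_password"}
ENROL_TYPE = "user.mfa.factor.activate"
SESSION_TYPE = "user.session.start"

# Commercial remote-access tools named in the AA23-320A update (executable names assumed).
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe", "splashtop.exe",
    "pulseway.exe", "ngrok.exe", "tailscale.exe", "level.exe", "fleetdeck.exe",
    "tacticalrmm.exe", "tsh.exe",
}
# Path fragments indicating a portable drop rather than an IT-managed install.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def ts(s):
    return datetime.fromisoformat(s)


def is_portable_rmm(image_path):
    """True when a known RMM binary runs from a user-writable location."""
    p = image_path.lower()
    name = p.rsplit("\\", 1)[-1]
    return name in RMM_BINARIES and any(seg in p for seg in USER_WRITABLE)


def find_reset_chains(identity_events, process_events):
    """One alert per user whose help-desk reset is followed, inside WINDOW, by an MFA
    enrolment from an IP never seen in that user's earlier sessions. Severity is
    raised to 'high' when a portable RMM binary also runs inside the window."""
    by_user, procs = defaultdict(list), defaultdict(list)
    for e in identity_events:
        by_user[e["target"]].append(e)
    for p in process_events:
        procs[p["user"]].append(p)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        seen_ips, reset = set(), None      # reset = (time, help-desk actor)
        for e in evs:
            when = ts(e["ts"])
            if reset and when - reset[0] > WINDOW:
                reset = None               # window expired, stop correlating
            if e["type"] == SESSION_TYPE:
                if reset is None:          # only pre-reset sessions build the baseline
                    seen_ips.add(e["ip"])
            elif e["type"] in RESET_TYPES and e["actor"] != user:
                reset = (when, e["actor"])  # self-service resets are out of scope here
            elif e["type"] == ENROL_TYPE and reset and e["ip"] not in seen_ips:
                rmm = [p["image"] for p in procs[user]
                       if reset[0] <= ts(p["ts"]) <= reset[0] + WINDOW
                       and is_portable_rmm(p["image"])]
                alerts.append({
                    "user": user, "reset_by": reset[1], "reset_at": reset[0].isoformat(),
                    "enrol_ip": e["ip"], "rmm": rmm,
                    "severity": "high" if rmm else "medium",
                })
                reset = None
    return alerts


# Constructed sample telemetry: j.doe is the suspicious chain, a.lee is a benign re-enrolment.
IDENTITY_EVENTS = [
    {"ts": "2025-06-13T08:02:00", "type": "user.session.start", "actor": "j.doe", "target": "j.doe", "ip": "10.20.1.15"},
    {"ts": "2025-06-13T11:40:00", "type": "user.mfa.factor.reset_all", "actor": "helpdesk.svc", "target": "j.doe", "ip": "10.0.0.5"},
    {"ts": "2025-06-13T11:52:00", "type": "user.mfa.factor.activate", "actor": "j.doe", "target": "j.doe", "ip": "198.51.100.23"},
    {"ts": "2025-06-13T11:55:00", "type": "user.session.start", "actor": "j.doe", "target": "j.doe", "ip": "198.51.100.23"},
    {"ts": "2025-06-13T09:00:00", "type": "user.session.start", "actor": "a.lee", "target": "a.lee", "ip": "10.20.1.40"},
    {"ts": "2025-06-13T09:10:00", "type": "user.mfa.factor.reset_all", "actor": "helpdesk.svc", "target": "a.lee", "ip": "10.0.0.5"},
    {"ts": "2025-06-13T09:15:00", "type": "user.mfa.factor.activate", "actor": "a.lee", "target": "a.lee", "ip": "10.20.1.40"},
]
PROCESS_EVENTS = [
    {"ts": "2025-06-13T12:20:00", "user": "j.doe", "image": "C:\\Users\\j.doe\\Downloads\\AnyDesk.exe", "parent": "chrome.exe"},
    {"ts": "2025-06-13T10:00:00", "user": "a.lee", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for alert in find_reset_chains(IDENTITY_EVENTS, PROCESS_EVENTS):
        print(alert)
```

The baseline is built only from sessions that precede the reset, so the attacker's own post-reset logins cannot make the new IP look familiar; a production version would seed the baseline from a longer history and add the help-desk ticket ID as a join key so the call recording can be pulled straight from the alert.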

6. Incident Response Guidance

6.1 Containment, eradication, recovery

  • Freeze and validate help-desk actions: temporarily tighten procedures for password resets and MFA resets; require supervisor approval and out-of-band verification for privileged accounts (aligns with the advisory’s emphasis on help-desk targeting). (ic3.gov)
  • Credential reset strategy: prioritise SSO/IAM admins, VPN, remote access platforms, and contact-centre support identities; rotate API keys and signing keys where applicable.
  • Remote tool triage: inventory and remove unauthorised remote access tooling; restrict execution via allowlisting; block outbound tunnels where feasible (ngrok-like behaviour) and monitor for cloud exfil. (ic3.gov)
  • Backups and ransomware readiness: ensure offline/immutable backups and rehearse restore. The advisory underscores segmentation and recovery planning to limit ransomware blast radius. (ic3.gov)

6.2 Forensic artefacts to collect

  • IAM/SSO logs: enrolments, MFA resets, conditional access policy changes, new IdP federation changes (Scattered Spider has been observed modifying identity provider trust). (ic3.gov)
  • Help-desk ticketing + call recordings where lawful: correlate social engineering narratives to authentication events.
  • Endpoint/process execution logs for remote tool installs and portable executions. (ic3.gov)
  • Egress telemetry: large uploads to cloud storage/web services; unusual MEGA usage. (ic3.gov)

6.3 Lessons learned

  • Treat help desk and contact-centre vendor access as Tier-0 security surfaces; ensure contractual security controls and joint IR playbooks reflect that reality. (ic3.gov)

7. Threat Intelligence Contextualisation

7.1 Comparisons with prior Scattered Spider campaigns

Public reporting frames this as an evolution of Scattered Spider’s established model—high-touch social engineering, rapid credential abuse, and extortion—applied to aviation/transport after previous high-profile intrusions in other sectors. (Reuters)

7.2 Full MITRE ATT&CK lifecycle mapping (observed / described in official advisory)

Tactic | Technique ID | Technique Name | Observed Behaviour (per reporting/advisory)
Initial Access | T1566.004 | Phishing: Spearphishing Voice | Vishing help desks/users to force password/MFA resets. (ic3.gov)
Initial Access | T1199 | Trusted Relationship | Abusing contracted IT/help-desk relationships. (ic3.gov)
Defence Evasion | T1656 | Impersonation | Posing as IT/help desk to gain access or reset authentication. (ic3.gov)
Credential Access | T1621 | Multi-Factor Authentication Request Generation | Push fatigue ("push bombing"). (ic3.gov)
Defence Evasion / Persistence / Initial Access | T1078.002 | Valid Accounts: Domain Accounts | Using stolen/obtained domain identities. (ic3.gov)
Command and Control | T1219 | Remote Access Software | Repurposed commercial remote tools for control. (ic3.gov)
Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Exfil to MEGA / cloud storage noted in advisory. (ic3.gov)
Impact | T1486 | Data Encrypted for Impact | Ransomware/extortion as an end-stage option. (ic3.gov)

8. Mitigation Recommendations

8.1 Hardening and best practices (priority actions)

  • Implement phishing-resistant MFA (FIDO2/WebAuthn or PKI-backed) to reduce exposure to SIM swap and push bombing. (ic3.gov)
  • Help-desk identity proofing: require strong identity verification for reset requests; implement “no-reset” policies for privileged accounts without in-person or pre-registered verification channels. (ic3.gov)
  • Conditional access & geo-velocity controls: enforce device compliance and high-risk sign-in remediation for SSO and remote access. (ic3.gov)
  • Third-party governance: review vendor access paths into customer servicing platforms and contact-centre tooling; ensure least privilege, strong logging, and rapid revocation procedures (notably relevant given Qantas’ third-party platform exposure). (Qantas)
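As an added illustration of the help-desk identity-proofing point above (not an airline's or the advisory's procedure), the Python below encodes a reset-request gate: spoofable or leakable signals such as caller ID and knowledge-based answers carry no weight, an MFA reset requires the account holder to be reached over a pre-registered channel, and a privileged account additionally needs live supervisor approval, otherwise the ticket is held for escalation rather than actioned by the agent. The tier names, channel names and sample requests are assumptions.

```python
"""Policy gate for help-desk password/MFA reset requests.

Added example, not an airline's or the advisory's procedure. Tier names,
verification-channel names and the sample requests are assumptions.
"""
from dataclasses import dataclass, field

# Signals Scattered Spider-style callers defeat routinely; they never count on their own:
# caller ID is spoofable, knowledge-based answers and employee IDs leak or are socially engineered.
WEAK_SIGNALS = {"caller_id", "kba", "recited_employee_id"}
# Channels that reach the real account holder out of band and were registered before
# the request, so the caller cannot steer where the verification goes.
IDENTITY_CHANNELS = {"callback_registered_number", "in_person_badge", "video_with_id"}
APPROVAL_CHANNEL = "manager_live_approval"
ACCEPTED = IDENTITY_CHANNELS | {APPROVAL_CHANNEL}


@dataclass
class ResetRequest:
    account: str
    action: str                  # "password_reset" or "mfa_reset"
    privileged: bool             # IAM/SSO admin, IT, contact-centre supervisor, vendor admin
    verification: set = field(default_factory=set)   # channels the agent actually completed
    urgency_claimed: bool = False


def decide(req):
    """Return (decision, reasons); decision is 'allow', 'escalate' or 'deny'.
    'escalate' holds the ticket for a supervisor instead of letting the agent act."""
    reasons = []
    ignored = req.verification & WEAK_SIGNALS
    if ignored:
        reasons.append(f"ignored weak signals: {sorted(ignored)}")
    if req.urgency_claimed:
        reasons.append("urgency claimed: pressure is a social-engineering indicator, no shortcut")

    strong = req.verification & ACCEPTED
    if not strong:
        reasons.append("no pre-registered out-of-band verification completed")
        return "deny", reasons

    has_identity = bool(strong & IDENTITY_CHANNELS)
    blockers = []
    if req.privileged:
        # "No-reset" rule: privileged accounts need the holder verified over a
        # pre-registered channel AND live supervisor/manager approval.
        if not has_identity:
            blockers.append("privileged account: holder not verified over a pre-registered channel")
        if APPROVAL_CHANNEL not in strong:
            blockers.append("privileged account: supervisor approval required")
    elif req.action == "mfa_reset" and not has_identity:
        blockers.append("MFA reset: account holder must be verified over a pre-registered channel")
    if blockers:
        return "escalate", reasons + blockers
    return "allow", reasons + [f"verified via {sorted(strong)}"]


# Constructed sample tickets.
SAMPLE_REQUESTS = [
    ResetRequest("agent17", "password_reset", False, {"caller_id", "kba"}),
    ResetRequest("agent17", "mfa_reset", False, {"callback_registered_number"}),
    ResetRequest("iam-admin", "mfa_reset", True, {"callback_registered_number"}, urgency_claimed=True),
    ResetRequest("iam-admin", "mfa_reset", True, {"callback_registered_number", "manager_live_approval"}),
    ResetRequest("agent42", "mfa_reset", False, {"manager_live_approval"}),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision, why = decide(req)
        print(f"{req.account:10} {req.action:15} -> {decision:8} {'; '.join(why)}")
```

The gate deliberately has no "override" input: the urgency flag only adds a reason and can never raise a decision, which is the property a vishing caller tries to erode.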

8.2 Patch management note

Because public reporting on these airline incidents is not centred on a specific CVE, prioritisation should follow:

  1. Identity/IAM control gaps (MFA resilience, reset workflows), then
  2. Internet-facing services and remote management exposures (RDP, remote tooling), consistent with the advisory’s mitigations. (ic3.gov)

9. Historical Context & Related Vulnerabilities

  • Scattered Spider has been repeatedly profiled in government/industry reporting as a social engineering-led actor; the multi-agency advisory remains the most defensible public baseline for their TTPs and mitigations. (ic3.gov)
  • UK strategic context: the UK NCSC has referenced Scattered Spider as part of the evolving operational threat landscape in its annual review. (NCSC)



10. Future Outlook

10.1 Emerging trends

Expect continued activity where organisations have:

  • outsourced help desks/contact centres,
  • large loyalty/customer identity stores, and
  • complex SSO/federation environments. (ic3.gov)

10.2 Likely shifts

Given the low-friction economics of voice-driven compromise, further “aviation-adjacent” targeting is plausible: airport services, ground handling, IT service providers, and travel technology vendors—especially where compromise enables lateral movement into multiple airlines via shared platforms. (ic3.gov)


11. Further Reading

Government / multi-agency

  • FBI/CISA and partners, joint cybersecurity advisory AA23-320A on Scattered Spider, updated 29 July 2025. (ic3.gov)
  • UK NCSC annual review, Scattered Spider referenced in the threat landscape discussion. (NCSC)

Airline statements / disclosures

  • Qantas public updates on the contact-centre platform incident, July 2025. (Qantas)
  • Hawaiian Airlines and WestJet incident statements (June 2025), as carried in press reporting. (Reuters)

Industry reporting (context)

  • Reuters coverage of the June–July 2025 airline incidents and the Unit 42 / Google Mandiant aviation warnings. (Reuters)
  • The Record from Recorded Future on the scale of the WestJet customer data theft. (The Record from Recorded Future)