The notorious cybercrime group known as Scattered Spider has expanded its targeting to the airline sector. The group famously relies on sophisticated social engineering to deceive IT help desk employees. The threat actors frequently impersonate employees or contractors to bypass multi-factor authentication (MFA). Recent high-profile incidents at both Hawaiian Airlines and WestJet have been attributed to the group's escalating operations.
Scattered Spider's continued success stems from its deep understanding of human workflows in large corporate environments. The group focuses on the people behind the systems, knowing that help desk staff can be caught off guard. The collective is well known for patient planning followed by sudden, swift escalation. It represents a major evolution in ransomware risk, combining social engineering with layered technical attacks and swift extortion. The group can breach an organization, establish persistent access, and detonate ransomware across entire networks in just a few hours.
America’s Federal Bureau of Investigation confirmed it is actively working with aviation partners to combat these new threats.
ReliaQuest detailed how the actors breached an organization by specifically targeting its chief financial officer. IT help desk requests from such accounts are typically treated with greater urgency. Once they have access, the attackers perform SharePoint discovery to locate sensitive files and other valuable collaborative resources. They also breach VPN infrastructure to secure uninterrupted remote access and can even crack open company password vaults.
Scattered Spider favors targeting C-Suite accounts because they are often granted over-privileged access to important company systems.
Cybersecurity experts and federal authorities are sounding urgent alarms now that these hackers have pivoted to the aviation sector. Mandiant recommends that the industry immediately tighten its help desk identity verification processes. Organizations are urged to be on high alert for advanced social engineering attempts and suspicious MFA reset requests. These attacks expose a critical weakness in organizations: the reliance on human-centric workflows for identity verification. Strengthening internal identity verification protocols is urgently needed so that human error is less likely to become the attackers' way in.
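One way to act on the advice to watch for suspicious MFA reset requests is to correlate each help desk reset with what the same account does next. The sketch below is an added example, not code from ReliaQuest, Mandiant or the FBI; the event schema, action names, account names and the four-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, account, action); not real logs.
# The schema and action names are assumptions made for this example.
EVENTS = [
    ("2025-07-01T09:02:00", "cfo@example.com", "mfa_reset"),
    ("2025-07-01T09:10:00", "cfo@example.com", "vpn_login"),
    ("2025-07-01T09:25:00", "cfo@example.com", "sharepoint_search"),
    ("2025-07-01T10:05:00", "cfo@example.com", "vault_access"),
    ("2025-07-01T11:00:00", "analyst@example.com", "mfa_reset"),
    ("2025-07-01T11:20:00", "analyst@example.com", "vpn_login"),
    ("2025-07-02T08:00:00", "ceo@example.com", "sharepoint_search"),
]
PRIVILEGED = {"cfo@example.com", "ceo@example.com"}  # assumed executive accounts
FOLLOW_UP = {"vpn_login", "sharepoint_search", "vault_access"}
WINDOW = timedelta(hours=4)  # assumed correlation window


def correlate(events, privileged=PRIVILEGED, window=WINDOW):
    """Return one alert per MFA reset that is followed, within the window,
    by VPN, SharePoint or password vault activity from the same account."""
    ordered = sorted(events, key=lambda e: e[0])  # ISO timestamps sort as text
    alerts = []
    for i, (ts, user, action) in enumerate(ordered):
        if action != "mfa_reset":
            continue
        start = datetime.fromisoformat(ts)
        seen = []
        for ts2, user2, action2 in ordered[i + 1:]:
            if datetime.fromisoformat(ts2) - start > window:
                break
            if user2 == user and action2 in FOLLOW_UP and action2 not in seen:
                seen.append(action2)
        if not seen:
            continue
        # A privileged account touching several resources right after a
        # reset matches the chain described above and is ranked highest.
        if user in privileged and len(seen) >= 2:
            severity = "high"
        elif user in privileged or len(seen) >= 2:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"user": user, "reset_at": ts,
                       "followed_by": seen, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A single VPN login after a reset is ordinary behaviour, which is why the non-privileged account in the sample only produces a low-severity alert.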