
FBI Warns Scattered Spider Now Targeting Airlines and Transportation Sector

The FBI issued an urgent warning on June 28, 2025, confirming that the notorious Scattered Spider hacking group has pivoted its operations toward the airline and transportation sector. The alert follows confirmed cyberattacks against Hawaiian Airlines and an ongoing breach at WestJet that has persisted since June 13. Cybersecurity teams from Google Mandiant and Palo Alto Unit 42 corroborated the FBI assessment, marking a significant escalation for a group previously known for targeting the retail, insurance, and hospitality industries.

The Exploit Mechanics

Scattered Spider operates through sophisticated social engineering campaigns designed to manipulate employees into surrendering credentials and bypassing multi-factor authentication. The group impersonates IT support staff, sends targeted phishing emails, and uses voice phishing (vishing) to convince victims to approve fraudulent authentication requests. Once inside a network, the hackers move laterally, escalate privileges, and exfiltrate sensitive data before deploying ransomware or demanding extortion payments.

What separates Scattered Spider from typical cybercriminal operations is the human element. Rather than relying solely on automated exploits, the group invests considerable effort in understanding organizational structures, identifying key personnel, and crafting highly convincing pretext scenarios. In the airline context, attackers target reservation systems, passenger data repositories, and operational technology networks that control flight scheduling and baggage handling.

The WestJet breach exemplifies the group’s persistence. Now in its third week, the attack continues to disrupt the Canadian carrier’s operations, with passengers experiencing booking delays and limited access to loyalty program accounts. Hawaiian Airlines confirms a separate intrusion, though the full scope of compromised data remains under investigation.

Affected Systems

The transportation sector presents a uniquely attractive target for several reasons. Airlines manage vast quantities of personally identifiable information, including passport numbers, payment card details, and travel itineraries. This data commands premium prices on dark web marketplaces. Additionally, operational disruptions carry immediate public visibility, increasing pressure on executives to negotiate ransom payments quickly.

Scattered Spider’s previous campaigns provide context for the current threat. The group gained notoriety after attacking major UK retailers including Marks & Spencer (M&S), forcing the company to suspend online ordering for weeks. Insurance giant Aflac confirmed a breach attributed to the same actors. Hotel chains, casino operators including MGM Resorts and Caesars Entertainment, and technology companies have all fallen victim to the group’s methods.

The FBI assessment indicates that the group's membership consists primarily of English-speaking teenagers and young adults based largely in the United States and United Kingdom. Their native fluency in English gives them a distinct advantage in social engineering attacks, since they can conduct convincing phone calls and craft grammatically flawless phishing communications, a capability that many international hacking groups lack.

The Mitigation Strategy

Defending against Scattered Spider requires a fundamentally different approach from traditional vulnerability management. Since the group exploits human behavior rather than software flaws, organizations must prioritize identity security and employee awareness. The FBI recommends implementing phishing-resistant multi-factor authentication using FIDO2 hardware tokens rather than SMS-based one-time passwords, which the group routinely intercepts.

Security teams should establish strict access controls based on the principle of least privilege, ensuring that compromised credentials cannot grant access to critical airline systems. Network segmentation plays a crucial role in limiting lateral movement. Passenger data systems, operational technology networks, and corporate IT infrastructure should operate in isolated zones with separate authentication requirements.

Organizations must also implement robust verification procedures for IT support calls. Scattered Spider frequently impersonates help desk staff to convince employees to reset passwords or approve MFA prompts. Companies should establish callback verification protocols and internal codes that legitimate IT staff can provide to confirm their identity.

Continuous monitoring for unusual authentication patterns helps detect compromised accounts early. Security teams should flag login attempts from unusual geographic locations, multiple failed MFA challenges, and unexpected password reset requests as potential indicators of Scattered Spider activity.
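The three indicators named above, plus the help-desk-initiated password reset described in the previous section, can be turned into straightforward detection rules over an authentication log. The following is an added example, not code from the article or from any vendor: the event schema (`ts`, `user`, `event`, `country`, `mfa`, `actor`), the sample events, and the thresholds (three denied MFA prompts within ten minutes, a login within an hour of a reset) are all assumptions chosen for illustration.

```python
"""Detection rules for the authentication anomalies the article lists:
logins from unusual locations, repeated failed MFA challenges, and
unexpected (help-desk-initiated) password resets.

Added example. The log schema, sample events and thresholds below are
assumptions for illustration, not any identity provider's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), in an assumed schema.
SAMPLE_EVENTS = [
    {"ts": "2025-06-13T08:00:00", "user": "alice", "event": "login_success", "country": "CA", "mfa": "push"},
    {"ts": "2025-06-13T08:05:00", "user": "bob", "event": "login_success", "country": "CA", "mfa": "push"},
    # alice: help-desk reset, then a login from a never-seen country using SMS as the factor
    {"ts": "2025-06-13T21:10:00", "user": "alice", "event": "password_reset", "country": "CA", "actor": "helpdesk"},
    {"ts": "2025-06-13T21:15:00", "user": "alice", "event": "login_success", "country": "NG", "mfa": "sms"},
    # bob: several denied push prompts followed by an approval (MFA fatigue pattern)
    {"ts": "2025-06-14T02:00:00", "user": "bob", "event": "mfa_denied", "country": "CA"},
    {"ts": "2025-06-14T02:01:00", "user": "bob", "event": "mfa_denied", "country": "CA"},
    {"ts": "2025-06-14T02:02:00", "user": "bob", "event": "mfa_denied", "country": "CA"},
    {"ts": "2025-06-14T02:03:00", "user": "bob", "event": "login_success", "country": "CA", "mfa": "push"},
    # carol: normal activity with a phishing-resistant factor, should produce no findings
    {"ts": "2025-06-14T09:00:00", "user": "carol", "event": "login_success", "country": "CA", "mfa": "fido2"},
]

MFA_FAIL_THRESHOLD = 3                    # assumed: denied prompts before we call it fatigue
MFA_WINDOW = timedelta(minutes=10)        # assumed: look-back window for denied prompts
RESET_TO_LOGIN_WINDOW = timedelta(hours=1)  # assumed: "shortly after a reset"


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_anomalies(events, baseline_countries=None):
    """Return a list of (user, rule, detail) findings.

    baseline_countries: optional {user: set_of_countries} of known-good
    locations. Without it, each user's first successful login seeds the
    baseline, so the very first login is never flagged as a new country.
    """
    events = sorted(events, key=_ts)
    known = defaultdict(set, {u: set(c) for u, c in (baseline_countries or {}).items()})
    denied = defaultdict(list)   # user -> timestamps of denied MFA prompts
    last_reset = {}              # user -> timestamp of the most recent password reset
    findings = []

    for ev in events:
        user, ts, kind = ev["user"], _ts(ev), ev["event"]

        if kind == "mfa_denied":
            denied[user].append(ts)
            continue

        if kind == "password_reset":
            last_reset[user] = ts
            # Rule 4: resets performed through the help desk are exactly the path
            # an impersonation call produces, so surface them for review.
            if ev.get("actor") == "helpdesk":
                findings.append((user, "helpdesk_reset", "password reset initiated by help desk"))
            continue

        if kind == "login_success":
            # Rule 1: successful login from a country never seen for this user.
            if known[user] and ev["country"] not in known[user]:
                findings.append((user, "new_country", f"login from {ev['country']}"))
            known[user].add(ev["country"])

            # Rule 2: several denied prompts shortly before an approval (push fatigue).
            recent = [t for t in denied[user] if ts - t <= MFA_WINDOW]
            if len(recent) >= MFA_FAIL_THRESHOLD:
                findings.append((user, "mfa_fatigue", f"{len(recent)} denied prompts before approval"))
            denied[user] = []

            # Rule 3: login soon after a reset using the weak SMS factor.
            reset_ts = last_reset.get(user)
            if reset_ts and ts - reset_ts <= RESET_TO_LOGIN_WINDOW and ev.get("mfa") == "sms":
                findings.append((user, "reset_then_sms_login", "SMS-factor login shortly after reset"))

    return findings


if __name__ == "__main__":
    for user, rule, detail in detect_anomalies(SAMPLE_EVENTS):
        print(f"{user:6} {rule:22} {detail}")
```

Run stand-alone, the script prints four findings: a help-desk reset and a new-country login followed by an SMS-factor login for `alice`, and an MFA-fatigue pattern for `bob`; `carol` produces nothing. Passing a `baseline_countries` map lets an analyst suppress the new-country rule for users whose travel is expected, which matters in an airline environment where staff legitimately authenticate from many countries.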

Lessons Learned

The Scattered Spider campaign against airlines underscores a broader shift in the threat landscape. Financially motivated threat actors increasingly target industries where operational disruption creates maximum leverage for extortion. The transportation sector’s reliance on real-time systems and its direct consumer impact make it particularly vulnerable to this strategy.

The group’s evolution from casino and retail targets to critical transportation infrastructure demonstrates an escalating risk appetite. Each successful campaign funds more ambitious operations while building the group’s reputation and operational expertise. Law enforcement agencies including the FBI, UK’s National Crime Agency, and Europol coordinate efforts to identify and prosecute members, but the distributed nature of the group complicates these investigations.

For the cryptocurrency community, the attack carries indirect implications. Scattered Spider’s history includes cryptocurrency theft, and the group launders proceeds through mixing services and cross-chain bridges. As Bitcoin trades at $107,327 and Ethereum at $2,437, the financial incentives for sophisticated cybercrime continue to grow, attracting both established groups and new entrants.

User Action Required

Travelers who have flown with Hawaiian Airlines or WestJet since early June 2025 should monitor their financial accounts for unauthorized transactions and consider placing fraud alerts with credit bureaus. Passengers should change passwords for airline loyalty programs and enable multi-factor authentication on all travel-related accounts.

Crypto users who also hold airline loyalty points or travel frequently should be especially vigilant. Credential reuse between airline accounts and crypto exchanges creates a direct attack path. Security professionals recommend using unique passwords for every service and employing a reputable password manager to maintain distinct credentials across platforms.

Organizations in the transportation sector should immediately review their incident response plans, conduct tabletop exercises simulating social engineering attacks, and engage with CISA and FBI resources available through the Joint Cyber Defense Collaborative. The window for proactive defense narrows with each passing day as Scattered Spider continues to refine its tactics and expand its target list.


8 thoughts on “FBI Warns Scattered Spider Now Targeting Airlines and Transportation Sector”

  1. Scattered Spider using vishing to bypass MFA is old-school social engineering with modern tools. Airlines are soft targets because their legacy reservation systems have terrible access controls.

    1. Airline reservation systems run on COBOL from the 70s. Modern MFA bolted onto legacy auth is security theater against a group this persistent.

  2. Yuki Hashimoto

    WestJet breach in its third week and still ongoing. The persistence of these attacks is what separates state-level groups from random hackers.

    1. incident_resp

      Three weeks of persistent access is wild. Most incident response teams assume containment within days, not that the attacker is still exfiltrating.

    2. This has nothing to do with what the crypto space needs. It's a warning about enterprise security failures in a critical industry.
