
FBI: Hackers Bypass Airline Security Using Social Engineering

Arachnid airlines.
David Eberly
Contributing Writer

A new string of cyberattacks has struck the aviation sector, with the FBI confirming that the cybercrime group Scattered Spider has successfully infiltrated the networks of multiple North American airlines. Recent breaches at Hawaiian Airlines and WestJet serve as the latest warning that no industry is immune to the growing threat posed by advanced social engineering campaigns.

Although operational safety has not been compromised, the breaches underscore the human vulnerabilities in cybersecurity.

Scattered Spider’s tactics are not brute-force or exploit-based. Instead, they weaponize trust and internal processes by impersonating employees and manipulating help desk protocols. This approach enables them to bypass multi-factor authentication (MFA), infiltrate core systems, and carry out data exfiltration, ransomware deployment, and even infrastructure sabotage.

Their recent campaigns against aviation entities build on a disturbing pattern of attacks that have previously targeted the insurance, casino, and retail sectors. As the busy travel season unfolds, experts warn that the group’s tactics could continue to evolve and intensify.

Why It Matters: The aviation industry is a critical component of national infrastructure. Its digital networks support not only airline operations but also passenger data, logistics, and vendor ecosystems. The breaches orchestrated by Scattered Spider highlight how even sophisticated security systems can be undone by human-centric vulnerabilities. With the FBI and cybersecurity firms racing to contain the damage and advise mitigation, this episode serves as a crucial wake-up call to the importance of human awareness and procedural rigor.

  • Social Engineering as a Primary Attack Vector: Scattered Spider’s defining technique is exploiting help desk staff by posing as legitimate employees or high-ranking executives. In one case, hackers impersonated a company’s CFO, using social media and breach data to pass security questions and reset MFA credentials. These identity-based attacks circumvent even advanced cybersecurity defenses, leveraging trust over technology. Organizations must revisit how identity is validated across their IT service functions. This means implementing multi-step verification for all MFA changes, prohibiting any single-person authorization, and using biometric or token-based verification for high-risk accounts. Formal policies should require supervisor-level approval for identity resets tied to admin or executive roles.
  • Expanding Sectoral Footprint: Initially notorious for attacking casinos and retail giants, Scattered Spider has now shifted focus to the aviation sector, including airlines and third-party service providers. The group’s strategy involves targeting supply chains and ecosystem partners, significantly broadening the potential impact radius of each breach. Contractors, IT vendors, and affiliated systems are all fair game, making sector-wide vigilance essential. Leaders should complete an aggressive review of all third-party access, enforce network segmentation for external users, and apply zero trust architecture principles to all vendor integrations. They should also require vendors to meet internal security standards and consider continuous monitoring tools that track behavior and data flows from all external endpoints.
  • Operational Disruption through Lateral Movement: Once inside a network, Scattered Spider doesn’t just extract data. They escalate privileges, map out cloud infrastructure, and disrupt internal systems. In a recent attack, they hijacked a virtual environment, accessed sensitive databases, and even reinstated decommissioned virtual machines. Their ability to move laterally across on-premises and cloud environments shows expert technical sophistication and planning.
  • FBI and Industry Mobilization: The FBI is working directly with airlines and cybersecurity firms like Google-owned Mandiant to assess damages, identify vulnerabilities, and prevent further breaches. Industry groups like the Aviation ISAC have also issued alerts, urging members to enhance internal controls, particularly around help desk identity verification and MFA management. Experts stress that procedural rigor is now as important as technical safeguards.
  • Speed of Intrusion Demands Real-Time Response Capabilities: These attacks unfold in hours, not days. Once inside, Scattered Spider has shown it can escalate privileges, access virtual environments, compromise VPNs, and disable domain controllers at alarming speed. Traditional monitoring and response timelines are insufficient. Enterprises must ensure security operations centers (SOCs) have real-time telemetry across hybrid environments, automated containment capabilities, and pre-authorized escalation paths for rapid incident response. Conduct quarterly simulation drills focused on social engineering intrusions to stress-test readiness and response fluidity.
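
The help desk controls in the first bullet above (multi-step verification, no single-person authorization, token or biometric checks and supervisor approval for admin and executive resets) can be enforced as a policy gate in the ticketing workflow. The sketch below is an added example, not code from the article or any vendor; the factor names, role labels and `ResetRequest` fields are assumptions.

```python
from dataclasses import dataclass, field

# Factor and role names are hypothetical labels for this sketch.
KNOWLEDGE_FACTORS = {"security_questions", "employee_id_readback"}
STRONG_FACTORS = {"hardware_token", "biometric"}
HIGH_RISK_ROLES = {"admin", "executive"}


@dataclass
class ResetRequest:
    target_user: str
    target_role: str                  # "standard", "admin" or "executive"
    handled_by: str                   # help desk agent taking the call
    factors_passed: set = field(default_factory=set)
    approvals: list = field(default_factory=list)  # (approver_id, level)


def evaluate_mfa_reset(req: ResetRequest) -> list:
    """Return policy violations; an empty list means the reset may proceed."""
    violations = []
    # Security-question answers can be assembled from social media and
    # breach data, so knowledge factors never count toward verification.
    usable = req.factors_passed - KNOWLEDGE_FACTORS
    if len(usable) < 2:
        violations.append("need two non-knowledge verification steps")

    # No single-person authorization: neither the handling agent nor the
    # account owner can be the approver.
    independent = [(who, level) for who, level in req.approvals
                   if who not in (req.handled_by, req.target_user)]
    if not independent:
        violations.append("need approval from a second person")

    if req.target_role in HIGH_RISK_ROLES:
        if not usable & STRONG_FACTORS:
            violations.append("high-risk account needs token or biometric check")
        if not any(level == "supervisor" for _, level in independent):
            violations.append("high-risk account needs supervisor approval")
    return violations


# Constructed sample: a caller claiming to be the CFO passes only security
# questions, and the same agent who took the call signs off on the reset.
CFO_CALL = ResetRequest("cfo", "executive", "agent7",
                        {"security_questions"}, [("agent7", "agent")])
```

Wiring the returned list into the ticket (block the reset and record each violation) also gives the SOC a searchable trail of refused high-risk resets.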

Go Deeper → Rampant cybercriminal group targets US airlines – CNN

FBI Warns of Scattered Spider’s Expanding Attacks on Airlines Using Social Engineering – The Hacker News

FBI Warning Issued As 2FA Bypass Attacks Surge - Get Prepared – Forbes

Trusted insights for technology leaders

Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.
