Pirates associated with “scattered spiders” tactics extended their targeting to aviation and transport industries after previously attacked the insurance and retail sectors
These threat stakeholders used a sectoral approach by sector, initially targeting retail companies, such as Ms And Cooperativein the United Kingdom and UNITED STATES and then move their concentration to insurance companies.
Although threat stakeholders were not officially appointed responsible for insurance sector attacks at the start, recent incidents had an impact AFLAC,, Erié insuranceand Philadelphia’s insurance companies.
The pirates target the aviation industry
On June 12, the second largest airline in Canada, Westjet, underwent a cyber attack This has briefly disrupted the internal services of the company and the mobile application.
Shortly after the violation, sources declared to Bleeping that Palo Alto Networks and Microsoft helped the response to the attack.
The attack was awarded to Spottered Spider, who would have compromised company data centers and its Microsoft Cloud environment.
BleepingComputter was informed that the threat actor had access by resetting a self-service password for an employee, which allowed them to record his own MFA and obtain remote access to the network via Citrix.
While other threat actors lead identity attacks, Spander Spider has become associated with this tactic because of their regular targeting of assistance and password and infrastructure MFA.
Today, Hawaiian Airlines also revealed that they underwent a cyber attack But provided no details that could indicate who was behind the attack. However, a source said that he thought he thought that the same threat actors were responsible.
Sam Rubin de Palo Alto Networks, Vice-President Director of Consulting and Ke in threats, has now confirmed Linkedin that Spander Spider has started to target the aviation industry.
“Unit 42 observed the balance confused (also known as scattered spider) targeting the aviation industry”, ” AFTER RUBIN.
“Organizations should be on high alert for attacks of sophisticated and targeted social engineering and requests for reset from MFA Suspects.”
Charles Carmakal of Mandiant also warned that threat actors have now focused on the aviation and transport sectors.
“Alert: Sported Spider has added North American airlines and transport organizations to their target list”. Carmakal posted on LinkedIn.
“Mandiant (part of Google Cloud) is aware of several incidents in the airline and transport sector that resembles operations of UNC3944 or dispersed spider.
“We recommend that the industry immediately take measures to strengthen its assistance identity verification processes before adding new telephone numbers to the accounts of employees / entrepreneurs (which can be used by the threat actor to carry out resets of self-service password), reset passwords, add devices to MFA solutions or provide information on employees (EG ID) be used for attacks in following social engineering. ” “”
American Airlines also suffers from a computer failure, but it is not clear if it is a security incident. BleepingCompute contacted the airline but did not receive an answer.
What is the scattered spider
Scattered spider, also known as 0ktapusStarfraud, UNC3944,, Scatter,, Octo TempestAnd Muddledis a classification of threat actors who are capable of using social engineering attacks, phishing, multi-factor authentication bombings (MFA) (targeted fatigue of the MFA), and the exchange of SIM to obtain initial access on the network on large organizations.
These threat actors include young English -speaking people with various skills sets that frequent the same pirate forums, telegrams canals and discord servers. These supports are then used to plan and execute attacks in real time.
Some are supposed to be part of the “COM”- a slightly united community of threat actors known for financial fraud, cryptocurrency theft, data violations and extortion attacks.
While Spander Spider is commonly called a coherent gang, it is in fact used to designate threat actors who use specific tactics during the attack. Since the attacks associated with dispersed spider tactics are also commonly used by different individuals from a loose network of threat actors, it is difficult to follow them.
Unlike many other English -speaking threat actors, those associated with “Spotted Spider” are known to associate with Russian ransomware gangs, such as Blackcat,, Ransomhub,, Qilinand dragonforce.
Other attacks linked to a dispersed spider include those MGM,, Marks & Spencer,, Cooperative,, Twilio,, Jamming,, Doordash,, Caesars,, Mailchimp,, Riot gamesAnd Reddit.
Organizations defending themselves against this type of threat actor should start obtaining complete visibility throughout the infrastructure, identity systems and critical management services.
This includes securing the platforms for resetting self-service password and assistance offices, common targets of these threat actors.
Both Google Threat Intelligence Group (GTIG) And Palo Alto networks have released guides on the tightening of the defenses against the known tactics “scattered spider” used by these threat actors.
All administrators are advised to familiarize themselves with these advice and harvest their identity platforms and process.
Update of 06/27/25: Addition of American Airlines is currently suffering from a computer failure.
The corrective meant complex scripts, long hours and endless fire exercises. No more.
In this new guide, teeth decompose the way in which modern IT Orgs are gaining power with automation. Patch faster, reduce the general costs and focus on strategic work – no complex script required.
