Airplane before take off on runway showing Scattered Spider cyber attacks

FBI Warns of Cyber Attacks on “Airline Ecosystem” To Accompany Summer Travel Season

Those traveling in, within and out of North America during the peak summer season should anticipate a possible added source of delays to accompany the usual sporadic wildfires and storms. The FBI is warning that one of the world’s most prolific and dangerous ransomware groups has now set its sights on the “airline ecosystem” of the region, and has already racked up successful cyber attacks against two major airlines.

The airlines and their support ecosystem is now the focus of the “Scattered Spider” group, according to the FBI. This group vaulted to international attention in 2023 with another travel disruption, when it attacked casinos on the Las Vegas Strip with ransomware and caused havoc at MGM’s properties for an extended period. It has since cycled through a few different target regions and industries since re-emerging earlier this year, most recently spending periods of several weeks attacking major retailers in the UK and insurance companies in the US.

Scattered Spider leaps from insurance to air travel

The two documented cyber attacks thus far are on Hawaiian Airlines, a top 20 American airline that serves about 10 million passengers per year and has international connections to a handful of countries, and WestJet, another top 20 airline by passenger count that focuses on flights in and out of Canada and serves some 100 destinations in total.

Security researchers with Mandiant and Palo Alto Networks have backed the FBI assessment of targeted Scattered Spider actions against the airline industry, noting their own independent observations of activity in LinkedIn posts. This is a familiar pattern for the group, which tends to focus heavily on a particular region and industry for several weeks before moving on to something else. From April into May of this year, the group compromised a number of major retailers in the UK. It then jumped to targeting US insurance firms in June, and has now apparently switched its focus once again with the peak summer travel season in full swing.

The FBI stresses that though the group has compromised two airlines thus far, it is likely targeting assorted vendors and contractors as well. This covers a very broad range of suppliers for both the airport facilities and airlines themselves, as well as a large number of third-party contractors that tend to handle staffing for lower-level airport job positions such as cleaning staff and skycaps.

The good news is that there is not yet any report of flights being impacted. Hawaiian Airlines has issued a press release indicating that it is not expecting any service disruptions, which has since been replicated as a banner notice that appears when visiting its website. WestJet was breached on June 13 and for a time customers were unable to access the airline’s website or mobile app, but flights were not delayed or canceled as a result. WestJet has only said that the cyber attack impacted “some of its software and services.” There has not yet been a confirmation of ransomware in either of the attacks, though if Scattered Spider is involved that is their standard modus operandi and an attempt was likely made.

Awareness of cyber attack techniques may be limiting Scattered Spider’s damage

The air transport industry should continue to anticipate that cyber attacks are inbound, but Scattered Spider seems to have been moving from sector to sector more rapidly as of late. That might be due to somewhat lackluster results, at least from what has been shared with the public. The group’s current campaign started off with a bang as it compromised some of the UK’s biggest retailers, but its subsequent shift of focus to US retailers seemed to yield no results. It then went after US insurance companies, seemingly with only minor success with a couple of targets before switching rather quickly to targeting airlines.

The group is very much a known quantity at this point, deploying the same tactics in its cyber attacks as it did during its most notorious run during 2023, and the playbook is now essentially out on them. Though some key members were arrested in 2024, the recent replacements seem to be similarly fluent speakers of English likely based in the UK or US. They will approach IT help desks and attempt to pressure employees into resetting a password, and then leverage that access to exfiltrate sensitive data and deploy ransomware.

However, Ted Miracco (CEO, Approov) notes that the group is highly skilled and may be adapting its tactics as the industries it targets do a better job of early warnings and coordination to prepare for their attempts: “The Hawaiian Airlines attack highlights an overlooked security vulnerability in aviation and travel that is tied to mobile applications and the systems they connect to. Although details are still emerging, there are clear similarities to what happened with WestJet earlier this month, where attackers exploited weaknesses in backend APIs to gain access – an approach that has become increasingly common among experienced cybercriminals. These cases point to a broader issue in how mobile app security is typically handled. While companies like Apple and Google focus heavily on protecting users’ devices, those protections don’t necessarily extend to how apps communicate with their servers. Skilled attackers can analyze how these apps function, then mimic their behavior with tools or modified versions of the apps to interact with the system in ways that aren’t always caught by standard defenses.”

And Nick Tausek, Lead Security Automation Architect at Swimlane, expands on why the air transport industry should expect an uptick in cyber attacks from other threat actors: “The surge in cyberattacks against airlines points to a troubling trend, not a random string of incidents.. In December 2024, Japan Airlines disclosed a cyber attack that halted over 40 flights for a period of time. Airlines sit at the intersection of critical infrastructure and personal data, making them a high-value target for cybercriminals and nation-state actors alike. They have access to an extensive amount of sensitive information, including passenger information, payment data, and flight operations details. A data breach to these areas can result in consequences ranging from identity theft to widespread operational disruptions. If attackers are turning their sights on airlines, organizations must proactively establish strong defensive measures to reduce the impact of these attacks beforehand, rather than trying to play cleanup after the fact.”

Darren Williams, Founder and CEO of BlackFog, adds: “With international travel currently at its peak, the aviation industry is under immense pressure to deliver seamless service, and cybercriminals are exploiting that pressure. The sector is a treasure trove for cybercriminals, handling vast amounts of valuable passenger data. Increasingly, the primary goal of cyber attacks is often not just to access systems but to use sensitive or personal data as leverage for extortion attempts, or sold on the dark web for further criminal activity, such as phishing and identity fraud. And with incidents like this one highlighting how threat actors are actively and deliberately targeting airlines, operators must remain vigilant, investing in robust defences that safeguard customer data, protect operations, and customer trust.”