Expanded Aerial Movement's Possible Shift Toward Incorporating Spiders

Hawaiian Airlines suffers a cyber-attack with elements reminiscent of a renowned criminal cyber organization.

A Spider entity seemingly shifts focus towards the aviation industry.

In a concerning turn of events, the Scattered Spider cybercrime gang has expanded its targeting to include the aviation industry. This shift has raised serious concerns about the safety and resilience of commercial aviation, as reported by researchers.

The warning comes amidst a backdrop of aging infrastructure and significant cuts at federal agency partners in the aviation and airline sectors. This vulnerability has been exploited by Scattered Spider, as they launch sophisticated and targeted social engineering attacks.

On Thursday, Hawaiian Airlines disclosed an attack that disrupted some of its IT systems. The airline, however, continues to operate safely, having notified authorities and enlisted the help of third-party experts to investigate the intrusion and restore regular network operations.

American Airlines also experienced a technology issue that impacted connectivity for some of its systems, but was able to resolve it, restoring full operations. The airline has not yet attributed the attack to any specific group.

Researchers at Halcyon confirmed on Friday that Scattered Spider had shifted towards the transportation sector, including aviation. The gang often impersonates employees or contractors to deceive IT help desks, granting them access to systems. Once inside, they steal sensitive data for extortion and often deploy ransomware.

Halcyon also reported that Scattered Spider is targeting the food and manufacturing sectors. In the past, they have attacked major British companies like Jaguar Land Rover, possibly compromising employee information, supplier contracts, and intellectual property.

Mandiant is still working on attribution and analysis, but the tactics, techniques, and procedures used by Scattered Spider are consistent with their past attacks. Cynthia Kaiser, senior vice president of Halcyon's Ransomware Research Center, advised organizations to audit any use of remote management tools for signs of abuse.

Researchers at Palo Alto Networks have also observed Scattered Spider, which they track as Muddled Libra, targeting the aviation sector.

Organizations should be on high alert for suspicious MFA reset requests and sophisticated social engineering attacks. Help desk staff can be trained to use phishing-resistant multifactor authentication and robust identity-verification measures to protect against such attacks.

Despite the disruptions, no flights were cancelled, though some flights were delayed earlier. The Cybersecurity and Infrastructure Security Agency and Federal Aviation Administration did not respond to requests for comment.
