
Airline companies warned of potential Scattered Spider hacking incidents

Airlines face a heightened threat from cyber intrusions, according to the FBI, with the hacking collective Scattered Spider identified as the prime suspect.

Airlines potentially face Scattered Spider hacking incidents, according to the FBI

In recent developments, the hacking group known as Scattered Spider has been utilizing social engineering tactics to manipulate IT help desks for unauthorized system access. This group, also known as UNC3944, Muddled Libra, and Octo Tempest, has been causing concern across various sectors, including telecom providers, financial services, retailers, and now the airline sector.

Google's Mandiant has observed multiple incidents in the airline and transportation verticals that exhibit similarities to Scattered Spider's methodology. These incidents have been reported by major carriers such as WestJet, Hawaiian Airlines, and Australian carrier Qantas.

One notable breach involved the chief financial officer of an unnamed company. In this case, attackers manipulated the IT help desk into resetting credentials and multi-factor authentication (MFA) devices, granting them full access to the system.

Scattered Spider's success is attributed to its detailed understanding of human behavior within corporate systems. The group's decentralized structure complicates efforts to dismantle it, as it consists of various hacking collectives and individuals engaged in cybercrime. The underground group, referred to as "the Com," is primarily composed of English-speaking teenagers and young adults who operate from platforms like Discord and Telegram.

Once access is gained, the hackers steal data, demand ransom payments, and in some instances, deploy ransomware to incapacitate operations. They have been known to infiltrate systems including SharePoint, Horizon Virtual Desktop, and VMware, exfiltrating sensitive data and subsequently disabling firewalls after detection.

John Hultquist, chief analyst at Google's threat intelligence group, stated that Scattered Spider is carrying out serious attacks on critical infrastructure. Cybersecurity experts advise aviation firms to maintain a high alert for fraudulent MFA reset requests and impersonation attempts. Sam Rubin of Palo Alto Networks' Unit 42 has recommended that industries immediately tighten up their help desk identity verification processes.

Charles Carmakal, chief technology officer at Mandiant, also stressed the importance of immediate action. He advised that the industry should take steps to strengthen its help desk identity verification processes to prevent such incidents.
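One way to watch for the help desk pattern described above, shown as an added example that is not from the article or the FBI advisory: a correlation rule that flags a password reset and an MFA device reset on the same account within a short window. The event schema, action names, watchlist and 30-minute window are assumptions, and the log events are constructed.

```python
from datetime import datetime, timedelta

# Constructed identity-audit events; field and action names are assumptions,
# not any real product's log schema.
EVENTS = [
    {"ts": "2025-07-01T09:00:00", "actor": "helpdesk-a", "action": "password_reset", "target": "cfo@example.com"},
    {"ts": "2025-07-01T09:04:00", "actor": "helpdesk-a", "action": "mfa_device_reset", "target": "cfo@example.com"},
    {"ts": "2025-07-01T09:06:00", "actor": "cfo@example.com", "action": "mfa_device_enrolled", "target": "cfo@example.com"},
    {"ts": "2025-07-01T10:00:00", "actor": "helpdesk-b", "action": "password_reset", "target": "agent1@example.com"},
    {"ts": "2025-07-02T15:00:00", "actor": "helpdesk-b", "action": "mfa_device_reset", "target": "agent2@example.com"},
]

RESET_ACTIONS = {"password_reset", "mfa_device_reset"}
PRIVILEGED = {"cfo@example.com"}   # hypothetical watchlist of high-value accounts
WINDOW = timedelta(minutes=30)     # assumed correlation window


def find_suspicious_resets(events, window=WINDOW, privileged=PRIVILEGED):
    """Return one alert per account whose password AND MFA were reset within `window`."""
    parsed = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events),
                    key=lambda p: p[0])
    last = {}      # target -> {reset action: time last seen}
    alerts = []
    for ts, e in parsed:
        if e["action"] not in RESET_ACTIONS:
            continue
        seen = last.setdefault(e["target"], {})
        (other,) = RESET_ACTIONS - {e["action"]}   # the complementary reset type
        if other in seen and ts - seen[other] <= window:
            # A new authenticator enrolled right after the pair raises confidence.
            enrolled = any(
                e2["action"] == "mfa_device_enrolled"
                and e2["target"] == e["target"]
                and ts <= t2 <= ts + window
                for t2, e2 in parsed
            )
            alerts.append({
                "target": e["target"],
                "completed_at": ts.isoformat(),
                "new_device_enrolled": enrolled,
                "severity": "high" if e["target"] in privileged else "medium",
            })
        seen[e["action"]] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```
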

In response to the increasing threat, the FBI has issued a public advisory regarding an increase in cyberattacks targeting the airline sector. Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise. Organizations suspecting a targeting incident are encouraged to report it promptly to the FBI.

The rapid learning curve and collaborative nature of the group contribute to its increased threat level. However, with vigilance and swift action, the impact of Scattered Spider can be mitigated. It is crucial for all industries to stay informed and take proactive measures to protect their systems and data.
