The Federal Bureau of Investigation (FBI) has sounded the alarm on the expanding activities of a cybercriminal group known as Scattered Spider, now targeting the aviation industry in its latest wave of ransomware attacks.
Already infamous for a string of high-profile attacks—most notably a breach of UK retailer Marks & Spencer, which cost the company hundreds of millions—Scattered Spider is broadening its scope. The group is now turning its attention to the airline sector, both directly and through its supply chains, using advanced social engineering tactics to breach corporate defenses.
FBI Confirms Shift to Aviation Targets
The FBI confirmed that Scattered Spider is actively targeting the airline industry, a move first hinted at in a June 26 threat report by cybersecurity firm Halcyon. That report noted signs of increased interest from the group in sectors like food production, manufacturing, and transportation, with aviation emerging as a key focus.
In an official statement, the FBI revealed that the group continues to rely heavily on social engineering techniques to gain access to sensitive systems. These attackers typically impersonate company employees or contractors, tricking IT help desks into making unauthorized changes—most notably, adding rogue multi-factor authentication (MFA) devices to legitimate user accounts. This allows them to sidestep standard security protocols and gain entry into critical systems.
Persistent Threat with Evolving Tactics
Scattered Spider is not a new name in the world of cybersecurity. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) had already issued a joint advisory in 2023, warning businesses about the group’s campaigns targeting commercial infrastructure. However, this new shift toward aviation adds a fresh layer of urgency to the threat.
The FBI is now working closely with aviation companies and their partners to contain the threat and help mitigate any breaches. It also encourages businesses that observe suspicious activity to report incidents immediately to their local FBI field office.
Security teams are being urged to strictly follow established procedures, particularly when dealing with requests related to MFA or access controls. Even seemingly routine requests should be verified thoroughly, the agency warned.
Anatomy of a Scattered Spider Attack
An analysis from the ReliaQuest Threat Research Team reveals that Scattered Spider primarily focuses on exploiting human behavior rather than system vulnerabilities. According to the research:
- 81% of spoofed domains used by the group mimic legitimate technology vendors, increasing the likelihood of duping employees.
- Their targets are often high-level personnel, such as system administrators and executives, who hold access to sensitive internal systems.
- The group uses a mix of phishing frameworks, like Evilginx, and sometimes even engages in real-time video calls to make their impersonations more convincing.
These methods allow the group to gain initial access with alarming ease and set the stage for full-scale ransomware attacks.
Collaboration with Global Cybercriminal Networks
ReliaQuest’s findings also suggest that Scattered Spider is deeply embedded in the global cybercrime ecosystem. The group has close ties to The Community, a loosely affiliated hacker collective, and works in coordination with several major ransomware groups, including ALPHV, RansomHub, and DragonForce.
Even more troubling is the group’s cooperation with Russia-aligned cyber actors, which has helped them sharpen their impersonation techniques. ReliaQuest found that Scattered Spider recruits social engineers who are fluent in English, often without strong regional accents, and who can blend seamlessly into corporate environments. These individuals are trained using detailed scripts and receive live coaching during impersonation attempts, making them especially hard to detect.
Interestingly, these attackers are instructed not to target companies based in Russia or the Commonwealth of Independent States (CIS)—a common pattern seen among Russian-affiliated cybercriminals.
The Human Element: Help Desks as Vulnerable Gateways
One of Scattered Spider’s most effective tools isn’t a piece of malware—it’s the ability to exploit trust. By focusing on help desks, which are typically staffed by personnel trained to assist rather than question, the group bypasses even strong technical defenses.
ReliaQuest notes that this blend of technical sophistication and cultural fluency allows attackers to convincingly impersonate employees and navigate internal systems with ease. Because the breach occurs through social interaction, it can often slip past automated security tools undetected.
The Growing Role of AI in Cybercrime
Looking ahead, cybersecurity experts warn that Scattered Spider could soon start using AI-powered tools to further enhance their operations. With artificial intelligence, the group could automate phishing attacks, mimic employee communication styles more convincingly, and scale their operations more efficiently.
Such developments would only increase the pressure on companies to adapt and reinforce their cybersecurity strategies.
What Organizations Can Do Right Now
In light of the threat, the FBI is urging all companies—especially those involved in aviation and critical infrastructure—to stay alert. Key recommendations include:
- Monitoring for unusual MFA activity
- Training help desk and frontline employees to identify social engineering attempts
- Limiting the ability of support staff to make changes without secondary verification
- Maintaining direct lines of communication with law enforcement for rapid response
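As an added illustration of the first recommendation (example code written for this article, not from the FBI advisory or ReliaQuest's research): a small detector run over constructed audit events that flags an MFA device registered shortly after a help-desk MFA reset, or registered by someone other than the account owner, which is the help-desk abuse pattern described above. The event names, JSON fields and time window are assumptions, not any real product's schema.

```python
"""Detect suspicious MFA device registrations in constructed audit logs.

Hypothetical detection logic (not from the FBI, ReliaQuest or any vendor):
flag a new MFA device that is registered (a) within a short window after a
help-desk-initiated MFA reset, or (b) by an actor other than the account
owner. Both patterns match the help-desk abuse the article describes.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit events (assumed JSON schema, not any real product's).
SAMPLE_LOG = """
{"ts":"2025-06-27T09:00:00Z","event":"helpdesk.mfa_reset","user":"j.doe","actor":"helpdesk.agent7","src_ip":"10.0.5.20"}
{"ts":"2025-06-27T09:04:10Z","event":"mfa.device_registered","user":"j.doe","actor":"j.doe","src_ip":"198.51.100.23","device":"Authenticator (new phone)"}
{"ts":"2025-06-27T11:30:00Z","event":"mfa.device_registered","user":"a.smith","actor":"helpdesk.agent7","src_ip":"10.0.5.20","device":"SMS +1-555-0100"}
{"ts":"2025-06-26T08:15:00Z","event":"helpdesk.mfa_reset","user":"m.lee","actor":"helpdesk.agent2","src_ip":"10.0.5.21"}
{"ts":"2025-06-27T08:20:00Z","event":"mfa.device_registered","user":"m.lee","actor":"m.lee","src_ip":"10.0.9.4","device":"FIDO2 key"}
"""

RESET_WINDOW = timedelta(minutes=30)  # assumed threshold; tune to your help-desk SLA


def parse_events(raw: str) -> list[dict]:
    """Parse one JSON event per line and return them in chronological order."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_registrations(raw: str) -> list[dict]:
    """Return one alert per MFA registration that matches a risky pattern."""
    alerts = []
    last_reset: dict[str, datetime] = {}  # user -> time of latest help-desk reset
    for e in parse_events(raw):
        if e["event"] == "helpdesk.mfa_reset":
            last_reset[e["user"]] = e["ts"]
            continue
        if e["event"] != "mfa.device_registered":
            continue
        reasons = []
        reset_at = last_reset.get(e["user"])
        if reset_at and e["ts"] - reset_at <= RESET_WINDOW:
            minutes = int((e["ts"] - reset_at).total_seconds() // 60)
            reasons.append("registered within %d min of help-desk MFA reset" % minutes)
        if e["actor"] != e["user"]:
            reasons.append("registered by %s, not the account owner" % e["actor"])
        if reasons:
            alerts.append({"user": e["user"], "device": e["device"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_registrations(SAMPLE_LOG):
        print(a["user"], a["device"], "; ".join(a["reasons"]))
```

In the sample, j.doe and a.smith are flagged while m.lee's key registered a day after the reset is not; in practice the alert should trigger a call-back to the user on a previously verified number before the new device is trusted.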
As cyber threats grow more sophisticated and better funded, traditional defenses may no longer be enough. The emphasis now must be on employee education, process discipline, and quick reporting to contain threats before they escalate.
If your organization believes it has been targeted by Scattered Spider or any similar threat group, report the incident immediately to your local FBI field office or file a complaint through the FBI Internet Crime Complaint Center (IC3).