Rampant cybercriminal group targets US airlines

By Sean Lyngaas, CNN
(CNN) — A notorious cybercriminal group has shifted its attention to the aviation industry, successfully breaching the computer networks of multiple airlines in the United States and Canada this month, according to the FBI and private experts responding to the hacks.
The hacking hasn’t affected airline safety, but it has top cyber executives at major airlines across the United States on alert because of the hacking suspects: A network of young cybercriminals called “Scattered Spider” who are known for their aggressive efforts to extort or embarrass their victims.
It’s a fresh headache for the travel industry as the busy summer travel season kicks into high gear. This is now the third major US business sector in the last two months, after insurance and retail, to face a flurry of cyberattacks tied to the criminal group.
The hackers target big companies and their IT contractors, “which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,” the FBI said Friday night in a statement that named Scattered Spider as the perpetrator of the airline hacks. “Once inside (a victim’s network), Scattered Spider actors steal sensitive data for extortion and often deploy ransomware,” the FBI said.
The FBI, the statement continued, “is actively working with aviation and industry partners to address this activity and assist victims.”
Hawaiian Airlines and Canada’s WestJet confirmed this week that they were still assessing the fallout from recent cyberattacks, though the airlines did not name the perpetrators. More victims in the aviation industry could come forward, sources briefed on the investigation said.
WestJet’s issues began two weeks ago, when the airline said it was responding to a “cybersecurity incident” that was affecting access “to some services and software systems,” including its app for customers. Both WestJet and Hawaiian Airlines said their operations were unaffected by the hacks.
The lack of impact on operations at the airlines is “likely a sign of good internal network separations or good business continuity and resiliency planning,” said Aakin Patel, the former chief information security officer of Las Vegas’ main airport.
It is not just the airlines themselves, but other “segments of the aviation ecosystem” that are seeing increased cyberattacks, according to Jeffrey Troy, the president of the Aviation ISAC, an industry group for sharing cyber threats. “Our members are keenly alert to attacks from financially motivated attackers and collateral impacts emanating out of geo-political tensions around the world,” Troy said in a statement to CNN.
The fine margins for error in the airline industry were on display Friday, when a separate IT outage, apparently unrelated to malicious cyber activity, caused delays for some American Airlines passengers.
The Scattered Spider hacks have mobilized people across the industry to respond. In-house cybersecurity experts at major airlines have been closely monitoring the situation, sources familiar with the response told CNN, while cybersecurity firms such as Google-owned Mandiant are helping with the recovery and urging airlines to secure their customer service call centers.
One of Scattered Spider’s preferred methods of infiltrating corporations is calling up help desks and pretending to be employees or customers. The technique has been a highly effective way for hackers to gain access to the networks of big companies.
“Airlines rely heavily on call centers for a lot of their support needs,” Patel told CNN, making them “a likely target for groups like this.”
Scattered Spider gained attention in September 2023 when they were linked to a pair of multimillion-dollar hacks on Las Vegas casinos and hotels MGM Resorts and Caesars Entertainment. The hackers tend to pick one sector to target for weeks on end. Earlier this month, they were the suspects in a hack of insurance giant Aflac that potentially stole Social Security numbers, insurance claims and health information. Before that, it was the retail sector: The hackers, according to an internal memo obtained by CNN, targeted Ahold Delhaize USA, which has the same parent company as the Giant and Food Lion grocery chains.
“The actor’s core tactics, techniques, and procedures have remained consistent,” Mandiant chief technology officer Charles Carmakal said Friday in a statement, adding that the firm “is aware of multiple incidents in the airline and transportation sector” that resemble the operations of Scattered Spider.