{
	"id": "8e0e0571-9035-4549-866b-264363d89d40",
	"created_at": "2026-04-06T00:15:56.598589Z",
	"updated_at": "2026-04-10T03:31:49.91714Z",
	"deleted_at": null,
	"sha1_hash": "7049cba73eddaad9ae5236e1ae3cf92ed3646a4f",
	"title": "Qantas discloses cyberattack amid Scattered Spider aviation breaches",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1068807,
	"plain_text": "Qantas discloses cyberattack amid Scattered Spider aviation breaches\r\nBy Lawrence Abrams\r\nPublished: 2025-07-02 · Archived: 2026-04-05 12:48:41 UTC\r\nAustralian airline Qantas disclosed that it detected a cyberattack on Monday after threat actors gained access to a third-party\r\nplatform containing customer data.\r\nQantas is Australia's largest airline, operating domestic and international flights across six continents and employing around\r\n24,000 people.\r\nIn a press release issued Monday night, the airline states that the attack has been contained, but a \"significant\" amount of\r\ndata is believed to have been stolen. The breach began after a threat actor targeted a Qantas call centre and gained access to a\r\nthird-party customer servicing platform.\r\n\"On Monday, we detected unusual activity on a third party platform used by a Qantas airline contact centre. We then took\r\nimmediate steps and contained the system. We can confirm all Qantas systems remain secure,\" Qantas stated.\r\n\"There are 6 million customers that have service records in this platform. We are continuing to investigate the proportion of\r\nthe data that has been stolen, though we expect it will be significant. 
An initial review has confirmed the data includes some\r\ncustomers' names, email addresses, phone numbers, birth dates and frequent flyer numbers.\"\r\nQantas says no credit card or personal financial information was exposed, and frequent flyer account passwords, PINs, and\r\nlogin details were not impacted.\r\nAfter detecting the breach, Qantas says it notified the Australian Cyber Security Centre, the Office of the Australian\r\nInformation Commissioner, and the Australian Federal Police. It's unclear if external cybersecurity experts are assisting with\r\nthe investigation.\r\nScattered Spider attacks target aviation firms\r\nThis attack comes as cybersecurity firms warn that hackers known as \"Scattered Spider\" have begun targeting the aviation\r\nand transportation industries.\r\nWhile it is unclear if this group is behind the Qantas attack, BleepingComputer has learned the incident shares similarities\r\nwith other recent attacks by the threat actors.\r\nScattered Spider (also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra) is a group of threat\r\nactors known for conducting social engineering and identity-based attacks against organizations worldwide, commonly\r\nusing phishing, SIM swapping, MFA bombing, and help desk phone calls to gain access to employee credentials.\r\nIn September 2023, they escalated their attacks by breaching MGM Resorts and encrypting over 100 VMware ESXi\r\nhypervisors using BlackCat ransomware after gaining access by impersonating an employee. They've also partnered with\r\nother ransomware operations, such as RansomHub, Qilin, and DragonForce. 
Other organizations targeted by Scattered\r\nSpider include Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, and Reddit.\r\nAfter recently focusing on retail and insurance companies, cybersecurity firms warned on Friday that Scattered Spider had\r\nshifted its attention to aviation, with recent attacks on Hawaiian Airlines and WestJet believed to be linked to the threat\r\nactors.\r\nBleepingComputer has learned that in the WestJet breach, threat actors exploited a self-service password reset to gain access\r\nto an employee's account, which was then used to breach the network.\r\nThe threat actors have been employing a sector-by-sector approach to their attacks, and it is unclear if they are done with the\r\naviation sector and what industry will be targeted next.\r\nOrganizations defending against this type of threat should start by gaining complete visibility across the entire infrastructure,\r\nidentity systems, and critical management services.\r\nThis includes securing self-service password reset platforms, help desks, and third-party identity vendors, which have\r\nbecome common targets of these threat actors.\r\nBoth Google Threat Intelligence Group (GTIG) and Palo Alto Networks have released guides on hardening defenses against\r\nthe known \"Scattered Spider\" tactics, which admins should familiarize themselves with.\r\nOther recent cyberattacks believed to be associated with Scattered Spider include M\u0026S, Co-op, Erie Insurance, and Aflac.\r\nSource: https://www.bleepingcomputer.com/news/security/qantas-discloses-cyberattack-amid-scattered-spider-aviation-breaches/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/qantas-discloses-cyberattack-amid-scattered-spider-aviation-breaches/"
	],
	"report_names": [
		"qantas-discloses-cyberattack-amid-scattered-spider-aviation-breaches"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7049cba73eddaad9ae5236e1ae3cf92ed3646a4f.pdf",
		"text": "https://archive.orkl.eu/7049cba73eddaad9ae5236e1ae3cf92ed3646a4f.txt",
		"img": "https://archive.orkl.eu/7049cba73eddaad9ae5236e1ae3cf92ed3646a4f.jpg"
	}
}