{
	"id": "0d8575ba-db6d-4a02-9012-ecf031c99dbf",
	"created_at": "2026-04-06T00:13:17.70507Z",
	"updated_at": "2026-04-10T13:12:04.56465Z",
	"deleted_at": null,
	"sha1_hash": "f9b3b8915ed972ea7c2993458d70844854f9ceb5",
	"title": "Scattered Spider hackers shift focus to aviation, transportation firms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3109190,
	"plain_text": "Scattered Spider hackers shift focus to aviation, transportation firms\r\nBy Lawrence Abrams\r\nPublished: 2025-06-27 · Archived: 2026-04-05 14:29:47 UTC\r\nHackers associated with \"Scattered Spider\" tactics have expanded their targeting to the aviation and transportation industries\r\nafter previously attacking insurance and retail sectors.\r\nThese threat actors have employed a sector-by-sector approach, initially targeting retail companies, such as M\u0026S and Co-op, in the United Kingdom and the United States and subsequently shifting their focus to insurance companies.\r\nWhile the threat actors were not officially named as responsible for insurance sector attacks at first, recent incidents have\r\nimpacted Aflac, Erie Insurance, and Philadelphia Insurance Companies.\r\nhttps://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shift-focus-to-aviation-transportation-firms/\r\nPage 1 of 4\n\nHackers target the aviation industry\r\nOn June 12, Canada's second-largest airline, WestJet, suffered a cyberattack that briefly disrupted the company's internal\r\nservices and mobile app.\r\nSoon after the breach, sources told BleepingComputer that Palo Alto Networks and Microsoft were assisting in the response\r\nto the attack.\r\nThe attack was attributed to Scattered Spider, who allegedly compromised the company's data centers and its Microsoft\r\nCloud environment.\r\nBleepingComputer was informed that the threat actor gained access by performing a self-service password reset for an\r\nemployee, which enabled them to register their own MFA and obtain remote access to the network through Citrix.\r\nWhile other threat actors conduct identity attacks, Scattered Spider has become associated with this tactic due to their\r\nregular targeting of help desks and 
password and MFA infrastructure.\r\nToday, Hawaiian Airlines also disclosed that they suffered a cyberattack but did not provide any details that could indicate\r\nwho was behind the attack. However, a source told BleepingComputer that it is believed that the same threat actors are\r\nresponsible.\r\nPalo Alto Networks' Sam Rubin, SVP of Consulting and Threat Intelligence, has now confirmed on LinkedIn that Scattered\r\nSpider has begun targeting the aviation industry.\r\n\"Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry,\" warned Rubin.\r\n\"Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset\r\nrequests.\"\r\nMandiant's Charles Carmakal also warned that the threat actors have now switched their focus to both the aviation and\r\ntransportation sectors.\r\n\"ALERT: Scattered Spider has added North American airline and transportation organizations to their target list,\" Carmakal\r\nposted to LinkedIn.\r\n\"Mandiant (part of Google Cloud) is aware of multiple incidents in the airline and transportation sector which resemble the\r\noperations of UNC3944 or Scattered Spider.\r\n\"We recommend that the industry immediately take steps to tighten up their help desk identity verification processes prior to\r\nadding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service\r\npassword resets), reset passwords, add devices to MFA solutions, or provide employee information (e.g. employee IDs) that\r\ncould be used for a subsequent social engineering attacks.\"\r\nAmerican Airlines is also currently suffering an IT outage but it is unclear if it is a security incident. 
BleepingComputer\r\ncontacted the airline but has not received a response.\r\nWhat is Scattered Spider\r\nScattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a\r\nclassification of threat actors that are adept at using social engineering attacks, phishing, multi-factor authentication (MFA)\r\nbombing (targeted MFA fatigue), and SIM swapping to gain initial network access on large organizations.\r\nThese threat actors include young English-speaking people with diverse skill sets who frequent the same hacker forums,\r\nTelegram channels, and Discord servers. These mediums are then used to plan and execute attacks in real time.\r\nSome are believed to be part of the \"Com\" - a loose-knit community of threat actors known for financial fraud,\r\ncryptocurrency theft, data breaches, and extortion attacks.\r\nWhile Scattered Spider is commonly referred to as a cohesive gang, it is actually used to denote threat actors who utilize\r\nspecific tactics when conducting attacks. 
As the tactics associated with Scattered Spider are also commonly used by\r\ndifferent individuals from a loose network of threat actors, tracking them is difficult.\r\nUnlike many other English-speaking threat actors, those associated with \"Scattered Spider\" have been known to partner with\r\nRussian-speaking ransomware gangs, such as BlackCat, RansomHub, Qilin, and DragonForce.\r\nOther attacks linked to Scattered Spider include those on MGM, Marks \u0026 Spencer, Co-op, Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, and Reddit.\r\nOrganizations defending against this type of threat actor should start with gaining complete visibility across the entire\r\ninfrastructure, identity systems, and critical management services.\r\nThis includes securing self-service password reset platforms and help desks, common targets of these threat actors.\r\nBoth Google Threat Intelligence Group (GTIG) and Palo Alto Networks have released guides on hardening defenses against\r\nthe known \"Scattered Spider\" tactics used by these threat actors.\r\nAll admins are advised to familiarize themselves with these tips and harden their identity platforms and processes.\r\nUpdate 6/27/25: Added that American Airlines is currently suffering from an IT outage.\r\nSource: https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shift-focus-to-aviation-transportation-firms/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shift-focus-to-aviation-transportation-firms/"
	],
	"report_names": [
		"scattered-spider-hackers-shift-focus-to-aviation-transportation-firms"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434397,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9b3b8915ed972ea7c2993458d70844854f9ceb5.pdf",
		"text": "https://archive.orkl.eu/f9b3b8915ed972ea7c2993458d70844854f9ceb5.txt",
		"img": "https://archive.orkl.eu/f9b3b8915ed972ea7c2993458d70844854f9ceb5.jpg"
	}
}