Transportation

Scattered Spider strikes again? Aviation industry appears to be next target for criminal group

Hawaiian Airlines announced a cybersecurity incident Friday as security experts warned of a sector-wide threat.

June 27, 2025

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

The Hawaiian Airlines logo is displayed at a check-in area at Los Angeles International Airport (LAX) on December 4, 2023 in Los Angeles, California. (Photo by Mario Tama/Getty Images)

The aviation industry has seemingly become the latest target of Scattered Spider, a sophisticated cybercriminal group that has shifted its focus from retail and insurance companies to airlines in what cybersecurity experts describe as a coordinated campaign against the sector.

Hawaiian Airlines disclosed a cybersecurity incident Friday affecting some of its IT systems while maintaining that flights continued operating safely and on schedule. The attack, first detected June 23, according to SEC filings, prompted the airline to engage federal authorities and cybersecurity experts for investigation and remediation efforts.

Multiple incident responders have attributed the Hawaiian Airlines attack to Scattered Spider, also known as Muddled Libra or UNC3944. The assessment comes as cybersecurity firms Unit 42 and Mandiant issued warnings about the group’s apparent pivot to targeting aviation companies.

Charles Carmakal, chief technology officer at Mandiant Consulting – Google Cloud, confirmed his company is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.” The group has demonstrated a pattern of focusing intensively on single industries before moving to new sectors.

“Given the habit of this actor to focus on a single sector we suggest that the industry take steps immediately to harden systems,” Carmakal stated.

The Hawaiian Airlines incident follows a similar attack earlier this month on WestJet, Canada’s second-largest airline. The Calgary-based carrier experienced intermittent disruptions to its website and mobile application, with systems largely restored after five days.

Cybersecurity experts note that Scattered Spider has maintained consistent tactics across different industry targets. The group typically employs sophisticated social engineering attacks and targets multi-factor authentication systems through fraudulent reset requests.

Sam Rubin, senior vice president of consulting and threat intelligence at Palo Alto Networks’ Unit 42, emphasized that organizations should maintain “high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.”

The group’s methodical approach to targeting specific industries has previously included campaigns against major retail chains and insurance companies, including attacks on Aflac and other prominent insurers.

The coordinated nature of these attacks across multiple airlines suggests a strategic shift by Scattered Spider toward critical infrastructure sectors. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have yet to comment on the incidents.