Scattered Spider Targets Aviation and Insurance: What You Need to Know
Written by Connor Hughes, Threat Specialist at Adarma
On 26 June 2025, the FBI issued a warning about a renewed and expanding threat from the financially motivated cybercriminal group known as Scattered Spider. Already known for high-profile ransomware attacks across retail and telecoms, the group has now turned its attention to two new industries with significant public impact: aviation and insurance.
A Shift in Focus: From Retail to Critical Consumer Sectors
Scattered Spider has made headlines for their use of social engineering tactics, particularly impersonating employees to gain access to internal systems and bypassing multi-factor authentication (MFA). These techniques are now being deployed against aviation companies and insurance providers, broadening the group’s reach and impact.
According to the FBI and other threat intelligence sources, Scattered Spider are actively targeting not only airlines but also the supply chain partners that support the aviation industry.
The FBI wrote in a message on X, formerly Twitter: “They [Scattered Spider] target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”
In recent weeks, multiple airlines have reported cyber incidents that align with Scattered Spider’s known tactics. Qantas has confirmed it is investigating a recent cyber-attack and is looking into whether Scattered Spider were responsible. According to the airline, the breach stemmed from a vishing attack, in which a call centre employee was deceived over the phone into granting access to an unauthorised party.
This follows similar disclosures from other carriers. Hawaiian Airlines recently announced it had experienced a cybersecurity event, while WestJet, a Canadian airline, reported a separate incident on 13 June 2025. These developments closely follow the FBI’s advisory and may indicate a broader, coordinated campaign targeting the global airline sector.
This escalation poses risks that go beyond corporate data breaches and could directly affect passengers, operations, and public trust.
Why the Aviation Sector?
The aviation industry is a high-value target. Airlines manage large volumes of personal and financial data and rely on interconnected digital infrastructure to support flight operations, bookings, and customer services.
Scattered Spider’s attacks could lead to:
- Breaches of passenger data, including passports and payment details
- Operational disruption, including flight delays or cancellations
- Ransomware attacks on critical systems or suppliers
Attacks on the Insurance Sector
In parallel with aviation, the group are now focusing on the insurance sector. This includes companies handling travel insurance, health coverage, and personal financial protection.
The risks include:
- Identity theft from stolen personal or policyholder data
- Disruption to claims services during ransomware incidents
Techniques Used: Social Engineering and MFA Bypass
Scattered Spider’s success stems from their ability to exploit human behaviour. Key tactics include:
- Social Engineering: Targeting IT help desk and privileged users through sophisticated phone-based attacks and impersonation
- SIM Swapping and Phone-Based Credential Theft: Compromising mobile phone accounts to bypass SMS-based MFA
Scattered Spider operators typically possess personally identifiable information of their victims, such as the last four digits of social security numbers, dates of birth, and manager names, which are often required to bypass help desk verification processes.
This approach allows them to request password and/or MFA resets and breach systems without exploiting software vulnerabilities or deploying malware. This is a stark reminder that social engineering remains one of the most effective paths to compromise.
Government and Industry Response
The FBI is collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and private sector partners to mitigate the threat. These efforts include sharing indicators of compromise, issuing guidance, and encouraging resilience in at-risk sectors.
In the meantime, the FBI recommends that public and private organisations review their defences and take steps to reduce their exposure.
Recommendations from Adarma
To help defend against the tactics used by Scattered Spider, Adarma recommends the following actions:
- Use phishing-resistant MFA such as FIDO2/WebAuthn security keys or certificate-based authentication (avoid SMS-based options, which SIM swapping defeats), restrict the use of privileged accounts, and enforce the principle of least privilege across Active Directory
- Strengthen help desk procedures for password resets and MFA enrolment with clear identity verification protocols. Because Scattered Spider operators typically already hold the static personal details these checks rely on (date of birth, partial social security number, manager name), verification should not rest on such data alone: use a callback to a number already on record or an out-of-band approval from the employee's manager, and train employees and support staff to recognise social engineering attempts
- Review and restrict third-party access, and secure all externally facing systems
- Adopt a layered security strategy with endpoint detection and response (EDR), SIEM monitoring, network segmentation, and strict account lockout policies after a small number of failed login attempts
- Detect or block unauthorised remote access tools (e.g. TeamViewer, AnyDesk), and regularly monitor for unauthorised Remote Desktop Protocol (RDP) usage
- Maintain regularly tested offline backups of critical data
- Patch operating systems, firmware, and internet-facing services promptly, and treat ESXi servers as critical assets by enforcing strong access control, patching, and vulnerability management
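To make the remote-access and RDP recommendations above concrete, here is an added example (not Adarma's, the FBI's, or any vendor's tooling) of the detection logic run over a handful of constructed log lines. The lines use a simplified key=value form loosely modelled on Sysmon Event ID 1 (process creation) and Windows Security Event ID 4624 (logon, where LogonType 10 is an RDP, i.e. RemoteInteractive, logon). The tool names, host names, approved jump host and allowed subnet are assumptions to be replaced with your own inventory.

```python
"""Flag unauthorised remote-access tools and RDP logons from unexpected sources.

Added example, not code from the original article. Log lines are constructed
and simplified; field names follow Sysmon (Image, ParentImage) and Windows
Security event 4624 (LogonType, IpAddress) loosely. Tool, host and subnet
values are assumptions.
"""
import re
from dataclasses import dataclass

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Executable names of remote-access tools to treat as unauthorised unless approved
# (assumed list; extend with whatever your environment sees).
REMOTE_TOOL_IMAGES = {
    "teamviewer.exe", "anydesk.exe", "rustdesk.exe",
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
}
# (image, host) pairs where a tool is sanctioned, e.g. the help desk jump host (assumption).
APPROVED_TOOL_HOSTS = {("anydesk.exe", "HELPDESK-JH01")}
# Source-address prefixes from which RDP logons are expected (assumed jump-host subnet).
RDP_ALLOWED_SOURCE_PREFIXES = ("10.10.50.",)


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    detail: str


def parse(line: str) -> dict:
    """Parse key=value and key="quoted value" pairs into a dict."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines) -> list:
    """Return alerts for unapproved remote tools and RDP logons from unknown sources."""
    alerts = []
    for line in lines:
        ev = parse(line)
        host, user = ev.get("Host", "?"), ev.get("User", "?")
        if ev.get("EventID") == "1":
            name = image_name(ev.get("Image", ""))
            if name in REMOTE_TOOL_IMAGES and (name, host) not in APPROVED_TOOL_HOSTS:
                alerts.append(Alert(
                    "unauthorised_remote_tool", host, user,
                    f"{name} started from {ev.get('Image')} "
                    f"(parent {ev.get('ParentImage', '?')})"))
        elif ev.get("EventID") == "4624" and ev.get("LogonType") == "10":
            src = ev.get("IpAddress", "")
            if not src.startswith(RDP_ALLOWED_SOURCE_PREFIXES):
                alerts.append(Alert(
                    "rdp_from_unapproved_source", host, user,
                    f"RDP logon from {src}"))
    return alerts


# Constructed sample events: one user-installed AnyDesk, one sanctioned AnyDesk on
# the jump host, one benign process, one RDP logon from the internet, one RDP logon
# from the jump-host subnet, and one local interactive logon.
SAMPLE_LOGS = [
    'EventID=1 Host=WS-0142 User="CORP\\jsmith" Image="C:\\Users\\jsmith\\AppData\\Local\\AnyDesk\\AnyDesk.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=1 Host=HELPDESK-JH01 User="CORP\\svc-helpdesk" Image="C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe" ParentImage="C:\\Windows\\System32\\services.exe"',
    'EventID=1 Host=WS-0142 User="CORP\\jsmith" Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=4624 Host=DC01 User="CORP\\jsmith" LogonType=10 IpAddress=203.0.113.45',
    'EventID=4624 Host=DC01 User="CORP\\svc-helpdesk" LogonType=10 IpAddress=10.10.50.7',
    'EventID=4624 Host=DC01 User="CORP\\jsmith" LogonType=2 IpAddress=127.0.0.1',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.rule}] host={a.host} user={a.user}: {a.detail}")
```

Running this yields two alerts: the AnyDesk binary launched from a user profile directory on WS-0142, and the RDP logon to DC01 from 203.0.113.45. The same AnyDesk binary on the approved help desk host and the RDP logon from the jump-host subnet are not reported. In a real deployment the process-name match is the weakest part: renamed binaries evade it, so pair it with signer or hash checks in your EDR and with an explicit application allowlist rather than relying on names alone.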