Scattered Spider Targets Aviation and Insurance: What You Need to Know
Written by Connor Hughes, Threat Specialist at Adarma
On 26 June, the FBI issued a warning about a renewed and expanding threat from the hacker group Scattered Spider. The group recently gained notoriety for a string of ransomware attacks on major UK retailers.
According to the FBI and other threat intelligence sources, the group has now shifted its focus from retail to two new industries: insurance and aviation.
The FBI wrote in a message on X, formerly Twitter: “They [Scattered Spider] target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”
Insurance and Aviation Companies Warned to Be on Their Guard
The insurance sector was among the first to report suspicious cyber intrusions consistent with the group’s known tactics, and now similar incidents are emerging in the aviation industry.
Google’s Threat Intelligence Group (GTIG) reported that it had observed multiple cyber intrusions in the US insurance sector that bear the hallmarks of a Scattered Spider attack.
“We are now seeing incidents in the insurance industry,” said GTIG’s Chief Analyst, John Hultquist. “Given this actor’s history of focusing on one sector at a time, the insurance industry should be on high alert, especially for social engineering schemes targeting help desks and call centres.”
Several major insurers in the US have recently disclosed serious disruptions. Erie Insurance experienced a full network outage starting on 8 June. Philadelphia Insurance Companies reported a similar outage days later and confirmed unauthorised access to its systems. Its parent company, Tokio Marine, is also investigating suspicious activity across its wider network.
More recently, signs of activity have begun to surface in the aviation sector. Multiple airlines have reported cyber incidents that align with Scattered Spider’s tactics. Qantas has confirmed it is investigating a recent cyber-attack and is examining whether Scattered Spider were responsible. The breach reportedly stemmed from a vishing attack, in which a call centre employee was deceived into granting access to an unauthorised party.
This follows similar disclosures from other carriers. Hawaiian Airlines announced it had experienced a cybersecurity event, while WestJet, a Canadian airline, reported a separate incident on 13 June 2025.
Although no organisations have officially confirmed Scattered Spider’s involvement, the timing and methods suggest the group may be widening its scope to include critical sectors beyond retail.
Techniques Used: Social Engineering and MFA Bypass
Scattered Spider’s success stems from their ability to exploit human behaviour. Key tactics include:
- Social Engineering: Targeting IT help desk staff and privileged users through sophisticated phone-based attacks and impersonation
- SIM Swapping and Phone-Based Credential Theft: Compromising mobile phone accounts to bypass SMS-based MFA
Scattered Spider operators typically possess personally identifiable information of their victims, such as the last four digits of social security numbers, dates of birth, and manager names, which are often required to bypass help desk verification processes.
This approach allows them to request password and/or MFA resets and breach systems without exploiting software vulnerabilities or deploying malware. This is a stark reminder that social engineering remains one of the most effective paths to compromise.
Recommendations from Adarma
To help defend against the tactics used by Scattered Spider, Adarma recommends the following actions:
- Use phishing-resistant MFA (avoid SMS-based options), restrict the use of privileged accounts, and enforce the principle of least privilege across Active Directory
- Strengthen help desk procedures for password resets and MFA enrolment, with clear identity verification protocols, and train employees and support staff to recognise social engineering attempts
- Review and restrict third-party access, and secure all externally facing systems
- Adopt a layered security strategy with endpoint detection and response, SIEM monitoring, network segmentation, and strict account lockout policies after a small number of failed login attempts
- Detect or block unauthorised remote access tools (e.g. TeamViewer, AnyDesk), and regularly monitor for unauthorised Remote Desktop Protocol usage
- Maintain regularly tested offline backups of critical data
- Patch operating systems, firmware, and internet-facing services promptly, and treat ESXi servers as critical assets by enforcing strong access control, patching, and vulnerability management
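As an added illustration of the remote-access recommendation above (example code written for this article, not Adarma tooling), the following checks constructed Windows-style process-creation and logon records for the two tools the advisory names and for RDP sessions originating outside an approved network. The event field names and the approved-network and binary lists are assumptions a defender would tune to their own estate.

```python
import ipaddress

# Constructed sample events (not real telemetry). Fields loosely mirror Windows
# Security events 4688 (process creation) and 4624 (logon; type 10 = RemoteInteractive/RDP).
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS-101", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"id": 4688, "host": "WS-102", "user": "asmith", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"id": 4688, "host": "SRV-07", "user": "svc_backup", "image": r"C:\Tools\TeamViewer\TeamViewer.exe"},
    {"id": 4624, "host": "SRV-07", "user": "helpdesk_tmp", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"id": 4624, "host": "SRV-07", "user": "it_admin", "logon_type": 10, "src_ip": "10.20.30.5"},
    {"id": 4624, "host": "WS-101", "user": "jdoe", "logon_type": 2, "src_ip": "-"},
]

# Policy inputs (assumed; tune to your estate): binaries of the tools the advisory names,
# and the only network that should ever originate RDP sessions (e.g. a jump-host subnet).
UNAPPROVED_RAT_BINARIES = {"anydesk.exe", "teamviewer.exe", "teamviewer_service.exe"}
APPROVED_RDP_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]
RDP_LOGON_TYPE = 10


def rdp_source_approved(src_ip):
    """True only if src_ip parses and sits inside an approved RDP source network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:  # "-" or malformed: fail closed and treat as unapproved
        return False
    return any(addr in net for net in APPROVED_RDP_SOURCES)


def flag_remote_access(events):
    """Return (finding_type, host, user, detail) tuples for remote-access policy violations."""
    findings = []
    for ev in events:
        if ev["id"] == 4688:
            binary = ev["image"].rsplit("\\", 1)[-1].lower()
            if binary in UNAPPROVED_RAT_BINARIES:
                findings.append(("unapproved_remote_tool", ev["host"], ev["user"], binary))
        elif ev["id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            if not rdp_source_approved(ev["src_ip"]):
                findings.append(("rdp_from_unapproved_source", ev["host"], ev["user"], ev["src_ip"]))
    return findings


def hosts_needing_review(findings):
    """Hosts where more than one finding type coincides (e.g. a RAT drop plus a foreign RDP logon)."""
    types_by_host = {}
    for ftype, host, _, _ in findings:
        types_by_host.setdefault(host, set()).add(ftype)
    return sorted(h for h, t in types_by_host.items() if len(t) > 1)
```

Run against real 4688/4624 exports, the two policy lists are the only parts that need changing; hosts returned by `hosts_needing_review` are the ones to prioritise for incident response.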