FBI Warns of Scattered Spider's Shift to Airline Industry Following Casino Cyber Attacks

The FBI has issued a fresh warning that Scattered Spider—the same cybercrime group responsible for major ransomware attacks against MGM Resorts International and Caesars Entertainment in 2023—is now shifting its focus toward the airline industry.

In a newly released alert, the agency reported a rise in activity from the group specifically targeting airlines, using sophisticated social engineering tactics to manipulate employees and gain unauthorized access to confidential data.

“These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access,” the FBI stated. “These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts.”

The Bureau confirmed it is actively collaborating with airlines and industry partners to “address this activity and assist victims.” Additionally, the FBI strongly encouraged any organization that suspects it has been targeted or compromised to promptly reach out to law enforcement authorities.

Scattered Spider appears to be recycling its previous methods of infiltration, which proved effective during last year’s high-profile breaches in the casino industry. In those incidents, the hackers infiltrated internal systems, accessed sensitive customer information, and used extortion tactics to pressure companies into paying ransom demands. In the case of Caesars Entertainment, the company reportedly paid a $15 million ransom to Scattered Spider in exchange for silence. MGM Resorts, however, chose not to meet the demands, leading to a widespread IT outage that disrupted operations across its U.S. properties.

MGM’s refusal resulted in severe consequences, including an estimated $100 million loss in third-quarter earnings for 2023 and an additional $10 million in one-time expenses. In the wake of these incidents, the FBI has reiterated its stance that victims of ransomware should not give in to ransom demands, warning that “payments encourage the bad actors to infiltrate other companies.”

While specific airlines have not publicly confirmed being breached by Scattered Spider, there have been recent signs of possible cyber intrusions within the sector. Canadian carrier WestJet and Hawaiian Airlines both reported cyberattacks in recent months. Delta Airlines also took preventive action by urging its customers to reset their passwords and security credentials.

Airlines are attractive targets for cybercriminals due to the sheer volume of sensitive personal information they collect and store, including passenger names, home addresses, and government-issued ID numbers like driver’s licenses and passports. This kind of data is particularly lucrative on the dark web and can cause severe reputational and financial damage when mishandled.

“Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) noted. “Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their tactics, techniques, and procedures (TTPs).”

Experts believe that if Scattered Spider is behind the recent wave of airline cyber incidents, it’s an expected evolution in the group’s operational strategy. With a proven playbook and a reputation for manipulating IT service structures, the group is continuing to capitalize on industries that handle large volumes of critical customer data—and are willing to pay to protect it. 

By fLEXI tEAM