Scattered Spider’s Expansion into Aviation and Transportation: Active Threats, Immediate Implications for the Defense Industrial Base
In the last 60 days, Scattered Spider—a well-documented cybercriminal group also tracked as UNC3944, Octo Tempest, and 0ktapus—has escalated its targeting of the aviation and transportation sectors. This shift is no longer speculative. It is active, observable, and impactful.
Recent cyberattacks on major North American airlines, including WestJet and Hawaiian Airlines, illustrate a clear change in both the scope and intensity of this group's operations. These are not isolated incidents. They represent a tactical evolution, one that now includes the broader aviation ecosystem: logistics vendors, application service providers, subcontracted IT management firms, and component manufacturers supporting commercial and defense aviation platforms¹.
While the headline breaches focus on Tier 1 brands, the reality is this: attackers are increasingly initiating access through smaller firms integrated into the supply chain. These companies often possess persistent VPN tunnels, federated identity relationships, or administrative access to core operational systems. They may not see themselves as a primary target, but the adversary does.
What’s Changed?
Scattered Spider's behavior has matured. Historically focused on retail and insurance, the group is now pursuing more complex, interdependent targets. This pivot suggests not just a change in targeting, but a broader ambition: to exploit operational dependencies and monetize access to critical infrastructure.
The recent attacks leveraged social engineering and identity manipulation—exploiting weaknesses in help desk procedures and MFA registration flows to obtain credentials and move laterally. In several cases, attackers used public-facing self-service portals to initiate password resets, then enrolled their own authentication mechanisms to complete the takeover.
The attackers understand how these ecosystems function. They understand how access is delegated, how change tickets are processed, and how to impersonate users effectively. They are not breaking in through firewalls; they are being let in through the front door because the door appears legitimate.
Threat Actor Profile: Scattered Spider
Scattered Spider is a decentralized, English-speaking threat collective. Their tactics include SIM swapping, phishing, real-time help desk impersonation, and MFA fatigue attacks. They frequently operate in collaboration with ransomware operations like BlackCat and RansomHub, providing access-as-a-service or supporting extortion after exfiltration² ³.
Their operations are enabled by strong coordination over encrypted platforms like Telegram and Discord. They function more like a startup than a gang—sharing tooling, processes, and access with efficiency.
Their targets increasingly include organizations with persistent access to larger enterprises. Managed service providers, IT subcontractors, and operations support vendors are squarely within scope.
Technical Recommendations and Detection Activities
Organizations with any connection to aviation, transportation, or defense operations should take immediate steps to strengthen the following areas:
- Restrict Self-Service Password Resets: Disable or strictly control self-service workflows for high-privilege users; enforce identity validation steps outside the reset portal.
- Implement Conditional Access Policies: Use Entra ID (formerly Azure AD) to define risk-based access controls; restrict sign-ins from unfamiliar IP ranges or unregistered devices.
- Enforce Role-Based Help Desk Controls: Limit the ability to modify MFA, reset credentials, or unlock accounts to a small, audited group of technicians.
- Secure MFA Enrollment: Require in-person or out-of-band verification before MFA methods are updated; log and alert on all MFA registration events.
- Audit Entra ID Logs: Monitor for sign-ins from known proxy services, credential changes outside working hours, and new device registrations.
- Simulate Social Engineering: Regularly test personnel through phishing simulations and voice impersonation scenarios.
- Prioritize Initial Access Detection:
  - Multiple MFA prompts in a short window
  - Unusual device or location patterns in login telemetry
  - Repeated access requests to password or identity systems
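The detection items above (MFA prompts clustered in a short window, sign-ins from an unfamiliar country or unregistered device, a self-service password reset followed by a new MFA method enrollment, and credential changes outside working hours) as one worked example. This is an added illustration, not code from the original advisory or from CorpInfoTech; the record layout, field names and sample events are constructed assumptions rather than the actual Entra ID sign-in or audit log schema, and the thresholds are starting points to tune against your own baseline.

```python
# Added example: simple detection rules over constructed Entra ID-style
# sign-in and audit records. Field names are a simplified assumption, not
# the Microsoft schema; map them to your export before use.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry).
SIGNINS = [
    {"ts": "2025-06-20T02:01:00", "user": "jdoe", "country": "US", "mfa": "denied", "device_registered": True},
    {"ts": "2025-06-20T02:01:40", "user": "jdoe", "country": "US", "mfa": "denied", "device_registered": True},
    {"ts": "2025-06-20T02:02:15", "user": "jdoe", "country": "US", "mfa": "denied", "device_registered": True},
    {"ts": "2025-06-20T02:03:05", "user": "jdoe", "country": "US", "mfa": "denied", "device_registered": True},
    {"ts": "2025-06-20T02:03:50", "user": "jdoe", "country": "US", "mfa": "approved", "device_registered": True},
    {"ts": "2025-06-20T09:15:00", "user": "asmith", "country": "US", "mfa": "approved", "device_registered": True},
    {"ts": "2025-06-20T09:40:00", "user": "asmith", "country": "NG", "mfa": "approved", "device_registered": False},
]

# Constructed sample audit records: password resets and MFA method changes.
AUDIT = [
    {"ts": "2025-06-20T01:50:00", "user": "jdoe", "action": "reset_password_self_service"},
    {"ts": "2025-06-20T02:05:00", "user": "jdoe", "action": "register_security_info"},
    {"ts": "2025-06-20T10:00:00", "user": "asmith", "action": "register_security_info"},
]

# Per-user baseline of countries seen in normal sign-in history (constructed).
BASELINE = {"jdoe": {"US"}, "asmith": {"US"}}


def _t(rec):
    """Parse the ISO-8601 timestamp of a record."""
    return datetime.fromisoformat(rec["ts"])


def mfa_fatigue(signins, window=timedelta(minutes=5), threshold=4):
    """Users with >= threshold MFA prompts inside a sliding window.
    Returns {user: max_prompts_seen_in_any_window}."""
    by_user = defaultdict(list)
    for r in sorted(signins, key=_t):
        by_user[r["user"]].append(_t(r))
    hits = {}
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def unfamiliar_access(signins, baseline):
    """Sign-ins from a country outside the user's baseline or from an unregistered device."""
    flagged = []
    for r in signins:
        reasons = []
        if r["country"] not in baseline.get(r["user"], set()):
            reasons.append("new country " + r["country"])
        if not r["device_registered"]:
            reasons.append("unregistered device")
        if reasons:
            flagged.append((r["user"], r["ts"], reasons))
    return flagged


def reset_then_enroll(audit, window=timedelta(minutes=30)):
    """Password reset followed by a new MFA method registration on the same
    account within the window: the takeover sequence described in the advisory."""
    resets = defaultdict(list)
    for r in audit:
        if r["action"].startswith("reset_password"):
            resets[r["user"]].append(_t(r))
    hits = []
    for r in audit:
        if r["action"] == "register_security_info":
            if any(timedelta(0) <= _t(r) - t <= window for t in resets[r["user"]]):
                hits.append((r["user"], r["ts"]))
    return hits


def after_hours(audit, start_hour=7, end_hour=19):
    """Credential or MFA changes outside working hours (timestamps assumed local)."""
    return [(r["user"], r["ts"], r["action"])
            for r in audit if not (start_hour <= _t(r).hour < end_hour)]


if __name__ == "__main__":
    print("MFA fatigue:", mfa_fatigue(SIGNINS))
    print("Unfamiliar access:", unfamiliar_access(SIGNINS, BASELINE))
    print("Reset then enroll:", reset_then_enroll(AUDIT))
    print("After hours:", after_hours(AUDIT))
```

The rules are deliberately independent so each can be scored on its own; in practice the strongest signal is the combination, for example a reset-then-enroll hit on the same account that also shows fatigue-style prompt clustering minutes earlier, and that correlation is what should page an analyst rather than any single rule.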
CorpInfoTech’s Technology Assurance Services (TAS)
- Identity and Access Management: Secure identity lifecycle workflows; enforce privileged identity policies; detect and respond to abnormal usage patterns in real time.
- Behavioral Threat Detection: Identify suspicious patterns based on how users move, request access, or escalate privileges across systems and roles.
- Supply Chain Surface Reduction: Map trusted relationships; evaluate third-party access paths; reduce risk from unmanaged vendor systems.
- Human Threat Defense: Train employees to recognize impersonation; build cultural resistance to social engineering; implement escalation protocols for anomalous identity activity.
Call to Action
References