By: D.D. Reese
A cybercriminal group has recently targeted computer networks within the aviation industry, affecting multiple airlines in the United States and Canada, according to statements from the FBI and cybersecurity experts assisting with the response.
While the breaches have not impacted airline flight operations or safety systems, the incidents have raised concerns among cybersecurity officials, particularly due to the group’s reputation for aggressive tactics. The group, known as “Scattered Spider,” has previously been linked to cyberattacks in other major sectors, including insurance and retail.
According to a public statement issued by the FBI on Friday, the group typically gains unauthorized access to corporate networks, exfiltrates sensitive data, and at times deploys ransomware for extortion purposes. The agency confirmed that it is actively coordinating with aviation stakeholders to manage the current situation and support affected organizations.
Airlines including Hawaiian Airlines and Canada’s WestJet have acknowledged recent cybersecurity incidents but did not name any specific group. Both airlines reported that their core operations were not disrupted and that internal investigations are ongoing.
WestJet first reported a “cybersecurity incident” approximately two weeks ago, which affected access to specific services and software, including its mobile app. Hawaiian Airlines has also stated that it is continuing to assess the scope of the breach.
Experts note that the limited operational impact may be due to strong internal network segmentation and business continuity planning. “This likely reflects good network architecture and resiliency,” said Aakin Patel, a former chief information security officer at a major U.S. airport.
According to the Aviation Information Sharing and Analysis Center (Aviation ISAC), the threat landscape has broadened beyond airlines themselves to other parts of the aviation ecosystem, such as contractors and vendors. Jeffrey Troy, the organization’s president, emphasized that members remain alert to financially motivated attacks and broader cybersecurity risks tied to global events.
While the airline breaches are under review, the industry also dealt with unrelated technical issues on Friday, when an IT outage affected some passengers at American Airlines. There is no indication that the outage was linked to malicious activity.
Cybersecurity teams at major airlines are closely monitoring the situation, and several are working with external experts, including cybersecurity firm Mandiant, a Google subsidiary, to improve protections, particularly around customer service call centers. One of the techniques reportedly used by the attackers involves impersonating employees to gain access through support channels.
“Call centers are essential to airline support operations and may be vulnerable entry points,” Patel said.
Scattered Spider gained widespread attention in 2023 following high-profile breaches at MGM Resorts and Caesars Entertainment. The group is known to focus on specific industries for extended periods and has recently been linked to incidents involving companies in the insurance and retail sectors.
Mandiant Chief Technology Officer Charles Carmakal confirmed that the group’s approach has remained consistent over time and that several incidents within the airline and broader transportation sectors share characteristics with the group’s known tactics.
Industry response efforts are ongoing, and authorities continue to assess the full scope of the breaches. The FBI encourages organizations within the aviation sector to review their security protocols and report any suspicious activity.