Computing

FBI Warns of Scattered Spider’s Expanding Attacks on Airlines Using Social Engineering

News Room
Published 28 June 2025 (last updated 2025/06/28 at 7:27 AM)

The U.S. Federal Bureau of Investigation (FBI) has revealed that it has observed the notorious cybercrime group Scattered Spider broadening its targeting footprint to strike the airline sector.

To that end, the agency said it’s actively working with aviation and industry partners to combat the activity and help victims.

“These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access,” the FBI said in a post on X. “These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts.”

Scattered Spider attacks are also known to target third-party IT providers to obtain access to large organizations, putting trusted vendors and contractors at risk of potential attacks. The attacks typically pave the way for data theft, extortion, and ransomware.

In a statement shared on LinkedIn, Palo Alto Networks Unit 42’s Sam Rubin confirmed the threat actor’s attacks against the aviation industry, urging organizations to be on “high alert” for advanced social engineering attempts and suspicious multi-factor authentication (MFA) reset requests.

Google-owned Mandiant, which recently warned of Scattered Spider’s targeting of the U.S. insurance sector, also echoed the warning, stating it’s aware of multiple incidents in the airline and transportation verticals that resemble the modus operandi of the hacking crew.

“We recommend that the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets), reset passwords, add devices to MFA solutions, or provide employee information (e.g. employee IDs) that could be used for a subsequent social engineering attack,” Mandiant’s Charles Carmakal said.

One reason Scattered Spider continues to succeed is how well it understands human workflows. Even when technical defenses like MFA are in place, the group focuses on the people behind the systems—knowing that help desk staff, like anyone else, can be caught off guard by a convincing story.

This isn’t about brute-force hacking; it’s about building trust just long enough to sneak in. And when time is short or pressure is high, it’s easy to see how a fake employee request could slip through. That’s why organizations should look beyond traditional endpoint security and rethink how identity verification happens in real time.
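The help desk checks Mandiant recommends above can be written down as a policy rather than left to an agent's judgement under pressure. The following is an added example for this article, not code from the FBI, Mandiant or any vendor; the request types, field names and the seven-day minimum phone age are assumptions. It treats a phone number attached to the account only recently as unable to vouch for the caller, and refuses to let urgency around a privileged account replace an out-of-band approval.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Request types the article names as the ones help desks get talked into (assumed labels).
HIGH_RISK = {"add_phone_number", "reset_password", "add_mfa_device",
             "reset_mfa", "disclose_employee_info"}
@dataclass
class Account:
    privileged: bool        # C-suite or admin: urgency is not a reason to skip checks
    phone_on_file: str
    phone_added: datetime   # when that number was attached to the account
@dataclass
class HelpDeskRequest:
    account: Account
    request_type: str
    callback_number: Optional[str]  # number the agent dialled back; None if no callback
    manager_approved: bool          # out-of-band approval from a known manager
    now: datetime

def verify(req: HelpDeskRequest, min_phone_age: timedelta = timedelta(days=7)) -> tuple:
    """Return ('approve'|'escalate', reasons); escalate = wait for a video/in-person check."""
    if req.request_type not in HIGH_RISK:
        return "approve", ["low-risk request"]
    acct, reasons = req.account, []
    # The callback must reach the number already on file, never one the caller offers.
    if req.callback_number != acct.phone_on_file:
        reasons.append("callback did not reach the number on file")
    # A number attached only recently may itself have been added by the attacker
    # (the article notes new numbers enable self-service resets), so it cannot vouch.
    elif req.now - acct.phone_added < min_phone_age:
        reasons.append("phone on file is younger than %d days" % min_phone_age.days)
    if acct.privileged and not req.manager_approved:
        reasons.append("privileged account needs out-of-band manager approval")
    return ("escalate", reasons) if reasons else ("approve", ["callback and approvals verified"])

def demo() -> dict:
    """Three constructed help desk calls, keyed by scenario name."""
    now = datetime(2025, 6, 27, 9, 0)
    cfo = Account(True, "+1-555-0100", now - timedelta(days=400))
    analyst = Account(False, "+1-555-0150", now - timedelta(days=1))
    return {
        # Caller claims to be the CFO, wants an MFA reset, offers a 'new' callback number.
        "attacker_mfa_reset": verify(HelpDeskRequest(cfo, "reset_mfa", "+1-555-0199", False, now)),
        # Same account, callback to the number on file and a manager signed off.
        "legit_mfa_reset": verify(HelpDeskRequest(cfo, "reset_mfa", "+1-555-0100", True, now)),
        # The analyst's number on file was added yesterday, so it cannot vouch for the caller.
        "fresh_phone": verify(HelpDeskRequest(analyst, "reset_password", "+1-555-0150", False, now)),
    }
```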


The activity tracked as Scattered Spider overlaps with threat clusters such as Muddled Libra, Octo Tempest, Oktapus, Scatter Swine, Star Fraud, and UNC3944. The group, originally known for its SIM swapping attacks, counts social engineering, helpdesk phishing, and insider access among its roster of initial access techniques to penetrate hybrid environments.

“Scattered Spider represents a major evolution in ransomware risk, combining deep social engineering, layered technical sophistication, and rapid double‑extortion capabilities,” Halcyon said. “In a matter of hours, the group can breach, establish persistent access, harvest sensitive data, disable recovery mechanisms, and detonate ransomware across both on‑premises and cloud environments.”

What makes this group especially dangerous is its mix of patient planning and sudden escalation. Scattered Spider doesn’t just rely on stolen credentials—it spends time gathering intel on its targets, often combining social media research with public breach data to impersonate people with scary accuracy. This kind of hybrid threat, blending business email compromise (BEC) techniques with cloud infrastructure sabotage, can fly under the radar until it’s too late.

Scattered Spider is part of an amorphous collective called the Com (aka Comm), which also includes other groups such as LAPSUS$. It’s assessed to have been active since at least 2021.

“This group evolved in the Discord and Telegram communication platforms, drawing in members from diverse backgrounds and interests,” Unit 42 said. “The loose-knit and fluid nature of this group makes it inherently difficult to disrupt.”

In a report published Friday, ReliaQuest detailed how Scattered Spider actors breached an unnamed organization late last month by targeting its chief financial officer (CFO), and abused their elevated access to conduct an extremely precise and calculated attack.

The threat actors have been found to carry out extensive reconnaissance to single out high-value individuals, in this case impersonating the CFO in a call to the company’s IT help desk and persuading them to reset the MFA device and credentials tied to the CFO’s account.

The attackers also leveraged the information obtained during reconnaissance to enter the CFO’s date of birth and the last four digits of their Social Security Number (SSN) into the company’s public login portal as part of their login flow, ultimately confirming their employee ID and validating the gathered information.

“Scattered Spider favors C-Suite accounts for two key reasons: They’re often over-privileged, and IT help-desk requests tied to these accounts are typically treated with urgency, increasing the likelihood of successful social engineering,” the company said. “Access to these accounts gives Scattered Spider a pathway into critical systems, making reconnaissance a cornerstone of its tailored attack plans.”

Armed with access to the CFO’s account, Scattered Spider actors performed a series of actions on the target environment that demonstrated their ability to adapt and rapidly escalate the attack:

  • Conduct Entra ID enumeration on privileged accounts, privileged groups, and service principals for privilege escalation and persistence
  • Perform SharePoint discovery to locate sensitive files and collaborative resources, and gain deeper insights about the organization’s workflows and IT and cloud architectures so as to tailor their attack
  • Infiltrate the Horizon Virtual Desktop Infrastructure (VDI) platform using the CFO’s stolen credentials, compromise two additional accounts via social engineering, extract sensitive information, and establish a foothold in the virtual environment
  • Breach the organization’s VPN infrastructure to secure uninterrupted remote access to internal resources
  • Reinstate previously decommissioned virtual machines (VMs) and create new ones to access the VMware vCenter infrastructure, shut down a virtualized production domain controller, and extract the contents of the NTDS.dit database file
  • Use their elevated access to break into the CyberArk password vault and obtain more than 1,400 secrets
  • Advance the intrusion further using the privileged accounts, including assigning administrator roles to compromised user accounts
  • Use legitimate tools like ngrok to set up persistence to VMs under their control
  • Resort to a “scorched-earth” strategy after its presence was detected by the organization’s security team, prioritizing “speed over stealth” to deliberately delete Azure Firewall policy rule collection groups, hampering regular business operations
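The chain above (help desk reset, then privileged role grants, then VM and firewall changes) is visible in directory and cloud audit logs if the events are correlated per account. The following detection sketch is an added example written for this article, not code or a schema from ReliaQuest or Microsoft; the audit trail is constructed and the action, field and role names are assumptions. It flags an account whose MFA method or password was changed and that then grants a privileged role within a day, and any destructive action by an account granted a role that way.

```python
from datetime import datetime, timedelta

# Constructed audit trail modelled on the sequence in the article; not real log data.
EVENTS = [
    {"ts": "2025-05-27T09:02:00", "actor": "cfo", "action": "mfa_method_added", "target": "cfo"},
    {"ts": "2025-05-27T09:05:00", "actor": "cfo", "action": "password_reset", "target": "cfo"},
    {"ts": "2025-05-27T11:40:00", "actor": "cfo", "action": "role_assigned",
     "target": "it-ops-3", "role": "Global Administrator"},
    {"ts": "2025-05-27T13:15:00", "actor": "it-ops-3", "action": "vm_powered_on", "target": "dc01-old"},
    {"ts": "2025-05-28T02:10:00", "actor": "it-ops-3", "action": "firewall_rcg_deleted", "target": "prod-rcg"},
    # Benign: a routine MFA enrolment with no privileged activity afterwards.
    {"ts": "2025-05-20T08:00:00", "actor": "hr-admin", "action": "mfa_method_added", "target": "hr-admin"},
]
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
DESTRUCTIVE = {"firewall_rcg_deleted", "vm_powered_on", "vm_created"}

def detect(events, window=timedelta(hours=24)):
    """Return (alert_type, actor, target, ts) tuples in time order.

    recovery_then_privileged_grant: an account whose MFA/password was changed grants a
    privileged role within `window`. destructive_action_by_tainted_account: the account
    that received such a grant then powers on/creates VMs or deletes firewall rules."""
    recovery = {}   # account -> time of its most recent MFA or password change
    tainted = {}    # account -> time it was granted a privileged role by a recovered account
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(e["ts"])
        if e["action"] in ("mfa_method_added", "password_reset"):
            recovery[e["target"]] = t
        elif e["action"] == "role_assigned" and e.get("role") in PRIVILEGED_ROLES:
            since = recovery.get(e["actor"])
            if since is not None and t - since <= window:
                alerts.append(("recovery_then_privileged_grant", e["actor"], e["target"], e["ts"]))
                tainted[e["target"]] = t
        elif e["action"] in DESTRUCTIVE and e["actor"] in tainted:
            alerts.append(("destructive_action_by_tainted_account", e["actor"], e["target"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```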

ReliaQuest also described what was essentially a tug-of-war between the incident response team and the threat actors for the control of the Global Administrator role within the Entra ID tenant, a battle that only ended after Microsoft itself stepped in to restore control over the tenant.

The bigger picture here is that social engineering attacks are no longer just phishing emails—they’ve evolved into full-blown identity threat campaigns, where attackers follow detailed playbooks to bypass every layer of defense. From SIM swapping to vishing and privilege escalation, Scattered Spider shows how quickly attackers can move when the path is clear.

For most companies, the first step isn’t buying new tools—it’s tightening internal processes, especially for things like help desk approvals and account recovery. The more you rely on people for identity decisions, the more important it becomes to train them with real-world examples.

“Scattered Spider’s initial access methods expose a critical weakness in many organizations: Reliance on human-centric workflows for identity verification,” security researchers Alexa Feminella and James Xiang said.

“By weaponizing trust, the group bypassed strong technical defenses and demonstrated how easily attackers can manipulate established processes to achieve their goals. This vulnerability highlights the urgent need for businesses to reevaluate and strengthen ID verification protocols, reducing the risk of human error as a gateway for adversaries.”
