Scattered Spider, Muddled Libra: Why hackers are so keen to target airlines

Over the past week, several organisations have raised red flags warning the aviation sector of the potential for cybersecurity incidents. Hackers are thought to be targeting airlines in particular, following similar sector-specific attacks in the past.
With Qantas left reeling from a hack that exposed the data of an estimated six million customers, AGN asks the experts why airlines are now the target for these groups, and what they can do to stay safe.
Why are hackers targeting airlines?
Hackers are increasingly targeting airlines because the sector is both high value and highly vulnerable.
Airlines manage vast amounts of data, from personal details of passengers to payment information and data on crew. This makes them a particularly attractive target both for ransomware attacks and for identity theft.

“Aerospace organizations are attractive targets because of their operational complexity and high sensitivity to downtime,” Sam Rubin, SVP, Consulting and Threat Intelligence at Unit 42 for Palo Alto Networks, tells AGN.
“Attackers understand that even brief disruptions can have far-reaching consequences—financial, logistical, and reputational. This urgency often pressures companies to act quickly, making them more vulnerable to ransom demands.”
The interconnected nature of aviation means airlines are often reliant on a patchwork of IT systems and infrastructure, as well as using third-party vendors for things like customer service and IT support.
This leaves airlines particularly vulnerable to attack. Hackers don’t need to bring down an aircraft to cause operational chaos and long-lasting reputational damage.
Should airlines be concerned about hacks right now?
According to Rubin, airlines should absolutely be worried about becoming the latest targets of sophisticated hacks.
The hacking group of most concern is known by Mandiant, a leading US cybersecurity services firm, as Scattered Spider. Sam Rubin’s team at Palo Alto Networks’ Unit 42 call them Muddled Libra. The group is also referred to by other names, including UNC3944 and Octo Tempest.
Below is a table of the attacks Scattered Spider are known or thought to be responsible for:
Date / Period | Target | Sector | Consequence / Impact |
---|---|---|---|
Sept 2023 (early) | Caesars Entertainment | Casinos | Data breach; ransom ~US $15M (paid); customer ID info stolen |
Sept 11, 2023 | MGM Resorts International | Casinos | Systems crippled for ~36 hrs; ~$100–110M in losses; Okta/Azure environment breached |
Early 2024 | Various US firms (e.g. Snowflake customers) | Tech & Cloud | Data extortion across ~100 organisations, incl. Ticketmaster, AT&T |
Apr–May 2025 | M&S, Co‑op, Harrods (UK) | Retail | DragonForce ransomware; M&S lost ~£300M profit; data theft and loss of services |
Jun 2025 | U.S. insurance firms (e.g. Aflac) | Insurance | Ransomware/data theft; broad insurance sector targeting |
Jun–Jul 2025 | Hawaiian Airlines, WestJet, Qantas | Aviation | IT systems disrupted; PII/frequent flyer data accessed (no safety impact reported) |
“Unit 42 has responded to a wave of high-impact attacks this year—not only in aerospace, but across financial services, telecom, retail, and insurance,” Rubin says. “Targeting the airline industry ahead of the busy Fourth of July holiday, when millions of travellers are on the move, underscores just how opportunistic and disruptive this group aims to be.”
Scattered Spider has a habit of infiltrating one type of organisation, then targeting several others in the sector. In 2023, it targeted casinos including MGM and Caesars. Earlier this year, it crippled the UK high street with hacks on Marks & Spencer and the Co-op.

The group is believed to be behind hacks on Hawaiian Airlines and WestJet, and the Qantas hack is said to have all the hallmarks of a Scattered Spider / Muddled Libra attack.
“Muddled Libra is known to target industries in clusters, using insights from one breach to inform the next,” Rubin explains. “That pattern is why we issued a warning to the aviation sector. Once this group turns its focus to a new sector, follow-on attacks tend to cascade.”
How are hackers infiltrating airlines?
Scattered Spider uses a method of infiltration that hacking watchdogs call ‘social engineering.’ This involves impersonating employees in calls to help desks and IT support in order to bypass authentication controls.
Using freely available information such as LinkedIn profiles or corporate press releases, members of the group convincingly pose as a staff member. They’ll attempt to pressure support teams with urgent language, such as ‘Flight 902 is waiting to depart and I’m locked out of my tablet.’
The group has even been known to use AI-generated voices or deepfake video calls to mimic the person.

Once they gain the trust of the operator, they’ll convince the help desk to reset passwords or enrol new devices for multi-factor authentication. This bypasses standard security entirely.
“With so many stakeholders and systems in play, a single lapse—like a convincing phone call to a busy help desk—can compromise an entire operation,” Rubin warns. “Social engineering thrives in these high-pressure environments, which is why consistent employee vigilance and robust verification protocols are critical to defence.”
Why these types of airline hacks are so difficult to stop
Scattered Spider are something of an anomaly in the hacking world. While most cybercrime gangs originate from Russia, China or Eastern Europe, Scattered Spider is thought to be made up of young, native English speakers based in the US and UK.
This makes their phone and email impersonations convincing, particularly when dealing with English-speaking help desks. They understand workflows, know the industry slang and can be very persuasive when attempting to gain access.
Because these hackers don’t need to break into IT systems in the traditional way, they’re a very difficult problem to deal with. No amount of firewalls or encryption can prevent a contact centre worker from unknowingly giving access to a malicious caller.
How can airlines protect themselves from hacks?
Because this is not an IT issue, there’s no quick fix to prevent a hack. Airlines must focus on tightening their security and identification protocols if they are to avoid being infiltrated.
“The most effective step companies can take is to strengthen their people defences,” says Rubin. “This means clearly defined identity verification procedures, regular training, and empowering employees and support teams to recognise and report suspicious activity.”
Since the IT help desk is a common point of entry, airlines need to lock down access through this door. This could mean requiring multiple verification steps before any MFA reset or password change, or integrating biometric ID checks for high-risk accounts.

Strengthening protocols can help too, such as using phishing-resistant MFA, moving away from legacy protocols like 2FA and ensuring staff only have the access they need, and only for as long as they need it.
The most important focus area for airline hack avoidance is people power. Raising awareness through training or workshops and implementing a zero-blame reporting culture can strengthen that first line of defence and stop a hack before it starts.
“Building awareness and tightening processes can go a long way in preventing these types of attacks,” Rubin concludes.