When the Federal Bureau of Investigation (FBI) sounds the alarm on cybersecurity, organizations should take immediate notice. The latest urgent warning involves the notorious Scattered Spider group, which has already made headlines for attacking major retailers such as Marks & Spencer in the U.K.—a breach estimated to have cost the company upwards of $600 million.
According to the FBI, this cybercriminal organization is now turning its focus to the airline sector, targeting companies both directly and by infiltrating their supply chains. A recent June 26 report by Halcyon ransomware analysts indicated Scattered Spider had expanded operations into the Food, Manufacturing, and Transportation sectors, especially Aviation. The FBI confirmed this, stating via email:
“The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.”
The agency also posted this statement on X, formerly Twitter, highlighting that the attackers use consistent tactics—namely social engineering. Scattered Spider often impersonates employees or contractors to manipulate IT help desks into granting unauthorized access. Their ultimate goal is to sidestep multi-factor authentication (MFA) by convincing support staff to register fraudulent MFA devices to compromised accounts.
This threat group has been on law enforcement radar for years. In 2023, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint advisory after Scattered Spider activity against commercial facilities escalated. Authorities are now working closely with aviation companies to counter this surge in attacks and assist any impacted organizations. The FBI urges anyone who suspects their business has been targeted to contact their local office without delay.
Meanwhile, the Reliaquest Threat Research Team has published a detailed profile of Scattered Spider, emphasizing that 81% of the group’s domains impersonate technology vendors. Their preferred victims are executives and system administrators with high-level credentials. Reliaquest reports that the attackers leverage sophisticated phishing frameworks such as Evilginx and even conduct video calls to deceive targets in industries like finance, technology, and retail.
“Through strategic alliances with major ransomware operators ALPHV, RansomHub, and DragonForce…”
Scattered Spider has gained access to sophisticated tools and techniques, many of which originate from Russia-aligned and English-speaking threat actors. This collaboration has enabled the group to launch highly convincing impersonation campaigns targeting Western organizations.
Social Engineering with a Scripted Edge
To execute these campaigns more effectively, Scattered Spider actively recruits skilled social engineers. Their criteria are precise: candidates must speak native or regionally neutral English and be available during Western business hours. These operators are then equipped with:
Detailed call scripts tailored to the organization being targeted.
Real-time coaching, where a “curator” provides live guidance to handle unexpected situations during calls.
Reliaquest also noted that the group deliberately avoids targeting entities in Russia and the Commonwealth of Independent States, suggesting both geopolitical awareness and operational discipline.
Future Threat: AI-Enhanced Social Engineering
Looking ahead, Reliaquest warns that Scattered Spider is likely to adopt AI tools to further automate and scale their trust-based attacks.
While the FBI’s recent alert focused on threats to the transportation and aviation sectors, other industries are already feeling the impact. John Hultquist, Chief Analyst at Google Threat Intelligence Group, confirmed:
“We are aware of multiple intrusions in the U.S. that bear all the hallmarks of Scattered Spider activity.”
The insurance sector has emerged as a prominent new target. Jon Abbott, CEO of ThreatAware, emphasized:
“The rising tide of attacks on U.S. insurers is a serious threat that should not be underestimated.”
However, he also cautioned that this trend is not limited to insurers; organizations across all industries should take it as a warning.
Supply Chain Weakness: The Common Denominator
Many of these incidents share a dangerous pattern: attackers first compromise a smaller vendor or partner, then use that access to pivot into larger, more valuable targets.
Richard Orange, Vice President at Abnormal AI, echoed the FBI’s concerns:
“This group relies on social engineering rather than technical exploits.”
By posing as trusted contacts, attackers manipulate employees into granting access—allowing them to move laterally across networks, harvest credentials, and breach other departments or third-party systems.
Security First: Verify Every Request
Organisations are strongly advised to:
- Scrutinise all requests for changes to multi-factor authentication (MFA) settings.
- Enforce strict identity verification procedures, regardless of how convincing the caller may seem.
- In this evolving threat landscape, vigilance remains the strongest defense.
