Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Scattered Spider. Show all posts
Scattered Spider
Cyber Attacks DragonForce Marks & Spencer Ransomware Scattered Spider

M&S Cyberattack: Retailer Issues Fresh Warning to Shoppers

 

Marks & Spencer (M&S) suffered a severe cyberattack in April 2025, orchestrated by the ransomware group known as Scattered Spider, with the ransomware called DragonForce. This breach forced M&S to halt all online transactions for nearly six weeks, disrupting its operations during a traditionally strong trading period around Easter. 

The attackers first infiltrated M&S's network through social engineering tactics aimed at a third-party IT helpdesk contractor, Tata Consultancy Services, tricking staff into granting access. This human error allowed the hackers to steal sensitive customer personal data, including names, addresses, emails, phone numbers, birthdates, and order histories, though no payment details or passwords were compromised.

As a result, M&S had to suspend online shopping completely and revert to manual processes for inventory and logistics, which led to empty shelves and disrupted service in many stores. Contactless payments and order collection systems failed at the outset of the incident, adding to customer frustration. M&S publicly apologized and reset all customer passwords on affected accounts as a precaution against subsequent phishing attacks using the stolen data.

Financially, the incident is estimated to have cost M&S approximately £300 million in lost profits, which significantly impacted its half-year results. Despite the disruption, M&S’s revenue during the affected period remained relatively stable, reflecting growth in grocery and clothing/home segments, though online market share was partly lost to competitors like Next. The full impact on profits and sales was to be revealed in M&S’s upcoming financial report.

The cyber attack highlighted vulnerabilities in traditional cybersecurity defenses focused on inbound threats, as the ransomware attack involved a "double extortion" technique where data was exfiltrated before encryption, and legacy tools failed to detect the outbound data theft. Experts suggest that more advanced anti-data exfiltration capabilities could have mitigated damage. M&S is reviewing its cybersecurity posture and continuing to recover operationally while managing costs and store investments moving forward.

M&S shoppers were urged to remain vigilant against phishing scams, as criminals exploit stolen personal data for targeted attacks. The incident underscores the evolving threats retailers face from ransomware and social engineering attacks on supply chains and third-party vendors. Overall, the attack marked a significant challenge for M&S’s digital and retail operations with a wide-reaching customer impact and financial implications.
Read more »
Scattered Spider
Customer Data Data Breach Extortion Group NCA Ransomware Salesforce Scattered Spider

Salesforce Refuses to Pay Extortion Demand After Alleged Theft of Nearly One Billion Records




Salesforce has confirmed it will not pay a ransom to an extortion group that claims to have stolen close to one billion records belonging to several of its customers. The company stated that it will not enter negotiations or make payments to any threat actor, reaffirming its policy of non-engagement with cybercriminals.


Extortion Group Claims to Have Breached Dozens of Salesforce Customers

The group behind the alleged theft calls itself “Scattered LAPSUS$ Hunters”, a name that appears to blend identities from three notorious cyber-extortion collectives: Scattered Spider, LAPSUS$, and ShinyHunters. Cybersecurity firm Mandiant, owned by Google, has been tracking this activity under the identifier UNC6040, though analysts say the group’s exact origins and membership remain unconfirmed.

According to Mandiant’s June report, the campaign began in May, when attackers used voice-based social engineering, or “vishing,” to trick employees at several organizations using Salesforce’s platform. Pretending to represent technical support teams, the callers persuaded employees to connect an attacker-controlled application to their company’s Salesforce environment. Once integrated, the app provided unauthorized access to stored customer data.

Security researchers described the tactic as simple but highly effective, since it relies on human trust rather than exploiting software vulnerabilities. Several organizations unknowingly granted the attackers access, enabling them to exfiltrate vast amounts of data.

Earlier this month, the extortionists created a leak site listing approximately 40 affected Salesforce customers, including large global firms. The site claimed that 989.45 million records had been compromised and demanded that Salesforce begin ransom negotiations “or all your customers’ data will be leaked.” The attackers added that if Salesforce agreed to pay, other victim companies would not be required to do so individually.

Salesforce, however, made its position clear. In a statement to media outlets, a company spokesperson said, “Salesforce will not engage, negotiate with, or pay any extortion demand.” The company also informed customers via email that it had received credible intelligence about plans by ShinyHunters to release the stolen data publicly, but it would still not yield to any ransom demand.


Broader Concerns Over Ransomware Economics

The incident adds to a growing global debate over ransom payments. Analysts say extortion and ransomware attacks persist largely because organizations continue to pay. According to Deepstrike Security, global ransom payments in 2024 reached $813 million, a decline from $1.1 billion in 2023 but still a major incentive for criminal groups.

Experts such as independent security researcher Kevin Beaumont have repeatedly criticized the practice of paying ransoms, arguing that it directly funds organized crime and perpetuates the cycle of attacks. Beaumont noted that while law enforcement agencies like the UK’s National Crime Agency (NCA) publicly discourage payments, some companies still proceed with negotiations, sometimes even with NCA representatives present.


Risks and Lessons for Organizations

Data stolen from cloud-based platforms like Salesforce may include customer identifiers, contact details, transaction histories, and other business records. Even without financial information, such data can be weaponized in phishing, identity theft, or fraud campaigns.

Security professionals advise all organizations using cloud platforms to implement multi-factor authentication, enforce least-privilege access controls, and review all third-party applications connected to their systems. Employees should be trained to verify unexpected support calls or administrative requests through official channels before granting access.

The Salesforce case underscores the growing sophistication of social engineering attacks targeting major enterprise platforms. As digital ecosystems expand, cybercriminals are increasingly exploiting human error rather than software flaws. Salesforce’s refusal to pay marks a firm stance in an era when ransom-driven extortion continues to dominate the threat landscape, sending a strong message to both the cybersecurity community and the attackers themselves.



Read more »
Social Engineering
Cyber Crime Ransom Payment Ransomware Scattered Spider Social Engineering

Teens Arrested Over Scattered Spider’s $115M Hacking Spree

 

Law enforcement authorities in the United States and United Kingdom have arrested two teenagers connected to the notorious Scattered Spider hacking collective, charging them with executing an extensive cybercrime operation that netted over $115 million in ransom payments.

The UK's National Crime Agency arrested 19-year-old Thalha Jubair of East London and 18-year-old Owen Flowers of Walsall, West Midlands, at their homes on Tuesday. Both suspects appeared in London court on Thursday to face charges related to their alleged involvement in a cyberattack against Transport for London (TfL) in August 2024 .

Scale of criminal activity

The US Justice Department has charged Jubair with participating in at least 120 computer network intrusions and extortion attempts targeting 47 US organizations from May 2022 to September 2025. Federal authorities allege these attacks caused victims to pay more than $115 million in ransom payments, with the malicious activities causing significant disruptions to US enterprises, critical infrastructure, and the federal judicial system.

Timeline of offenses

Investigators believe Jubair began his cybercriminal activities at age 14, with the hacking spree spanning from 2022 until last month. Flowers was initially arrested in September 2024 for the TfL attack but was released on bail before being rearrested l. Both suspects had previously been detained in July for data theft incidents targeting UK retailers including Marks & Spencer, Harrods, and Co-op Group.

Scattered Spider distinguishes itself from other cybercriminal organizations through the notably young age of its members and their English-speaking proficiency. The group employs sophisticated social engineering tactics, frequently impersonating IT support personnel to deceive employees into revealing passwords or installing remote access software. Their attacks have disrupted major organizations including MGM Resorts and Caesars Entertainment in Las Vegas during 2023.

Legal consequences 

Jubair faces multiple charges related to computer fraud and money laundering, with prosecutors indicating he could receive a maximum sentence of 95 years in prison if convicted. Investigators linked the breaches to Jubair through evidence showing he managed servers hosting cryptocurrency wallets used for receiving ransom payments. 

Flowers faces additional charges for conspiring to infiltrate and damage networks of US healthcare companies SSM Health Care Corporation and Sutter Health.
Read more »
Scattered Spider
AI news Cyber Attacks cyberattacks trending news malware Scattered Spider

Scattered Spider Targets VMware ESXi Hosts in Rapid, High-Impact Cyber Attacks Across North America

 

A notorious cybercrime group known as Scattered Spider is ramping up sophisticated attacks on VMware ESXi hypervisors, zeroing in on critical infrastructure across North America’s retail, airline, and transportation sectors. Also referred to as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the group is renowned for bypassing traditional security measures through elaborate social engineering campaigns rather than exploiting software vulnerabilities. 

In a recent in-depth analysis, Google’s Mandiant unit revealed that the group’s hallmark tactic involves impersonating employees during phone calls to IT help desks. Once initial access is secured, attackers proceed with highly targeted and well-organized operations, focusing on core enterprise systems and sensitive data. "Their campaigns are aggressive, precise, and driven by human engineering more than by code,” noted Mandiant researchers. 

Rather than launching broad opportunistic attacks, Scattered Spider operates with an almost surgical approach. The group frequently mimics legitimate IT infrastructure by registering domain names resembling official portals — including variations like victimname-sso[.]com, victimname-servicedesk[.]com, and sso-victimname[.]com. 

To counter the evolving tactics of groups like Scattered Spider, cybersecurity experts advise a layered and proactive defense strategy. At the infrastructure level, organizations should enable lockdown mode in VMware vSphere, enforce the use of only signed binaries through execInstalledOnly, apply VM encryption, retire outdated virtual machines, and strengthen help desk protocols to prevent social engineering exploits. 

Identity security is equally crucial, companies must implement phishing-resistant multi-factor authentication, segregate critical identity systems, and avoid authentication loops that could be exploited by attackers. 

Additionally, effective monitoring and backup practices are essential. This includes centralizing log collection for better threat visibility, ensuring backups are stored separately from production Active Directory environments, and making them inaccessible to compromised administrators. These measures collectively form a more resilient defense posture, helping organizations detect, contain, and recover from sophisticated intrusion attempts targeting their virtual infrastructure.
Read more »
Scattered Spider
Data Breach Identity Theft Indemnity Insurance philadelphia Scattered Spider

Insurance Provider Reports June Cyber Breach

 


Philadelphia Indemnity Insurance Company has confirmed that customer information was exposed during a cyber incident that occurred in June. The company shared the update through a recent filing with California’s Attorney General, marking the latest in a growing number of attacks targeting the insurance sector.

The breach was traced back to a period between June 9 and June 10, when an unauthorized individual gained access to parts of the company’s systems. Although the incident was initially referred to as a network outage, a closer look revealed that certain personal details belonging to customers had been accessed and stolen.

According to the company’s investigation, which concluded about a month later on July 9, the compromised information included customers’ full names, birth dates, and driver’s license numbers. So far, the company has not revealed how many individuals were affected or who might be responsible for the breach.

Philadelphia Indemnity stated that no ransomware was used, and no files were encrypted during the incident. However, to better understand what happened and assess the damage, the company hired independent cybersecurity experts and reported the situation to law enforcement.

This breach comes at a time when cyberattacks targeting insurance companies appear to be on the rise. Security researchers have recently linked several similar incidents to a known hacking group called "Scattered Spider," although Philadelphia Indemnity has not confirmed any connection to that group in this case.

Other companies in the industry, including Aflac and Erie Insurance, also reported data breaches in June, suggesting a broader trend of insurance providers being targeted.

As of now, Philadelphia Indemnity has not issued a public statement beyond the regulatory filing and did not respond to requests for further comment.

The incident is a wake up call regarding the growing risks in the digital ecosystem and the importance of strong cybersecurity, especially for organizations that manage sensitive personal data. Customers are advised to monitor their accounts for unusual activity and consider taking precautionary steps like credit monitoring or identity theft protection.

Read more »
UNC9344
ALPHV CyberCrime Cybersecurity CyberThreat Financial crime IT Help Desk malware Rasnomware Scattered Spider UNC9344

Scattered Spider Broadens Attack Techniques in Latest Cyber Incidents

 


Known by aliases such as UNC3944, Scatter Swine, and Muddled Libra, Scatter Spider is an extremely persistent and adaptable cybercriminal group focused on financial gain. In the current cyber threat environment, the Scatter Spider group stands out as one of the most persistent and adaptive threat actors. Having been active since May of 2022, the group has built a reputation for targeting high-value organisations in several sectors, including telecommunications, outsourcing companies, cloud providers, and technology companies. 


A deliberate strategy to exploit industries that have large customer bases and complex IT infrastructure has been demonstrated by their focus on expanding further in recent months to include retail giants, financial institutions, and airlines. 

Scattered Spider is known for its sophisticated use of social engineering, specifically utilising the manipulation of IT help desks to gain unauthorised access to enterprise networks. That is why Scattered Spider has become one of the world's leading social engineering firms. As a result of this approach, the group has been able to bypass conventional perimeter defences and move laterally inside victim environments with alarming speed and precision, often without any detection. 

Despite the group's continuous evolution, both in terms of their technical abilities and their operational scope, recent breaches involving large UK retailers and airline companies highlight their continued evolution. A cybersecurity practitioner is strongly advised to gain a deeper understanding of the evolving techniques used by Scattered Spider because their operations are escalating in frequency and impact. 

It is vital to implement proactive defence measures to combat the threat posed by this increasingly sophisticated adversary, including training employees on security risks, implementing rigorous access controls, and monitoring the network continuously. With Scattered Spider, there is a significant shift in the threat landscape since it emphasises identity-based attacks over technical exploits, which represents a disruptive shift in the threat landscape that differs from traditional threat actors who tend to exploit technical vulnerabilities and deploy advanced malware. 

They use social engineering as their main attack vector rather than zero-day vulnerabilities, which means their operations are rooted in human manipulation rather than zero-day vulnerabilities. They typically attack outsourced IT services providers and help desks as their entry points. They usually pose as legitimate employees and exploit routine support workflows by impersonating them. 

With the help of social engineering, Scattered Spider bypasses many conventional security controls and gains privileged access to any network with minimal resistance. Once within a network, Scattered Spider does not rely on complex backdoors or stealthy implants to gain access to the network. By exploiting identity systems, they can move laterally and escalate privileges by utilising legitimate credentials and internal knowledge.

In addition to their ability to mimic internal users, use company-specific jargon and employ familiar tools, they are able to blend seamlessly into normal operations with ease. Despite the fact that it is common for commonly trusted administrative tools like PowerShell, remote monitoring and management (RMM) platforms, and cloud service provider consoles to be misused, detecting these threats can be a challenge. Scattered Spider performs independent attacks regularly.

It has been linked to notorious ransomware collectives such as ALPHV (BlackCat) and DragonForce and often acts as an initial access broker or even the operator of the attack, although their alliances are only opportunistic at best. Throughout their history, the group has demonstrated a willingness to abandon or undermine partners if that would serve their own objectives. This is an unpredictable behaviour that has earned them a reputation for being volatile. In their operations, Scattered Spider has demonstrated agility, resourcefulness, and defiance towards conventional hierarchies, the mindset of a rogue start-up. 

The combination of this unpredictability with their deep knowledge of enterprise environments makes them a formidable adversary that is unique in the industry. As a result of recent developments, Scattered Spider has been increasing its operational reach, which has heightened concerns within the cybersecurity community. In a public statement shared with me via LinkedIn, Sam Rubin, a representative of Palo Alto Networks' Unit 42, confirmed that the threat actor has been actively targeting the aviation sector for some time. 

The expert stressed that organisations, particularly those within critical infrastructure and transportation sectors-have to remain vigilant against sophisticated social engineering campaigns. Specifically, Rubin advised that suspicious requests for multi-factor authentication resets (MFA) were becoming increasingly common among identity-centric intrusion groups, a hallmark of their approach to identity theft. 

Similarly, Google's cybersecurity company Mandiant echoed these concerns as it observed Scattered Spider's activities as well. In response to this, Mandiant also issued a warning. In its recent report, Mandiant highlighted a pattern of attacks affecting airline and transportation companies in the U.S., as well asthe  recent targeting of companies within the U.S. insurance industry. 

As the firm says, the numerous incidents of this group closely align with its established method of operation, particularly in terms of impersonation, identity abuse, and exploitation of IT support workflows, which are all part of the group's established modus operandi. It is clear that Scattered Spider is continuing to broaden its attack surface and has increasingly targeted industries that handle large amounts of personal and financial data, as well as those that have intricate supply chains and third-party dependents that need to manage large amounts of sensitive data. 

In late June of 2025, Scattered Spider demonstrated an even more dramatic strategic shift as it aggressively focused its efforts on the global aviation industry. In a matter of hours, what seemed like isolated and unconfirmed cyberattacks on a few airlines quickly escalated into a coordinated series of cyberattacks that had global repercussions. 

A report issued by the Federal Bureau of Investigation (FBI) confirmed that the Scattered Spider was targeting major airline operators as well as the general public in an official advisory. This alert occurred at a time when two prominent Canadian carriers, WestJet, as well as Hawaiian Airlines, experienced disruptions caused by suspected cyberattacks, both of which experienced service interruptions as a result of these cyberattacks. 

Additionally, Australia’s flagship airline, Qantas, also recently reported a significant security breach that was allegedly perpetrated by a third-party service provider. One of the systems compromised was the call centre platform used to handle customer service, highlighting a recurring pattern in Scattered Spider's operations: exploiting the weakest links in the supply chain to achieve its objectives. 

Approximately 6 million Qantas passengers' sensitive data was accessed by hacker groups, including their full names, contact information, birth dates, and frequent flyer numbers, and was exposed in this manner. In spite of the fact that no financial or passport information was reported to have been taken, the breach underscores the dangers associated with third-party access points in highly interconnected environments. 

A preliminary investigation into each of these three incidents revealed that the threat actors used a phone-based phishing technique that is commonly known as "vishing" in order to manipulate airline IT departments and contractors in all three incidents. It was aimed at obtaining VPN credentials and resetting Multi-factor authentication (MFA) security settings in order to impersonate internal employees and escalate privileges within corporate systems by impersonating internal employees. 

Rather than relying on traditional technical exploits, Scattered Spider takes advantage of the trust placed in third-party vendors, such as those able to manage ticketing systems, call centres, and backend IT services. In addition to a deep understanding of aviation operations, Scattered Spider's tactical preference is to attack through a social engineering-based and identity-based attack vector rather than a traditional technical attack vector. 

Scattered Spider has been evolving its operational sophistication, and its focus is increasingly on high-ranking executives, according to a recent report from security firm ReliaQuest. In an incident disclosed last Friday, a threat group infiltrated an unidentifiedorganisationn by targeting its Chief Financial Officer (CFO), who is a role that is generally granted access and authority to the organization. 

As stated by ReliaQuest, the attackers conducted extensive reconnaissance to map the CFO's digital footprint before launching a highly targeted social engineering campaign to compromise the CFO's identity and credentials. The attackers succeeded in persuading staff members to reset the multi-factor authentication device linked to the account in order to start the intrusion process. 

They impersonated the CFO and reached out to the IT help desk in order to convince them that their account could not be protected. In the course of verifying their identity via the company's public login portal, they used previously collected information, including the CFO's birthdate and the last four digits of his Social Security Number, further legitimising their access.

As a result of their broad privileges and the high priority that their support requests receive, Scattered Spider strategically targets C-suite executives as a target due to their strategic use of these systems, allowing them to successfully impersonate C-suite executives. With impressive speed and precision, the attackers were able to escalate privileges and move laterally across the organisation's infrastructure with remarkable speed and precision once inside the organisation by using the CFO's account. 

In the post-compromise activity, it was evident that the group had an extensive understanding of enterprise environments. In order to identify privileged accounts, groups, and service principals, they initiated Entra ID enumeration to establish a platform for escalation and persistence of privileges. Moreover, they performed a SharePoint discovery to determine where sensitive data was located and how business workflows worked, followed by compromising Horizon Virtual Desktop Infrastructure (VDI), which was accompanied by further account takeovers by social engineering. 

In order to ensure that remote access would remain uninterrupted, Scattered Spider breached the organisation's VPN network infrastructure. To access VMware's vCenter platform, the group reactivated and created new virtual machines that had been decommissioned. Using elevated access, they then compromised the CyberArk password vault, taking over 1,400 credentials. In addition to disabling a production domain controller, they also extracted the NTDS.dit database containing critical Active Directory information. 

They used legitimate tools such as ngrok for persistent remote access to compromised accounts to firmly establish themselves in control of compromised accounts. When the attackers were discovered, they switched tactics, deploying a destructive "scorched-earth" attack — deleting entire policy rule collections from Azure Firewall as well as causing significant disruptions in operations. 

It is clear from this incident that Scattered Spider is an incredibly adaptable and ruthless cybercriminal organisation, which reinforces its reputation as one of the most dangerous and unpredictable cybercriminals around today. In light of Scattered Spider's increasing activity and its increasingly tailored, identity-based attack strategies, organisations should reassess the security posture of their organisation beyond conventional perimeter defences and evaluate how resilient they are. 

The threat vectors posed by this group continue to exploit human behaviour, trust-based processes, and fragmented digital ecosystems, which require defenders to adopt a proactive and intelligence-driven approach to threat detection and response. To accomplish this, robust identity verification workflows must be implemented for privileged access requests, behavioural analysis of high-value accounts must be conducted regularly, and third-party risk management policies should be strengthened. 

Additionally, organisations need to ensure that cross-functional incident response plans are in place that take social engineering intrusions, privilege abuse scenarios, and other types of threat models into account-threat models that are no longer theoretical but operationally routine for adversaries such as Scattered Spider. 

There is no doubt that cybercriminals are evolving with startup-like agility, and so defenders must also adapt to meet these demands. It is important to work collaboratively, share threat intelligence, and foster an organisational culture in which security is not just a technical function, but a core responsibility of the organisation. 

Data loss is not the only issue that is at stake anymore-the stakes now include operational continuity, brand trust, and strategic resilience as well. Rather than simply building technical defences to protect against threats such as Scattered Spider, organizations should cultivate a culture of security resilience and go beyond technical defenses. 

The purpose of red team exercises that simulate identity-based attacks, aligning executive leadership, IT, and security teams around shared accountability, and conducting adversary emulation exercises to continuously validate security assumptions is all part of the process. Keeping an organisation safe from attackers, regardless of the level of trust they exploit, requires vigilance across all levels of the organisation - strategic, operational, and human. 

Organisations that have invested in adaptive, intelligence-driven defence programs are better equipped not only to withstand such threats, but also to recover quickly and decisively if they do occur. It is no longer about building higher walls when it comes to cybersecurity—it is about outsmarting the intruders already at the gate with your help. 

With Scattered Spider utilising surgical precision and manipulating human trust, hijacking identities, and exploiting operational vulnerabilities, organizations have to reconsider what resilience is really about. The era of static defenses has come to an end. In order to respond to incident effectively, security teams need to implement adaptive strategies based on intelligence, behavior analytics, and proactive incident management. 

In order to accomplish this, rigorous identity verification processes need to be implemented, privileged user behaviour needs to be continually monitored, and third-party integrations should be more tightly vetted—areas that are increasingly exploited by cybercriminals with startup-like agility. But resilience is more than just tools and tech. 

A shared responsibility exists between executive leadership, IT, and security operations. Simulated red-team exercises that mimic real-world identity breaches are effective at exposing hidden vulnerabilities while adversary emulation challenges long-standing security assumptions. In the end, if people are going to defend themselves against adversaries such as Scattered Spider, they must adopt a defensive-in-depth philosophy where they integrate people, process, and technology.

Those companies that are committed to investing in continuous readiness—not just in the prevention of a disaster, but also in responding to one when it happens and recovering from it—will be better positioned to counter tomorrow's threats and emerge stronger from them.
Read more »
Scattered Spider
Cyber Bureau Cyberattacks CyberCrime Cybersecurity CyberThreat FBI FBI warning IT malware MGM Resorts Scattered Spider

FBI Urges Airlines to Prepare for Evolving Threat Scenarios

 


Federal investigators have warned that the cyberextortion collective known as Scattered Spider is steadily expanding its reach to cover airlines and their technology vendors, a fresh alarm that has just been sounded for the aviation sector. According to an FBI advisory, the syndicate, already infamous for having breached high-profile U.S. casinos, Fortune 500 companies, and government agencies, relies more on social engineering tactics than malicious software. 

As it masquerades as a legitimate employee or trusted contractor, its operatives communicate with help desk staff, request credentials to be reset, or convince agents to enrol rogue devices in multi-factor authentication. The carefully orchestrated deceptions enable privileged network access, resulting in data exfiltration and ransomware deployment by enabling the exploitation of malicious malware. 

In a statement published by the Bureau, it stressed that the threat "remains ongoing and rapidly evolving," and encouraged organisations to report intrusions as soon as possible, as well as reiterating its longstanding prohibition against paying ransom. A loosely organised, but extremely effective group of cybercriminals, dominated by English-speaking cybercriminals, many of whom are teenagers or young adults, is regarded by experts as Scattered Spider. 

Despite their age, the group has demonstrated a level of sophistication that rivals seasoned threat actors. The primary motive of these criminals appears to be financial gain, with most of their operations focused on stealing and extorting corporate data in the form of ransom payments and extortion. Once the attackers obtain access to sensitive data, they often exfiltrate it for ransom or resale it on the underground market, and in many instances, they use ransomware to further compel victims to cooperate. 

The distinctiveness of Scattered Spider from other cybercriminal groups lies in the way it uses social engineering tactics to gain an advantage in cybercrime. Instead of relying heavily on malware, the group utilises psychological manipulation to attack organisations' vulnerabilities. In order to pressure employees, particularly employees who work at the help desk, to surrender their access credentials or override security protocols, phishing campaigns, impersonation schemes, and even direct threats are often used. 

Some reports have indicated that attackers have used coercion or intimidation to access support staff in an attempt to expedite access to the system. As a result of the group's reliance on human engineering rather than technology tools, they have been able to bypass even the most advanced security measures, making them especially dangerous for large organisations that utilise distributed and outsourced IT support services. Their tactical changes reflect a calculated approach to breaching high-value targets swiftly, stealthily, with minimal resistance, and with speed. 

There was a stark public warning released by the Federal Bureau of Investigation on June 27, 2025, stating that the United States aviation industry is now firmly under threat from a wave of cyber-aggression that is escalating rapidly. It has been observed that, unlike traditional threats that involved physical attacks, these new threats come from highly skilled cybercriminals rather than hijackers. 

There is a cybercrime group known as Scattered Spider at the forefront of this escalating threat, widely regarded to be among the most sophisticated and dangerous actors in the digital threat landscape. The group, which was previously known for its high-impact breaches on major hospitality giants such as MGM Resorts and Caesars Entertainment, has now switched its attention to the aviation sector, signalling that the group has taken a key step in changing the way it targets the aviation sector. 

At a time when geopolitical instability worldwide is at its peak, this warning has an even greater urgency than ever. Having large-scale cyberattacks on airline infrastructure is no longer just a theoretical possibility—it has become a credible threat with serious implications for national security, economic stability, and public safety that cannot be ignored. 

A new generation of malware-driven operations, Scattered Spider, utilising advanced social engineering techniques for infiltration into networks, as opposed to traditional malware-based attacks. It has been reported that members of the group impersonate legitimate employees or contractors and make contact with internal help desks by creating convincing narratives that manipulate agents into bypassing multi-factor authentication protocols. 

Once they have entered a network, they usually move laterally with speed and precision to gain access to sensitive data and systems. Researchers from Google's Mandiant division have confirmed the group's advanced capabilities in the field of cybersecurity. According to the Chief Technology Officer of Mandiant, Charles Carmakal, Scattered Spider is adept at maintaining persistence within compromised systems, moving laterally, and elevating privileges as quickly as possible. 

It is common knowledge that a group of individuals capable of deploying ransomware within hours of first access to their computer systems are capable of doing so, thereby leaving very little time for detection and response. As a result of the FBI's warning, airlines and their vendors need to increase access controls, train their staff against social engineering, and report suspicious activity immediately. 

There has been some observation from cybersecurity experts that Scattered Spider has previously targeted a broad range of high-value sectors, such as finance, healthcare, retail, as well as the gaming industry, in the past. However, as the group appears to be shifting its focus to the aviation sector, a domain that possesses an extremely wide-open attack surface and is particularly vulnerable. 

It is important to note that the airline industry heavily relies on interconnected IT infrastructure as well as third-party service providers, which makes it extremely vulnerable to cascading effects in the case of a breach. A single compromised vendor, especially one with access to critical systems like maintenance platforms, reservation networks, or crew scheduling tools, might pose an immediate threat to multiple airline customers. 

It is the FBI's latest advisory, in which they emphasise the urgency and the evolving nature of this threat, encouraging airlines and their related vendors to reevaluate their security protocols internally and to strengthen them. Organisations are encouraged to strengthen their identity verification procedures, particularly when dealing with IT-related requests involving password resets, reconfiguring multi-factor authentication (MFA), or access permissions that are related to IT.

According to the Bureau, stricter controls should be implemented over privileged access, and staff members should be trained and made aware of social engineering tactics, as well as closely monitoring for unusual activity, such as attempts to log in from unfamiliar locations or devices that have not been previously associated with an account. The report of suspected intrusions must also be done quickly and efficiently. 

In addition to the FBI’s emphasis on early notification, law enforcement and intelligence agencies are able to trace malicious activity more effectively, which can limit the damage and prevent further compromise if it is caught in the first place. Scattered Spider has been involved in several previous operations in which not only has it stolen data, but it has also extorted money. It frequently threatens to release or encrypt sensitive data until ransom demands are met. 

Despite the fact that there is no evidence to suggest that flight safety has been directly affected, the nature of the intrusions has raised serious concerns. In light of the potential vulnerability of systems that process passenger information, crew assignments, and operational logistics, the risk for business continuity, and by extension, public trust, remains high. 

Aviation is now being called upon to act decisively in order to combat the threat of cybercriminal groups like Scattered Spider, which is not merely a back-office function but rather a core component of operational resilience. The airline IT departments, the helpdesk teams at the airlines, and third-party vendors must all implement robust identity verification processes as well as technical safeguards in order to combat the growing threat posed by cybercriminal groups like Scattered Spider. 

Among the most urgent priorities right now is strengthening the frontline defences at the level of the help desk, where attackers often exploit human error and the inexperience of employees. According to security experts, callback procedures should be established with only pre-approved internal contact numbers, callers should be required to verify a non-obvious “known secret” such as an internal training code, and a dual-approval policy should be implemented when performing sensitive actions such as resets of multi-factor authentication (MFA), especially when those accounts are privileged. 

Also, every identity enrollment should be logged and audited, with a Security Information and Event Management (SIEM) system able to trigger real-time alerts that flag suspicious behaviour. In addition, airlines are being advised to implement enhanced access controls immediately on a technical front. In combination with velocity rules, conditional access policies can be used to block login attempts and MFA enrollments from geographically improbable or high-risk locations. 

A just-in-time (JIT) privilege management process should replace static administrative access, limiting access to restricted areas of the system within limited time windows, sometimes just minutes, so that attack opportunities are reduced. Endpoint detection and response (EDR) tools must be deployed on virtual desktop environments and jump hosts so as to detect credential theft in real time. DNS-layer isolation will also provide a way for you to block outbound connections to attacker-controlled command-and-control (C2) servers, thereby preventing outbound connections from the attacker. 

There are five crucial pillars necessary to build an incident response plan tailored to aviation: identification, containment, eradication, recovery, and communication. It is essential to monitor the logs of identity providers continuously, 24 hours a day, 7 days a week, in order to detect suspicious activity early on. If an account is compromised, immediate containment measures should be triggered, including the disabling of affected accounts and the freezing of new MFA enrollments. 


In the eradication phase, compromised endpoints are reimaged and credentials are rotated in both on-premise and cloud-based identity management systems, and in the recovery phase, systems must be recovered from immutable, clean backups, and sensitive passenger data must be validated to ensure that the data is accurate. A crucial part of the process has to do with communication, which includes seamless coordination with regulatory organisations such as the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA), as well as internal stakeholders inside and outside the organisation.

Additionally, third-party vendors, such as IT service providers, ground handlers, and catering contractors, must also be stepped up in terms of their security posture. These organisations are often exploited as entry points for island-hopping attacks, which must be taken into account. This risk can be reduced by aligning vendor identity verification protocols with those of the airlines they serve, reporting any suspicious activity related to MFA within four hours, and performing regular penetration tests, especially those that simulate social engineering attacks, in order to reduce this risk. 

Ultimately, the broader transportation sector must acknowledge that people are the weakest link in today’s threat landscape and not passwords. A zero-trust approach to help desk operations must be adopted, including scripted callbacks, rigorous identification verifications, and mandatory dual-approval processes. 

Managing coordinated threats can become increasingly challenging as ISACs (Information Sharing and Analysis Centres) play an important role in enabling rapid, industry-wide information sharing. As isolated organisations are often the first to fall victim, ISACs can play an essential role in protecting against coordinated threats. Furthermore, security budgets need to prioritise human-centred investments, such as training and resilient response procedures, rather than just the latest security technologies. 

Currently, the aviation industry faces a rapidly evolving landscape of cyber threats, particularly from adversaries as resourceful and determined as Scattered Spider. To counter these threats, both airlines and the broader ecosystem should adopt a proactive cybersecurity posture that is forward-looking. Security is no longer reactive. A proactive, intelligently driven defence must now take precedence, combining human vigilance, procedural discipline, and adaptive technology to ensure its effectiveness. 

In order to achieve this, organisations need to develop zero-trust architectures, foster a culture of security at every operational level, and integrate cybersecurity into every strategic decision they make. As a result, cross-sector cooperation should transcend compliance checklists and regulatory requirements, but instead evolve into a dynamic exchange of threat intelligence, defence tactics, and incident response insights that transcend compliance checklists and regulatory obligations. 

In the era of convergent digital and physical infrastructures, cyber complacency could lead to catastrophic outcomes that will undermine not only the continuity of operations but also public trust as well as national resilience. There is now an opportunity for aviation leaders to rethink cybersecurity as not just a technical issue, but as a strategic imperative integral to ensuring global air travel is safe, reliable, and profitable into the future.
Read more »
Scattered Spider ransomware
airline industry Cyber Attacks cyberattacks on airline FBI Hacker attack Hawaii MFA Palo Alto Networks Scattered Spider Scattered Spider ransomware

Scattered Spider Hackers Target Airline Industry Amid FBI and Cybersecurity Warnings

 

The FBI has issued a new warning about the cybercriminal group known as Scattered Spider, which is now actively targeting the airline industry. Recent cyber incidents at Hawaiian Airlines and Canadian carrier WestJet underscore the growing threat. 

According to the FBI’s advisory released late last week, Scattered Spider is known for using advanced social engineering tactics, often posing as employees or contractors. Their goal is to manipulate IT help desk teams into granting unauthorized access—frequently by requesting the addition of rogue multi-factor authentication (MFA) devices to compromised accounts.  

The group’s typical targets include large enterprises and their third-party service providers. “That puts the entire aviation supply chain at risk,” the FBI noted. Once they gain entry, the hackers typically exfiltrate sensitive information for extortion purposes and sometimes deploy ransomware as part of their attacks. The agency confirmed that it is working closely with industry partners to contain the threat and support affected organizations.  

Hawaiian Airlines reported late last week that it had detected suspicious activity in some of its IT systems. While full flight operations were not disrupted, the airline stated it was taking protective steps. “We’ve engaged with authorities and cybersecurity experts to investigate and remediate the incident,” the company said in a statement, adding that it’s focused on restoring systems and will share further updates as the situation evolves. 

Earlier in June, WestJet disclosed that it had experienced a cybersecurity event, which led to restricted access for certain users. The airline has brought in third-party experts and digital forensic analysts to investigate the breach. 

Although the culprits haven’t been officially named, recent analysis from security firm Halcyon indicates that Scattered Spider has broadened its scope, now targeting not only aviation but also sectors like food production and manufacturing. 

“These attacks are fast-moving and devastating,” Halcyon warned. “They can cripple an entire organization in just a few hours, with impacts on everything from operations to consumer trust.”

Other experts echoed these concerns. Palo Alto Networks’ Unit 42 recently advised aviation companies to be extra cautious, particularly regarding suspicious MFA reset requests and socially engineered phishing attempts.  

Darren Williams, founder and CEO of cybersecurity company BlackFog, emphasized the high value of the airline sector for cybercriminals. “Airlines manage immense volumes of sensitive customer data, making them an extremely attractive target,” he said. “With international travel surging, attackers are exploiting this pressure point.” 

Williams added that the disruptions caused by such attacks can ripple across the globe, affecting travelers, business continuity, and public confidence. “These incidents show that airlines need to invest more heavily in cybersecurity infrastructure that can protect passenger data and maintain operational integrity.”
Read more »
Scattered Spider
Cyber Attacks Cyber Breach DragonForce DragonForce Ransomware Group Hacker group Hacking Attack M&S Ransom Demand Ransomware attack Ransomwares Scattered Spider

M&S Faces £300M Loss After Cyberattack Involving DragonForce and Scattered Spider

 

Marks & Spencer has resumed its online services after a serious cyberattack earlier this year that disrupted its operations and is expected to slash profits by £300 million. The British retail giant’s digital operations were hit hard, and recent developments suggest the breach may have been orchestrated by multiple hacker groups. 

A hacking group known as DragonForce is now linked to the incident. According to reports by the BBC, the group sent an email to M&S CEO Stuart Machin shortly after the attack, boasting about their success and demanding ransom. The message, written in aggressive and alarming language, implied the group had encrypted the retailer’s servers. DragonForce, which has rebranded itself as a “Ransomware Cartel,” operates by offering malware tools to affiliates in exchange for a percentage of ransom earnings. 

Originally emerging in 2023, the group has become increasingly active on major dark web forums in recent months. While some cybersecurity experts believe the group is based in Malaysia, others speculate ties to Russia. They have also been linked to a similar attack on the Co-op. Meanwhile, another group, Scattered Spider, had earlier been suspected of executing the attack. Known for its advanced social engineering techniques, the group is composed primarily of young hackers from the US and UK. They have previously impersonated IT personnel and used SIM swapping tactics to breach organizations. 

In 2023, they gained notoriety after cyberattacks on major US casino operators like Caesars Entertainment and MGM Resorts, resulting in multi-million-dollar ransoms. The M&S cyberattack, disclosed on April 22, disrupted online orders and even stopped contactless payments in physical stores. As a result, hundreds of agency workers were temporarily relieved from duty. The company confirmed that customer data—including names, email addresses, addresses, and birth dates—was compromised during the breach. The cause, according to Machin, was human error by a third-party service provider. 

In response to the growing threat, the UK’s National Cyber Security Centre (NCSC) issued industry-wide guidance. Law enforcement agencies, including the National Crime Agency (NCA), are actively investigating the case and considering whether the incidents involving these hacker groups are interconnected. The financial impact has been significant. M&S’s market value dropped by £650 million in the days following the attack. Despite these setbacks, the company has now reopened its standard delivery service in England, Scotland, and Wales, with additional services like click-and-collect and international orders expected to follow soon. 

In a recent statement, M&S emphasized its commitment to restoring customer trust and maintaining high service standards. The company said, “Our stores have remained operational, and we’re now focused on delivering the quality and service our customers expect as we recover from this disruption.”
Read more »
Ticketmaster data breach
BreachForums cybercriminal group Data Breach NC5537 Ransomware Gang Santander Bank data theft Scattered Spider ShinyHunters Ticketmaster data breach

Cybercriminal Group UNC5537 Strikes with Major Data Breaches

 

In recent weeks, the cybercriminal group UNC5537 has made significant waves. This ransomware gang, potentially linked to ShinyHunters or Scattered Spider, stole over 560 million customer records from Ticketmaster. On May 28, they listed this data for sale on their revamped leak site, BreachForums, with a price tag of $500,000. Just two days later, the group claimed to have obtained 30 million account records from Santander Bank in Spain, demanding $2 million for the data. Both companies confirmed the breaches after these announcements.

A June 10 analysis by Mandiant, an incident-response firm now part of Google, revealed that these data leaks, along with at least 163 other breaches, were not due to system vulnerabilities but rather the exploitation of stolen credentials and inadequate multifactor authentication (MFA) controls. According to Mandiant, no evidence indicates that the breaches stemmed from Snowflake's enterprise environment. Instead, all incidents are traced back to compromised customer credentials.

While implementing MFA could have prevented the data theft from Snowflake's systems, the companies involved have broader issues beyond this single control. Businesses must ensure visibility into their attack surfaces, promptly disable accounts of former employees and contractors, and minimize entry points for attackers. Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, emphasizes that attackers often exploit basic security lapses. "Targeting the low-hanging fruit — in this case, insecure credentials — can be achieved with little effort from the threat actor but provides ample opportunities," he notes.

Key Lessons from Recent Cloud Breaches

1. Start With MFA and Then Go Beyond

There is significant room for improvement in MFA adoption. Despite reports showing that 64% of workers and 90% of administrators use MFA, over 60% of organizations still have at least one root user or administrator without MFA enabled. According to Ofer Maor, co-founder and CTO at Mitiga, achieving consistent and verifiable MFA implementation is crucial. He suggests that companies enforce and require MFA, disable non-SSO logins, and enhance security measures with device- or hardware-based authentication for sensitive infrastructure.

2. Use Access Control Lists to Limit Authorized IP Addresses

Organizations should implement access control lists (ACLs) to restrict user access to cloud services or at least review access logs daily for anomalies. Jake Williams, a faculty analyst at IANS Research, recommends restricting IP addresses for cloud infrastructure access and emphasizes the importance of access reviews to identify unexpected access points.

3. Maximize Visibility Into Cloud Services

Continuous monitoring of applications, log data, access activity, and data aggregation services is essential for detecting and preventing attacks. Organizations need to alert on specific behaviors or threats, which could have identified the cybercriminals' attempts to access cloud data, says Brian Soby, CTO and co-founder at AppOmni.

4. Don't Rely on Your Cloud Providers' Defaults

Cloud providers often prioritize usability over security, so relying solely on their default settings can be risky. For example, Snowflake's default settings do not require MFA, making it easier for attackers with compromised credentials to gain full access. Companies must go beyond these defaults and enforce higher security standards.

5. Check Your Third Parties

Even if a company does not directly use Snowflake or another cloud service, third-party providers might, exposing their data to risk. Ensuring that all service providers handling company data follow proper security measures is essential, as highlighted by IANS Research's Williams. Reaching out to service providers to confirm their security practices is crucial in protecting data in today's complex supply chain environment.
Read more »
Scotland
cyber attack Cyber Attacks FBI Ransomware Scattered Spider Scotland

Young Hacker Linked to Scattered Spider Group Detained


 

Spanish police, aided by the FBI, have made a major breakthrough in combating cybercrime by arresting a 22-year-old man in Palma de Mallorca. The suspect, Tyler Buchanan from Dundee, Scotland, is believed to be a leading figure in the notorious hacking group Scattered Spider. Authorities apprehended Buchanan on June 15 while he was trying to board a flight to Italy. At the time of his arrest, he reportedly controlled $27 million in bitcoin.

Scattered Spider has been responsible for several major cyberattacks over the past two years. These include a significant attack on MGM Resorts in 2023 and breaches affecting companies like Twilio, LastPass, GitLab, Apple, and Walmart. Buchanan is suspected to have played a crucial role in these incidents. He is listed among the top SIM swappers, which is a technique used to take over phone numbers and access sensitive information.

This arrest follows the detention of another key Scattered Spider member, Michael Noah Urban, earlier this year. Urban was charged with stealing over $800,000 in cryptocurrency from multiple victims between 2022 and 2023. Both Buchanan and Urban are part of a broader group of young hackers, usually between 19 and 22 years old, known as 'the Community' or 'the Com'. This global network of hackers often shares their techniques and boasts about their exploits.

In May 2024, the FBI announced a crackdown on Scattered Spider, which had been targeting insurance companies since April. The arrests of Buchanan and Urban show that these efforts are making an impact. However, experts believe that the group's activities are unlikely to stop completely. Cybersecurity specialist Javvad Malik from KnowBe4 explained that cybercriminal groups are often decentralised, meaning they can quickly replace arrested members and continue their operations.

Malik pointed out that groups like Scattered Spider are resilient due to their decentralised nature. The knowledge and tools they use, such as SIM swapping, are widely shared within the cybercrime community. Online tutorials, forums, and dark web marketplaces ensure that these methods continue to spread, even when key individuals are arrested. This means that the group can persist and even grow despite law enforcement efforts.

Although the recent arrests may temporarily disrupt Scattered Spider's activities, experts predict the group will soon resume its operations with new leaders. The capture of Tyler Buchanan is a victory for law enforcement but also a reminder of the ongoing and evolving threat posed by cybercriminal organisations.


Read more »
Scattered Spider
Critical Infrastructure Cyber Attacks Data Extortion data security Scattered Spider

Scattered Spider: Hackers Attacking Commercial Sectors, Cops Troubled

Scattered Spider

Scattered Spider threat actors primarily steal data for extortion using a variety of social engineering approaches, and they have recently used BlackCat/ALPHV ransomware in addition to their usual TTPs.

According to a senior bureau official, the FBI must "evolve" to effectively stop a group of hackers who have wreaked havoc on some of the largest firms in the United States, who asked the public to be patient as law enforcement combats the criminal network.

CISA and FBI issue joint notice

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory (CSA) on Scattered Spider, a cybercriminal gang that targets commercial facilities and subsectors. The advice contains tactics, methods, and procedures (TTPs) gathered from FBI investigations as recent as November 2023.

The FBI and CISA encourage network defenders and critical infrastructure companies to study the joint CSA for proposed mitigations to decrease the possibility and severity of a cyberattack by Scattered Spider actors. 

Last year, the hacking collective called Scattered Spider made international headlines for its destructive cyberattacks on gambling behemoths MGM Resorts and Caesars Entertainment. Analysts identified the hackers in 2022, who employ social engineering to trick people into disclosing their login credentials or one-time password codes to defeat multifactor authentication.

Once inside, the group — Star Fraud, UNC3944, and Octo Tempest — builds persistence in networks, living off the territory as some state-sponsored hackers do, before deploying ransomware, stealing data, and demanding ransoms from victims.

The Scattered Spider Phenomenon

1. Data Theft and Extortion

Scattered Spider’s modus operandi revolves around data theft. They infiltrate systems, exfiltrate sensitive information, and then hold it hostage for ransom. Their victims include high-profile organizations, and the stakes are high. The group’s ability to extract valuable data without detection is a testament to their skill.

2. BlackCat/ALPHV Ransomware

Scattered Spider doesn’t rely solely on traditional hacking methods. They’ve embraced ransomware, specifically the BlackCat/ALPHV variant. This malicious software encrypts victims’ files, rendering them inaccessible until a ransom is paid. The group’s proficiency in deploying ransomware underscores their adaptability.

The Social Engineering Twist

1. Human Manipulation

What sets Scattered Spider apart is their mastery of social engineering. They exploit human psychology to gain access to systems. Whether through phishing emails, impersonation, or psychological manipulation, they find the weakest link—the human element—and exploit it. Their ability to deceive and manipulate individuals is their secret weapon.

2. The Insider Threat

Scattered Spider often targets employees within organizations. An unsuspecting employee may unwittingly click a malicious link or share sensitive credentials. The group’s understanding of human behavior allows them to bypass technical defenses. Cybersecurity professionals must recognize this insider threat and educate employees accordingly.

The FBI’s Battle

1. Resource Allocation

The Federal Bureau of Investigation (FBI) is actively pursuing Scattered Spider. Their dedicated cybercrime units are tracking down group members. However, the group remains elusive, operating across borders and leaving minimal traces. The FBI’s challenge lies in balancing resources to combat this agile adversary.

2. Collaboration and Information Sharing

The FBI collaborates with international agencies, sharing intelligence and pooling resources. Scattered Spider’s attacks span continents, and global cooperation is essential. By working together, law enforcement agencies can build a comprehensive profile of the group and disrupt their operations.

Scattered Spider is a formidable adversary in the cybercrime landscape, and law enforcement agencies are actively working to counter their activities. For more information, check this advisory.

Read more »
Subscribe to: Comments (Atom)