FBI Warns Airlines, IT Providers and Vendors of Impending Threats from Scattered Spider via Impersonation

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

The FBI has assessed that the cybercriminal group known as Scattered Spider is now shifting its focus toward the airline industry, using deceptive social engineering to launch ransomware attacks. 

The FBI statement, shared on X on June 28, 2025, through the FBI’s official account, warned that members of the group may impersonate insiders or employees of target airlines. They could also pose as contractors or vendors in their emails to deceive the IT help staff.

After initiating contact with the IT or support teams via email, call, or chat, they may request access to employee accounts. Attackers may also manipulate staff into registering unknown MFA devices, granting long-term internal access to airline systems.

This social engineering attack, aimed at specific individuals, undermines zero-trust controls through an MFA bypass technique.

With this approach, attackers don’t breach systems traditionally; they socially engineer access. Once they convince support staff to add a new MFA device or reset credentials, they gain access that appears legitimate, effectively walking through a door meant to keep them away.

This undermines the foundation of zero-trust architecture, which assumes that there is no inherent trust within the network. If help desks unknowingly validate attackers, the perimeter is not broken; it is extended to the adversary.

Help teams are thus urged to verify each identity before granting access, regardless of the medium used.
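One way to queue the help-desk pattern described above for review, as an added example that is not part of the FBI statement or this article: it flags accounts where staff reset a password and then registered an MFA device on the user's behalf within a short window. The audit-log schema, field names, sample events and 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window; tune locally

# Constructed sample events in a hypothetical, simplified audit-log schema.
SAMPLE_EVENTS = [
    {"time": "2025-07-01T09:00:00", "action": "password_reset",
     "actor": "helpdesk-07", "target": "pilot.ops1"},
    {"time": "2025-07-01T09:06:00", "action": "mfa_device_added",
     "actor": "helpdesk-07", "target": "pilot.ops1"},
    # Self-service enrollment (actor == target): not help-desk driven.
    {"time": "2025-07-01T10:00:00", "action": "mfa_device_added",
     "actor": "crew.sched2", "target": "crew.sched2"},
    # Help-desk reset with no MFA change afterwards.
    {"time": "2025-07-01T11:00:00", "action": "password_reset",
     "actor": "helpdesk-03", "target": "gate.agent5"},
    # Reset and MFA change seven hours apart: outside the default window.
    {"time": "2025-07-01T08:00:00", "action": "password_reset",
     "actor": "helpdesk-03", "target": "it.vendor9"},
    {"time": "2025-07-01T15:00:00", "action": "mfa_device_added",
     "actor": "helpdesk-03", "target": "it.vendor9"},
]

def find_reset_then_mfa(events, window=WINDOW):
    """Return alerts where staff (actor != target) reset a password and then
    added an MFA device for the same account within `window`."""
    staff_events = sorted(
        (e for e in events if e["actor"] != e["target"]),
        key=lambda e: datetime.fromisoformat(e["time"]),
    )
    last_reset = {}  # target account -> (reset time, resetting actor)
    alerts = []
    for e in staff_events:
        when = datetime.fromisoformat(e["time"])
        if e["action"] == "password_reset":
            last_reset[e["target"]] = (when, e["actor"])
        elif e["action"] == "mfa_device_added" and e["target"] in last_reset:
            reset_time, reset_actor = last_reset[e["target"]]
            if when - reset_time <= window:
                gap = int((when - reset_time).total_seconds() // 60)
                alerts.append({"target": e["target"], "reset_by": reset_actor,
                               "mfa_added_by": e["actor"], "minutes_apart": gap})
    return alerts

if __name__ == "__main__":
    for alert in find_reset_then_mfa(SAMPLE_EVENTS):
        print(alert)
```

Each alert is a prompt to confirm that the original request was identity-verified through a separate channel, not proof of compromise.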

If hackers like Scattered Spider successfully infiltrate airline systems, the consequences could be severe and far-reaching, impacting safety, operations, and public trust.

Possible outcomes of a successful breach in airline systems:

While not always internet-facing, systems like ACARS, EFBs, and crew scheduling platforms can be accessed indirectly. If compromised, they could relay false data to pilots, disrupt flight operations, or manipulate crew rosters. This could potentially breach aviation regulations.

Additionally, they could further cause damage such as:

Scattered Spider, also known as UNC3944, Muddled Libra, and Octo Tempest, is known for abusing legitimate remote access tools such as TeamViewer and Ngrok, according to a CISA advisory.

While their primary goal is data extortion and ransomware deployment, if undetected in aviation environments, they could leverage access to cripple flight operations from within.

The FBI stated that they are actively working with aviation and industry partners to mitigate this activity and assist victims. 

They urged airlines to report any suspicious activity early to their local FBI office. Timely reporting enables FBI engagement, intelligence sharing, and prevention of further compromises.

