A well-known cybercriminal collective, commonly tracked as Scattered Spider, has been observed increasingly focusing its attacks on the aviation sector. Security agencies and private cybersecurity firms are raising alarms about a surge in social engineering attacks designed to get around otherwise robust controls such as multi-factor authentication (MFA) by targeting the people and processes that administer them, rather than the technology itself.
The group's tactics rely heavily on impersonation, with attackers posing as employees or contractors to deceive IT help desks. Through convincing pretexts, they manipulate support staff into registering attacker-controlled MFA devices or resetting credentials, which gives the attackers working access to the targeted accounts, frequently ones with elevated privileges.
Recent incidents highlight that not only airline operators but also trusted third-party IT service providers are in the crosshairs. Once inside, attackers aim to steal data, extort victims, and in many cases, deploy ransomware. Investigations have revealed that attackers often single out high-value targets, such as executives, whose accounts typically have elevated privileges and whose requests are handled with urgency by internal teams.
The attackers’ process involves detailed reconnaissance, combining information from social media, past breaches, and public data to convincingly impersonate employees. Once initial access is gained, they move swiftly, escalating privileges, compromising cloud infrastructure, and disabling recovery mechanisms. The operations often culminate in double-extortion ransomware attacks, where data theft and encryption are used in tandem for maximum leverage.
Security experts warn that these campaigns represent a shift from traditional brute-force attacks toward highly personalized identity threats. The group’s strategy blends deep social engineering, technical expertise, and aggressive tactics to compromise both cloud and on-premises environments.
In some of the latest attacks, threat actors exploited weaknesses in identity verification workflows, successfully convincing help desk staff to reset MFA devices and provide sensitive account information. In one case, attackers gained control over a company’s virtual infrastructure, shut down key systems, accessed sensitive databases, and exfiltrated password vaults, before being interrupted by the company’s response team and platform providers.
The growing threat posed by such groups underscores the need for organizations to strengthen identity verification procedures, particularly around help desk operations and account recovery processes, for example by requiring out-of-band confirmation through a contact channel already on record, or a second approver, before any MFA re-enrollment or credential reset on a privileged account. Relying solely on technical defenses like MFA is no longer sufficient when attackers target the people and processes behind those systems.
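Beyond tightening the help desk procedure itself, the pattern described above (a help-desk-assisted credential reset or MFA enrollment, followed by a sign-in with the new factor from somewhere the account has never been seen) is something a SOC can correlate in identity logs. The following is an added example, written for this page and not code from the article or from any vendor: a small Python detection rule run over constructed sample events. The log line format, field names (`user`, `action`, `actor`, `src_ip`), the privileged-account list, the per-account IP history and the two-hour window are all assumptions chosen for illustration.

```python
"""Correlate help-desk-assisted credential changes with follow-on activity.

Added example: flags password resets or MFA enrollments performed by a help
desk agent, escalating when the account is privileged, a new MFA factor
appears, or the next sign-in comes from an IP the account has never used.
The log format, field names, accounts and IPs below are constructed for
illustration and are not taken from any real product or incident.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample events (hypothetical; not real log data).
SAMPLE_LOG = """\
2025-06-27T09:10:02Z user=cfo@example.com action=password_reset actor=helpdesk:agent17 src_ip=198.51.100.8
2025-06-27T09:14:41Z user=cfo@example.com action=mfa_enroll actor=helpdesk:agent17 src_ip=198.51.100.8
2025-06-27T09:31:05Z user=cfo@example.com action=signin actor=self src_ip=203.0.113.77
2025-06-27T10:02:19Z user=jdoe@example.com action=password_reset actor=self src_ip=192.0.2.10
2025-06-27T10:05:00Z user=jdoe@example.com action=signin actor=self src_ip=192.0.2.10
2025-06-27T13:45:12Z user=contractor@msp.example action=mfa_enroll actor=helpdesk:agent03 src_ip=198.51.100.8
2025-06-27T16:20:00Z user=contractor@msp.example action=signin actor=self src_ip=203.0.113.90
"""

# Hypothetical privileged-account list and per-account IP history (e.g. last 30 days).
PRIVILEGED = {"cfo@example.com", "it-admin@example.com"}
KNOWN_IPS = {
    "cfo@example.com": {"192.0.2.20"},
    "jdoe@example.com": {"192.0.2.10"},
    "contractor@msp.example": {"203.0.113.90"},
}
WINDOW = timedelta(hours=2)  # how long after a help-desk change we keep watching


@dataclass
class Event:
    ts: datetime
    user: str
    action: str   # password_reset | mfa_enroll | signin
    actor: str    # "self" or "helpdesk:<agent id>"
    src_ip: str


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, fields["user"], fields["action"], fields["actor"], fields["src_ip"]))
    return sorted(events, key=lambda e: e.ts)


def detect(events, privileged=PRIVILEGED, known_ips=KNOWN_IPS, window=WINDOW):
    """Return one alert per help-desk-assisted change chain, ordered by time."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        covered_until = None  # suppress a second alert for events inside an open window
        for i, e in enumerate(evs):
            helpdesk_change = e.actor.startswith("helpdesk:") and e.action in ("password_reset", "mfa_enroll")
            if not helpdesk_change or (covered_until and e.ts <= covered_until):
                continue
            covered_until = e.ts + window
            followers = [f for f in evs[i + 1:] if f.ts <= covered_until]

            new_factor = e.action == "mfa_enroll" or any(f.action == "mfa_enroll" for f in followers)
            unseen = [f for f in followers if f.action == "signin" and f.src_ip not in known_ips.get(user, set())]

            reasons = [f"help desk {e.action} by {e.actor}"]
            if user in privileged:
                reasons.append("privileged account")
            if new_factor:
                reasons.append("new MFA factor registered")
            if unseen:
                reasons.append(f"sign-in from unseen IP {unseen[0].src_ip}")

            # High: a new factor on a privileged account, or a new factor then a sign-in from an unknown IP.
            if new_factor and (user in privileged or unseen):
                severity = "high"
            elif new_factor or unseen or user in privileged:
                severity = "medium"
            else:
                severity = "low"
            alerts.append({"ts": e.ts, "user": user, "severity": severity, "reasons": reasons})

    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a["ts"].isoformat(), a["user"], a["severity"], "; ".join(a["reasons"]))
```

On the constructed data this yields two alerts: a high-severity one for the executive account (help desk reset, new factor, then a sign-in from an address never seen for that user) and a medium one for the contractor account (help desk MFA enrollment with no unusual follow-on inside the window). The self-service reset for the ordinary user produces nothing. In a real deployment the IP history would come from the identity provider's sign-in logs, and the rule is deliberately keyed on the help desk as the actor, since that is the workflow the campaign abuses.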
Companies are urged to provide realistic training for staff, implement stricter help desk protocols, and reevaluate their incident response strategies to reduce the risk posed by these evolving identity-based attack campaigns.