Stopping Scattered Spider at the Identity Layer: Protecting Airlines from Identity-Based Cyberattacks
The Threat is Real and It’s Here Now
On Friday, June 27, 2025, the FBI issued an urgent cybersecurity alert: the notorious Scattered Spider hacking collective has expanded its targeting to include the airline industry. This isn’t a theoretical future threat; it is happening right now. Hawaiian Airlines confirmed a cyberattack on Thursday, June 26, and Canada’s WestJet has been dealing with an ongoing breach since June 13. Both incidents bear the hallmarks of Scattered Spider operations.
For airline executives reading about yet another cybersecurity threat, this one demands immediate attention. Scattered Spider isn’t your typical cybercriminal group. They weaponize something every organization has in unlimited supply: helpful employees and IT systems that assume someone calling with the right story must be legitimate. While security teams spend millions hardening networks and patching systems, these attackers simply pick up the phone and ask nicely for the keys to the kingdom—and they get them.
Understanding the Enemy: Why Scattered Spider is Different
Scattered Spider (also known as UNC3944, Octo Tempest, and several other aliases) represents a new breed of cybercriminal. This loosely organized collective of primarily English-speaking hackers has perfected the art of social engineering at enterprise scale.
Their recent victims read like a Fortune 500 directory: MGM Resorts, Caesars Entertainment, Marks & Spencer, Twilio, and now multiple airlines. What makes them particularly dangerous is their systematic approach to identity-based attacks:
Social Engineering Excellence: They research their targets extensively, often impersonating specific employees or contractors when calling IT help desks. They know company terminology, recent projects, and organizational structure well enough to convince even experienced support staff that they’re legitimate employees.
MFA Bypass Mastery: While many organizations believe multi-factor authentication protects them, Scattered Spider has developed multiple techniques to circumvent these controls:
- MFA fatigue attacks that bombard users with push notifications until they accept one
- Convincing help desk staff to add attacker-controlled MFA devices to legitimate accounts
- SIM swapping to intercept SMS-based authentication codes
- Phone-based social engineering to extract one-time passcodes directly from users
Legitimate Tool Abuse: After gaining initial access, they use approved remote access tools and live-off-the-land techniques, making their activities difficult to distinguish from legitimate IT operations.
Why Airlines Are Perfect Targets
The aviation industry presents an irresistible combination of vulnerabilities that make it ideal for Scattered Spider attacks:
Call Center Dependencies: Scattered Spider specifically targets airline call centers, exploiting the high-volume, time-pressured environment where help desk staff process hundreds of authentication requests daily.
Complex Identity Management: Distributed teams across multiple time zones and locations create numerous potential entry points and make identity verification challenging across all touchpoints.
High-Stakes Environment: Thin operational margins and zero tolerance for downtime create pressure to restore access quickly—exactly the environment where security shortcuts occur during incident response.
High-Value Data: Extensive PII, travel patterns, cargo manifests, and operational data provide valuable monetization opportunities for attackers.
The FBI’s Warning: Attack Vectors Airlines Must Address
The recent FBI alert specifically highlights the tactics Scattered Spider uses against aviation targets:
Help Desk Infiltration: Attackers call IT support claiming to be employees who’ve lost access to their accounts. They use publicly available information about the company and specific employees to build credibility.
Third-Party Vendor Targeting: The FBI warns that “anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.” Scattered Spider often attacks less-defended suppliers to gain access to primary targets.
MFA Device Registration Abuse: Once they convince help desk staff of their legitimacy, attackers request that new MFA devices be added to accounts they claim to own.
An Identity-First Defense Strategy
Traditional cybersecurity approaches fail against Scattered Spider because they focus on protecting systems rather than verifying identities. When attackers can convince legitimate users or help desk staff to grant access, perimeter defenses become irrelevant.
The most effective defense requires securing the identity layer itself. Here’s how identity-first security addresses each of the attack vectors the FBI warns about:
Verifiable Identity Authentication
The Challenge: Scattered Spider succeeds because authentication systems verify what users know (passwords) or have (phones, tokens) rather than who they are.
The Defense: Identity platforms that require users to prove their actual identity through biometric verification tied to government-issued identification, with liveness checks (presentation attack detection) so that a photo or replayed video of the real employee is rejected. When someone calls the help desk claiming to be an employee, staff can require a verified identity check before touching the account, rather than judging the caller on knowledge of employee IDs, route changes and recent projects, all of which Scattered Spider researches in advance.
Phishing-Resistant, Passwordless Authentication
The Challenge: Traditional MFA can be bypassed through push notification fatigue, SIM swapping, or social engineering.
The Defense: Eliminating passwords entirely and using FIDO2/WebAuthn authentication, with the credential unlocked by an on-device biometric or PIN. The credential is cryptographically bound to the relying party’s origin, so a look-alike login page or a proxied session cannot obtain a valid assertion, and there are no push notifications to accidentally accept and no codes to read over the phone. One caveat matters for this threat: phishing resistance covers the login ceremony, not the enrollment and recovery path. Registering a new passkey through the help desk is exactly the MFA device registration abuse described above, so credential enrollment and account recovery must be gated by the same identity verification as the account itself.
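To make the origin-binding claim concrete, here is an added example (not 1Kosmos code, and not from the FBI alert) of the server-side checks a relying party performs on a WebAuthn assertion. The relying-party origin, RP ID, and the helper functions that construct browser-shaped inputs are assumptions for illustration. The signature over sha256(clientDataJSON) || authenticatorData is assumed to be verified afterwards, which is what stops whoever relays the assertion from editing the fields checked here.

```python
"""Server-side WebAuthn assertion checks that give FIDO2 its phishing resistance.
Added example, not 1Kosmos code. Signature verification is assumed to follow these
checks, over sha256(clientDataJSON) || authenticatorData, so the values inspected
here cannot be altered in transit."""
import base64
import hashlib
import json
import secrets
import struct

# Assumed relying-party values for the example.
EXPECTED_ORIGIN = "https://sso.example-airline.test"
EXPECTED_RP_ID = "sso.example-airline.test"

FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or on-device biometric)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Mirrors the steps of the WebAuthn verification
    procedure that bind an assertion to this origin and to this login attempt."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    # The browser, not the user, fills in 'origin'; a look-alike domain fails here.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    # The challenge is random per login, so a captured assertion cannot be replayed.
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if not secrets.compare_digest(rp_id_hash, hashlib.sha256(EXPECTED_RP_ID.encode()).digest()):
        return False, "rpIdHash does not match the relying party ID"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:
        return False, "user verification (PIN/biometric) not performed"
    return True, "ok"


# Helpers that build constructed inputs shaped like what a browser/authenticator sends.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int = 7) -> bytes:
    # rpIdHash (32) || flags (1) || signCount (4, big-endian)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def demo() -> dict:
    challenge = secrets.token_bytes(32)
    good_auth = make_authenticator_data(EXPECTED_RP_ID, FLAG_UP | FLAG_UV)
    return {
        "legitimate": check_assertion(make_client_data(EXPECTED_ORIGIN, challenge), good_auth, challenge),
        # Proxy on a look-alike domain relaying the real login page: origin is wrong.
        "lookalike_origin": check_assertion(
            make_client_data("https://sso.example-airline.test.reset-login.example", challenge),
            good_auth, challenge),
        # Assertion captured from an earlier login: challenge no longer matches.
        "replayed": check_assertion(make_client_data(EXPECTED_ORIGIN, b"\x00" * 32), good_auth, challenge),
        # Authenticator used without PIN/biometric: UV flag missing.
        "no_user_verification": check_assertion(
            make_client_data(EXPECTED_ORIGIN, challenge),
            make_authenticator_data(EXPECTED_RP_ID, FLAG_UP), challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} -> {result}")
```

In practice the look-alike case never reaches the server: the browser refuses to use a credential whose RP ID is not a registrable suffix of the page’s origin, so the phishing page cannot obtain an assertion at all. The origin and rpIdHash checks above are the defense in depth that catches anything that slips past the browser, and the user-verification flag is what ties the login to the biometric or PIN rather than to mere possession of the device.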
Identity-Bound Access Controls
The Challenge: Current systems often grant access based on device compliance or network location, which can be spoofed or compromised.
The Defense: Tie every access request to a verified identity rather than to a device or network attribute. With a FIDO2 credential the biometric never leaves the device; it unlocks a private key that signs a per-login challenge. An attacker who obtains an approved device, or a foothold on the corporate network, still cannot produce that signature without the legitimate user’s fingerprint, face or PIN.
Centralized Identity Governance
The Challenge: Organizations lose visibility into identity-related activities across multiple systems and lack consistent identity policies.
The Defense: Centralized visibility into all identity-based access events with detailed audit trails and risk scoring. Security teams can immediately identify unusual authentication patterns or unauthorized access attempts.
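The MFA bypass techniques listed earlier (push fatigue, help-desk-added MFA devices) and the audit-trail visibility described here both come down to the same question: what would a security team actually look for in the identity provider’s log? The following is an added example, not 1Kosmos code and not an FBI-published detection, of two such detections run over a constructed JSON-lines audit log. The event names, field names, thresholds and sample records are assumptions; map your own IdP’s schema onto them.

```python
"""Detections for Scattered Spider-style identity abuse in an identity-provider audit log.
Added example; not 1Kosmos code. The JSON-lines schema and the records below are
constructed assumptions; map your IdP's own event and field names onto them."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample data: one help-desk-assisted takeover (j.doe), one benign
# self-service enrolment (a.smith), and one push-bombing burst that ends in an approval (k.lee).
SAMPLE_LOG = """\
{"ts":"2025-06-25T09:00:00Z","event":"login.success","user":"j.doe","ip":"198.51.100.20"}
{"ts":"2025-06-26T02:05:00Z","event":"password.reset","user":"j.doe","actor":"helpdesk-42","actor_role":"helpdesk"}
{"ts":"2025-06-26T02:06:30Z","event":"mfa.device.enrolled","user":"j.doe","actor":"helpdesk-42","actor_role":"helpdesk"}
{"ts":"2025-06-26T02:20:00Z","event":"login.success","user":"j.doe","ip":"203.0.113.7"}
{"ts":"2025-06-26T08:00:00Z","event":"mfa.device.enrolled","user":"a.smith","actor":"a.smith","actor_role":"self"}
{"ts":"2025-06-26T08:01:00Z","event":"login.success","user":"a.smith","ip":"198.51.100.31"}
{"ts":"2025-06-26T23:10:00Z","event":"mfa.push.sent","user":"k.lee"}
{"ts":"2025-06-26T23:10:20Z","event":"mfa.push.denied","user":"k.lee"}
{"ts":"2025-06-26T23:11:00Z","event":"mfa.push.sent","user":"k.lee"}
{"ts":"2025-06-26T23:11:20Z","event":"mfa.push.denied","user":"k.lee"}
{"ts":"2025-06-26T23:12:00Z","event":"mfa.push.sent","user":"k.lee"}
{"ts":"2025-06-26T23:12:20Z","event":"mfa.push.denied","user":"k.lee"}
{"ts":"2025-06-26T23:13:00Z","event":"mfa.push.sent","user":"k.lee"}
{"ts":"2025-06-26T23:13:20Z","event":"mfa.push.denied","user":"k.lee"}
{"ts":"2025-06-26T23:14:00Z","event":"mfa.push.sent","user":"k.lee"}
{"ts":"2025-06-26T23:14:20Z","event":"mfa.push.denied","user":"k.lee"}
{"ts":"2025-06-26T23:15:00Z","event":"mfa.push.sent","user":"k.lee"}
{"ts":"2025-06-26T23:15:30Z","event":"mfa.push.approved","user":"k.lee"}
"""

PUSH_WINDOW = timedelta(minutes=10)   # assumed; tune to your IdP's prompt cadence
PUSH_THRESHOLD = 5                    # prompts within PUSH_WINDOW that trigger an alert
RECOVERY_WINDOW = timedelta(hours=1)  # help-desk reset/enrolment -> login from unknown IP


def parse_events(raw: str) -> list[dict]:
    events = []
    for line in raw.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events: list[dict]) -> list[dict]:
    """Flag users who received PUSH_THRESHOLD or more push prompts inside PUSH_WINDOW,
    and record whether the burst ended in an approval (the attacker got in)."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["event"].startswith("mfa.push."):
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        sent = [e["ts"] for e in evs if e["event"] == "mfa.push.sent"]
        for i, start in enumerate(sent):
            end = start + PUSH_WINDOW
            burst = [t for t in sent[i:] if t <= end]
            if len(burst) >= PUSH_THRESHOLD:
                approved = any(e["event"] == "mfa.push.approved" and start <= e["ts"] <= end for e in evs)
                alerts.append({"rule": "mfa_push_fatigue", "user": user, "prompts": len(burst),
                               "first_prompt": start.isoformat(), "approved": approved})
                break  # one alert per user; escalate when 'approved' is True
    return alerts


def detect_helpdesk_recovery(events: list[dict]) -> list[dict]:
    """Flag a help-desk-performed password reset or MFA enrolment that is followed,
    within RECOVERY_WINDOW, by a login from an IP never seen for that user before."""
    alerts = []
    known_ips = defaultdict(set)
    pending = {}  # user -> most recent help-desk recovery event
    for e in events:
        user = e["user"]
        if e["event"] in ("password.reset", "mfa.device.enrolled") and e.get("actor_role") == "helpdesk":
            pending[user] = e
        elif e["event"] == "login.success":
            rec = pending.get(user)
            if rec and e["ts"] - rec["ts"] <= RECOVERY_WINDOW and e["ip"] not in known_ips[user]:
                alerts.append({"rule": "helpdesk_recovery_then_new_ip", "user": user,
                               "recovery": rec["event"], "actor": rec["actor"], "ip": e["ip"]})
                pending.pop(user)
            known_ips[user].add(e["ip"])  # build the baseline after the check, not before
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect_push_fatigue(evs) + detect_helpdesk_recovery(evs):
        print(alert)
```

The second rule is the one that matters most for the help-desk vector on this page: the reset and the enrolment each look routine on their own, and only the combination of a help-desk actor, a short interval, and a login from an address the user has never used before separates the attacker from a pilot who genuinely lost a phone. Feeding the help-desk ticket ID into the same event stream lets the team check the verification that was actually performed.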
Real-World Implementation Scenarios
For airline security teams wondering how this translates into practical protection, consider these scenarios:
Scenario 1: Help Desk Social Engineering
A Scattered Spider attacker calls the IT help desk claiming to be a pilot who’s lost access to crew scheduling while on layover. The caller knows recent route changes, mentions specific flights, and provides the pilot’s employee ID. With traditional systems, overwhelmed help desk staff often approve password resets and MFA device additions during off-hours when supervisors aren’t available, especially when the caller sounds stressed about missing a flight assignment.
With identity-first security: Any account changes require biometric verification that cannot be provided remotely by an impersonator, regardless of how convincing their story.
Scenario 2: Contractor Account Compromise
Attackers target a ground services contractor to gain access to airline systems through the supplier relationship. Traditional vendor management often relies on basic password policies and standard MFA across multiple client systems.
With identity-first security: All contractor access requires the same level of identity verification as employee access. Even if contractors’ traditional credentials are compromised, attackers cannot authenticate without their verified biometric identity.
Scenario 3: After-Hours Emergency Access
An attacker claims to be a maintenance supervisor who needs urgent access to aircraft diagnostic systems for a grounded plane. They call during the night shift when fewer security personnel are available and pressure help desk staff with operational urgency.
With identity-first security: Emergency access protocols still require biometric verification, preventing attackers from exploiting time pressure and reduced oversight during off-peak hours.
Implementation Considerations for Airlines
Regulatory Compliance: Airlines operate in highly regulated environments across multiple jurisdictions. Identity platforms that hold FedRAMP High authorization, conform to NIST SP 800-63-3, and carry ISO 27001, SOC 2 Type II, and ISO/IEC 30107-1 and 30107-3 (biometric presentation attack detection) certifications demonstrate that they can meet the assurance and audit requirements airlines face.
Operational Continuity: Identity-based attacks can ground flights and disrupt operations for days or weeks. MGM Resorts reported roughly $100 million in losses from its 2023 attack. Preventing such incidents protects both revenue and reputation.
Customer Trust: High-profile breaches erode passenger confidence. Airlines that can demonstrate advanced security measures for protecting personal data gain competitive advantage in an increasingly security-conscious market.
Security Architecture: Centralizing identity verification can streamline overall security architecture while improving protection levels, reducing the complexity of managing multiple authentication systems across diverse airline operations.
The Time to Act is Now
Scattered Spider’s expansion to airlines isn’t a future threat; it is happening right now. With the FBI issuing urgent warnings and multiple carriers breached in the last month, every organization in the aviation ecosystem faces immediate risk.
Rather than detecting attacks after they’ve begun, identity-first security prevents them from succeeding in the first place by securing the identity layer that Scattered Spider targets. The question isn’t whether your organization will face an identity-based attack—it’s whether you’ll be ready when it comes.
Contact 1Kosmos today to secure your airline’s identity layer against Scattered Spider and learn how verifiable identity authentication protects your operations, passengers, and reputation.
