
Scattered Spider Strikes Aviation: Inside the Triple Airline Cyberattack Spree

  • Writer: Abhinav Bangia
  • 5 days ago
  • 3 min read


In the span of just three weeks, three major airlines—Qantas, WestJet, and Hawaiian Airlines—became victims of sophisticated cyberattacks. The group behind this spree? Scattered Spider, a notorious threat actor known for its use of social engineering, MFA fatigue attacks, and lateral movement through SaaS platforms.

This post unpacks the tactics, techniques, and procedures (TTPs) used by Scattered Spider and offers a technical breakdown of what security teams can learn from these high-profile incidents.


🕷 Who is Scattered Spider?

Scattered Spider (aka UNC3944, Muddled Libra, or Scatter Swine) is a financially motivated threat group active since at least 2022. Unlike traditional ransomware gangs, this group focuses on data theft via initial access vectors like social engineering and SaaS platform exploitation, often operating without deploying traditional malware or encryption payloads.

Known Tactics:

  • Vishing: Voice phishing calls to help desk agents to gain credentials or bypass MFA.

  • MFA Fatigue: Spamming push notifications to employees until one is accepted.

  • SIM Swapping: Targeting telcos to hijack employee accounts.

  • SaaS Exploitation: Gaining access to cloud platforms like Salesforce, Zendesk, or Okta to pivot deeper into infrastructure.

Attack Timeline: Three Airlines, Three Breaches

1. WestJet Airlines (Canada) – June 13, 2025

  • Type: IT system disruption

  • Vector: Likely SaaS or help desk compromise

  • Impact: Customer-facing systems briefly disrupted; flights unaffected

2. Hawaiian Airlines (USA) – June 26, 2025

  • Type: Cybersecurity incident under investigation

  • Impact: Limited IT system compromise; reported to federal authorities

3. Qantas Airways (Australia) – June 30–July 2, 2025

  • Type: Large-scale data breach via third-party call center platform

  • Records Accessed: ~6 million frequent flyer accounts

  • Data Leaked:

    • Full names

    • Birth dates

    • Email and phone contacts

    • Membership numbers

  • Unaffected: Credit card info, passwords, passport numbers

Technical Dissection of the Qantas Breach

Step 1: Initial Access via Social Engineering

Scattered Spider likely called Qantas’ third-party support center pretending to be an employee, using:

  • Publicly available info (LinkedIn, email leaks)

  • Deepfake voices or spoofed caller IDs (common in modern vishing campaigns)

The attackers convinced a help desk agent to:

  • Reset the account password

  • Disable or reset MFA settings

Step 2: SaaS Platform Compromise

Once inside the call center’s customer management platform (e.g., Zendesk or Salesforce), attackers:

  • Escalated privileges using existing roles

  • Queried customer databases

  • Exfiltrated data through APIs or export tools

Step 3: Data Exfiltration

The stolen data included identity-rich details that can be sold on dark web forums or used in downstream phishing and impersonation attacks.

Why Airlines Are a High-Value Target

  • Valuable PII: Millions of customers with verified ID, contacts, and travel behavior

  • Third-Party Dependence: Call centers and support are often outsourced with weak oversight

  • SaaS Complexity: Reliance on large-scale cloud platforms with uneven security configurations

  • Legacy Systems: Airlines still run hybrid infrastructure with technical debt and unpatched assets

  • High Operational Pressure: Downtime costs millions, making airlines vulnerable to ransom or PR blackmail

Defense-in-Depth: What Should Airlines (and Enterprises) Do?

1. Harden Help Desk Workflows

  • Introduce “callback” policies for MFA resets

  • Use voice biometric verification or unique pin codes for agents

  • Train agents to detect urgency-based social engineering
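The three help desk controls above can be made mechanical rather than left to an agent's judgement under pressure. The following is an added illustration (not Qantas', WestJet's, or any vendor's code) of an authorization check for password and MFA resets. It assumes a hypothetical employee directory with a phone number on record and a manager for each employee, a constructed agent approval PIN flag, and a 24-hour cooldown during which an MFA reset that follows a password reset on the same account needs a second approver; all names and values are made up for the example.

```python
"""Help desk reset authorization (added example; directory values are constructed).

Rules enforced:
  1. The agent must have called back the phone number on record, never a number
     supplied by the caller (the "callback" policy).
  2. The agent must have entered a valid approval PIN for this ticket.
  3. An MFA reset within COOLDOWN of a password reset on the same account needs
     the employee's manager as second approver (the vishing pattern is
     "reset the password, then remove MFA").
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hypothetical directory: employee id -> phone on record and manager id.
DIRECTORY = {
    "e1001": {"phone_on_record": "+61-2-0000-0001", "manager": "e2001"},
    "e1002": {"phone_on_record": "+61-2-0000-0002", "manager": "e2001"},
}

COOLDOWN = timedelta(hours=24)


@dataclass
class ResetRequest:
    employee_id: str
    action: str                       # "password_reset" or "mfa_reset"
    callback_number: Optional[str]    # number the agent actually dialed back
    agent_pin_ok: bool                # agent entered a valid approval PIN
    requested_at: str                 # ISO 8601 timestamp
    second_approver: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def authorize_reset(req: ResetRequest,
                    recent_actions: List[Tuple[str, str, str]]) -> Decision:
    """recent_actions: (employee_id, action, iso_timestamp) already performed."""
    reasons: List[str] = []
    entry = DIRECTORY.get(req.employee_id)
    if entry is None:
        return Decision(False, ["unknown employee id"])

    # Rule 1: callback must go to the directory number, not the caller's number.
    if req.callback_number != entry["phone_on_record"]:
        reasons.append("callback must be placed to the phone number on record")

    # Rule 2: agent-side approval PIN.
    if not req.agent_pin_ok:
        reasons.append("agent approval PIN missing or invalid")

    # Rule 3: password reset followed by MFA reset needs a second approver.
    if req.action == "mfa_reset":
        now = datetime.fromisoformat(req.requested_at)
        recent_pw = [
            ts for (eid, act, ts) in recent_actions
            if eid == req.employee_id and act == "password_reset"
            and now - datetime.fromisoformat(ts) < COOLDOWN
        ]
        if recent_pw and req.second_approver != entry["manager"]:
            reasons.append("MFA reset within 24h of a password reset needs manager approval")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Caller supplies "their" number and asks for MFA to be removed: denied.
    print(authorize_reset(ResetRequest("e1001", "mfa_reset", "+61-4-9999-0000",
                                       True, "2025-06-30T09:00:00"), []))
```

The point of returning every failed reason rather than the first one is that the ticket record then shows which control stopped the request, which is what a post-incident review of a help desk compromise needs.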

2. Phishing-Resistant MFA

  • Mandate FIDO2 keys (YubiKey, Titan) for staff and contractors

  • Eliminate SMS-based MFA and OTPs where possible

3. SaaS Access Auditing

  • Enable logging (Okta, Zendesk, Salesforce, etc.)

  • Set up anomaly detection for mass exports, privilege escalations

  • Monitor for unusual IP locations or time-of-day logins

4. Least Privilege & Segmentation

  • Apply RBAC for third-party staff; disable unused admin accounts

  • Enforce strict data access policies for support personnel

5. Third-Party Risk Management

  • Ensure vendors adhere to minimum security standards

  • Perform breach simulations and tabletop exercises

  • Require breach notification SLAs in contracts

Final Thoughts

Scattered Spider’s attacks are a wake-up call: attackers don't need to exploit zero-days—they exploit trust. In each case, they didn’t hack the airlines; they hacked the people, processes, and vendors around them.

Security teams must evolve beyond endpoint protection and firewalls. It's about:

  • Training humans

  • Hardening identity workflows

  • Auditing SaaS footprints

  • Holding third parties accountable

As this group pivots across industries, it’s clear: if your organization uses call centers, help desks, or cloud support tools—you're in the blast radius.
